Moving setting to new lowercase_url_encoding security key

alagos · alagos · commit 61a1dbfd4ca2 · 2021-12-15T11:53:42.000+13:00
diff --git a/lib/onelogin/ruby-saml/settings.rb b/lib/onelogin/ruby-saml/settings.rb
@@ -280,7 +280,8 @@ def get_binding(value)
           :digest_method              => XMLSecurity::Document::SHA1,
           :signature_method           => XMLSecurity::Document::RSA_SHA1,
           :check_idp_cert_expiration  => false,
-          :check_sp_cert_expiration   => false
+          :check_sp_cert_expiration   => false,
+          :lowercase_url_encoding     => false
         }.freeze
       }.freeze
     end
diff --git a/lib/onelogin/ruby-saml/slo_logoutrequest.rb b/lib/onelogin/ruby-saml/slo_logoutrequest.rb
@@ -27,7 +27,6 @@ class SloLogoutrequest < SamlMessage
       # @param options [Hash]  :settings to provide the OneLogin::RubySaml::Settings object
       #                        Or :allowed_clock_drift for the logout request validation process to allow a clock drift when checking dates with
       #                        Or :relax_signature_validation to accept signatures if no idp certificate registered on settings
-      #                        Or :force_escape_downcasing to accept signatures if no idp certificate registered on settings
       #
       # @raise [ArgumentError] If Request is nil
       #
@@ -339,7 +338,7 @@ def validate_signature
 
       def escape_request_param(param)
         CGI.escape(param).tap do |escaped|
-          next unless options[:force_escape_downcasing]
+          next unless settings.security[:lowercase_url_encoding]
 
           escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
         end
diff --git a/test/slo_logoutrequest_test.rb b/test/slo_logoutrequest_test.rb
@@ -464,10 +464,10 @@ class RubySamlTest < Minitest::Test
         end
 
         # For this case, the parameters will be forced to be downcased after
-        # being escaped with :force_escape_downcasing option
+        # being escaped with :lowercase_url_encoding security option
+        settings.security[:lowercase_url_encoding] = true
         logout_request_force_downcasing_test = OneLogin::RubySaml::SloLogoutrequest.new(
-          params['SAMLRequest'], get_params: params, settings: settings,
-                                 force_escape_downcasing: true
+          params['SAMLRequest'], get_params: params, settings: settings
         )
         assert logout_request_force_downcasing_test.send(:validate_signature)
       end

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,6 @@ class SloLogoutrequest < SamlMessage`
`27`	`27`	`# @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object`
`28`	`28`	`# Or :allowed_clock_drift for the logout request validation process to allow a clock drift when checking dates with`
`29`	`29`	`# Or :relax_signature_validation to accept signatures if no idp certificate registered on settings`
`30`		`- # Or :force_escape_downcasing to accept signatures if no idp certificate registered on settings`
`31`	`30`	`#`
`32`	`31`	`# @raise [ArgumentError] If Request is nil`
`33`	`32`	`#`
`@@ -339,7 +338,7 @@ def validate_signature`
`339`	`338`
`340`	`339`	`def escape_request_param(param)`
`341`	`340`	`CGI.escape(param).tap do \|escaped\|`
`342`		`- next unless options[:force_escape_downcasing]`
	`341`	`+ next unless settings.security[:lowercase_url_encoding]`
`343`	`342`
`344`	`343`	`escaped.gsub!(/%[A-Fa-f0-9]{2}/) { \|match\| match.downcase }`
`345`	`344`	`end`