Release 1.3.0

pitbulk · pitbulk · commit 171a41e8a115 · 2016-06-24T19:03:23.000+02:00
diff --git a/README.md b/README.md
@@ -1,5 +1,9 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.2.x to 1.3.X
+
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes. It  adds security improvements in order to prevent Signature wrapping attacks. [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
 ## Updating from 1.1.x to 1.2.X
 
 Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom, refactor error handling and some minor improvements
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,10 @@
 # RubySaml Changelog
 
+### 1.3.0 (June 24, 2016)
+* [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
+* Fix XMLSecurity SHA256 and SHA512 uris
+* [#326](https://github.com/onelogin/ruby-saml/pull/326) Fix Destination validation
+
 ### 1.2.0 (April 29, 2016)
 * [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
 * [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -173,7 +173,7 @@ def status_code
           node = REXML::XPath.first(
             document,
             "/p:Response/p:Status/p:StatusCode",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           node.attributes["Value"] if node && node.attributes
         end
@@ -186,7 +186,7 @@ def status_message
           node = REXML::XPath.first(
             document,
             "/p:Response/p:Status/p:StatusMessage",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           node.text if node
         end
@@ -441,41 +441,40 @@ def validate_signed_elements
           {"ds"=>DSIG}
         )
         signed_elements = []
-        seis = []
-        ids = []
+        verified_seis = []
+        verified_ids = []
         signature_nodes.each do |signature_node|
           signed_element = signature_node.parent.name
           if signed_element != 'Response' && signed_element != 'Assertion'
-            return append_error("Found an unexpected Signature Element. SAML Response rejected")
+            return append_error("Invalid Signature Element '#{signed_element}'. SAML Response rejected")
           end
 
           if signature_node.parent.attributes['ID'].nil?
-            return append_error("Signed Element must contain ID. SAML Response rejected")
+            return append_error("Signed Element must contain an ID. SAML Response rejected")
           end
 
           id = signature_node.parent.attributes.get_attribute("ID").value
-          if ids.include?(id)
+          if verified_ids.include?(id)
             return append_error("Duplicated ID. SAML Response rejected")
           end
-          ids.push(id)
+          verified_ids.push(id)
 
           # Check that reference URI matches the parent ID and no duplicate References or IDs
           ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
           if ref
             uri = ref.attributes.get_attribute("URI")
             if uri && !uri.value.empty?
               sei = uri.value[1..-1]
-              id = signature_node.parent.attributes.get_attribute("ID").value
 
               unless sei == id
                 return append_error("Found an invalid Signed Element. SAML Response rejected")
               end
 
-              if seis.include?(sei)
+              if verified_seis.include?(sei)
                 return append_error("Duplicated Reference URI. SAML Response rejected")
               end
 
-              seis.push(sei)
+              verified_seis.push(sei)
             end
           end
 
diff --git a/lib/onelogin/ruby-saml/version.rb b/lib/onelogin/ruby-saml/version.rb
@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.2.0'
+    VERSION = '1.3.0'
   end
 end
