add additional tests

Author: zendesk-mradmacher

test/unit/test_response_signature_wrapping_attack.rb

@@ -1,55 +1,132 @@
 require File.expand_path("test/test_helper")
 
 describe Samlr do
-  describe "invalid multiple saml responses" do
+  # Zendesk acts as a SAML Service Provider (SP).
+  describe "signature wrapping attack" do
     let(:shared_id) { Samlr::Tools.uuid }
-    let(:xml_response_doc) do
-      options = {
-        :destination     => "https://example.org/saml/endpoint",
-        :in_response_to  => Samlr::Tools.uuid,
-        :name_id         => "[email protected]",
-        :audience        => "example.org",
-        :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
-        :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
-        :response_id     => Samlr::Tools.uuid,
-        skip_conditions: true,
-        sign_response: false,
-        sign_assertion: false,
-        assertion_id: shared_id,
-        certificate: TEST_CERTIFICATE
-      }
-      Samlr::Tools::ResponseBuilder.build(options)
-    end
+    # Most IdPs publish a public, signed metadata file.
+    # - The signature (<SignatureValue>) covers ONLY this EntityDescriptor and matches the data/ID exactly.
+    # - This is meant to be public so SPs (like Zendesk) can get the IdP’s public keys for SSO.
     let(:xml_metadata_doc) do
       options = {
         :entity_id            => "https://sp.example.com/saml2",
         :name_identity_format => "identity_format",
         :consumer_service_url => "https://support.sp.example.com/",
         :sign_metadata        => true,
-        metadata_id: shared_id,
-        certificate: TEST_CERTIFICATE
+        :metadata_id          =>  shared_id,
+        :certificate          => TEST_CERTIFICATE
       }
       Samlr::Tools::MetadataBuilder.build(options)
     end
-
     let(:fingerprint) { Samlr::Certificate.new(TEST_CERTIFICATE.x509).fingerprint.value }
-    let(:saml_response) { Samlr::Response.new(Base64.encode64(xml_response_doc), fingerprint: fingerprint) }
 
-    it "succeeds" do
+    it "is prevented by rejecting duplicate XML ID references" do
+      # The attacker crafts their own <Assertion>, filling in any identity/attributes.
+      options = {
+        :destination     => "https://example.org/saml/endpoint",
+        :in_response_to  => Samlr::Tools.uuid,
+        :name_id         => "[email protected]",
+        :audience        => "example.org",
+        :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
+        :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
+        :response_id     => Samlr::Tools.uuid,
+        :skip_conditions => true,
+        # This Assertion is not signed - meaning the attacker can put anything they want for the user, roles, etc.
+        :sign_assertion  => false,
+        :sign_response   => false,
+        :assertion_id    => shared_id,
+        :certificate     => TEST_CERTIFICATE
+      }
+      xml_response_doc = Samlr::Tools::ResponseBuilder.build(options)
+
       metadata_doc = Nokogiri::XML(xml_metadata_doc)
       response_doc = Nokogiri::XML(xml_response_doc)
 
-      metadata_signature_doc = metadata_doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
-      metadata_entity_descriptor_doc = metadata_doc.xpath("md:EntityDescriptor", Samlr::NS_MAP).first
-
       assertion_doc = response_doc.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first
-      assertion_doc.xpath("saml:Subject/saml:NameID").first.content = "[email protected]"
+      # The attacker embeds the entire valid, signed EntityDescriptor inside the assertion.
+      # Now there are two elements with same ID in the same doc:
+      # - The outer Assertion (attacker’s, unsigned, forged)
+      # - The nested EntityDescriptor (genuine, validly signed, but only public metadata)
+      metadata_entity_descriptor_doc = metadata_doc.xpath("md:EntityDescriptor", Samlr::NS_MAP).first
       assertion_doc.xpath("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", Samlr::NS_MAP).first.add_child(metadata_entity_descriptor_doc.dup)
+      # The attacker places everything in a single SAML Response document,
+      # and uses the real <Signature> (copied from metadata) at the <Response> or <Assertion> level referencing the duplicate ID.
+      #
+      # The public signature and certificate are left untouched - copied exactly as found.
+      # Only the outer Assertion is attacker-controlled (and unsigned).
+      # The document is constructed so that, if a SAML parser looks for a valid signature on any element with the shared ID (and not just on the assertion),
+      # it will pass signature validation on the wrong node (EntityDescriptor), and allows an attacker to log in with the fake assertion.
+      # According to SAML schema, the <Signature> needs to be placed after <Issuer>.
+      metadata_signature_doc = metadata_doc.xpath("md:EntityDescriptor/ds:Signature", Samlr::NS_MAP).first
       response_doc.at("/samlp:Response/saml:Issuer", Samlr::NS_MAP).add_next_sibling(metadata_signature_doc.dup)
 
       crafted_saml_response = Samlr::Response.new(Base64.encode64(response_doc.to_xml), fingerprint: fingerprint)
+
+      # Checks for duplicate values of the ID attribute.
+      # If two elements share the same ID, immediately treats the entire SAML Response as invalid.
+      # Signature references (<Reference URI="#META123"/>) must always point to exactly one unique element according to XML DSig/SAML spec.
+      # By rejecting duplicates, the signature can never be validated against a wrong element, like a nested public metadata node.
       error = assert_raises(Samlr::SignatureError) { crafted_saml_response.verify! }
       assert_equal "Expected 1 element with id #{shared_id}, found 2", error.details
     end
+
+    it "is prevented by not allowing signed and unsigned assertions with same ID" do
+      options = {
+        :destination     => "https://example.org/saml/endpoint",
+        :in_response_to  => Samlr::Tools.uuid,
+        :name_id         => "[email protected]",
+        :audience        => "example.org",
+        :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
+        :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
+        :assertion_id    => shared_id,
+        :skip_conditions => true,
+        :sign_assertion  => true,
+        :sign_response   => false,
+        :certificate     => TEST_CERTIFICATE
+      }
+      xml_response_doc = Samlr::Tools::ResponseBuilder.build(options)
+      response_doc = Nokogiri::XML(xml_response_doc)
+      assertion_doc = response_doc.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first.dup
+      # Duplicating the assertion with same ID, modified data and signature removed.
+      assertion_doc.xpath("saml:Subject/saml:NameID").first.content = "[email protected]"
+      assertion_doc.xpath("ds:Signature", Samlr::NS_MAP).first.remove
+      response_doc.xpath("/samlp:Response", Samlr::NS_MAP).at("./samlp:Status", Samlr::NS_MAP).add_next_sibling(assertion_doc)
+
+      # Never processes login data from any assertion or attribute that is NOT covered by a valid signature.
+      # It won't accept SAML Response with two assertions sharing same ID.
+      error = assert_raises(Samlr::SamlrError) { Samlr::Response.new(Base64.encode64(response_doc.to_xml(Samlr::COMPACT)), fingerprint: fingerprint) }
+      assert_equal "Schema validation failed", error.message
+      assert_match %r{Assertion', attribute 'ID': '#{shared_id}' is not a valid value of the atomic type 'xs:ID'}, error.details
+    end
+
+    it "is prevented by not allowing many assertions - signed and unsigned" do
+      options = {
+        :destination     => "https://example.org/saml/endpoint",
+        :in_response_to  => Samlr::Tools.uuid,
+        :name_id         => "[email protected]",
+        :audience        => "example.org",
+        :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
+        :not_before      => Samlr::Tools::Timestamp.stamp(Time.now - 60),
+        :assertion_id    => shared_id,
+        :skip_conditions => true,
+        :sign_assertion  => true,
+        :sign_response   => false,
+        :certificate     => TEST_CERTIFICATE
+      }
+      xml_response_doc = Samlr::Tools::ResponseBuilder.build(options)
+      response_doc = Nokogiri::XML(xml_response_doc)
+      assertion_doc = response_doc.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first.dup
+      # Duplicating the assertion with different ID, modified data and signature removed.
+      assertion_doc.xpath("saml:Subject/saml:NameID").first.content = "[email protected]"
+      assertion_doc['ID'] = Samlr::Tools.uuid
+      assertion_doc.xpath("ds:Signature", Samlr::NS_MAP).first.remove
+      response_doc.xpath("/samlp:Response", Samlr::NS_MAP).at("./samlp:Status", Samlr::NS_MAP).add_next_sibling(assertion_doc)
+
+      # Never processes login data from any assertion or attribute that is NOT covered by a valid signature.
+      # It won't accept SAML Response with two assertions.
+      crafted_saml_response = Samlr::Response.new(Base64.encode64(response_doc.to_xml(Samlr::COMPACT)), fingerprint: fingerprint)
+      error = assert_raises(Samlr::FormatError) { crafted_saml_response.verify! }
+      assert_equal "Invalid SAML response: unexpected number of assertions", error.message
+    end
   end
 end