don't allow duplicate saml:Assertion nodes at all

steved · steved · commit f72a7ad8c031 · 2014-03-25T19:39:51.000-07:00
diff --git a/lib/samlr/assertion.rb b/lib/samlr/assertion.rb
@@ -77,7 +77,7 @@ def verify_conditions!
     end
 
     def verify_assertion!
-      assertion_count = document.xpath(DEFAULT_LOCATION, NS_MAP).size
+      assertion_count = document.xpath("//saml:Assertion", NS_MAP).size
 
       if assertion_count == 0
         raise Samlr::FormatError.new("Invalid SAML response: assertion missing")
diff --git a/test/unit/test_response.rb b/test/unit/test_response.rb
@@ -46,8 +46,7 @@
       modified_document.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first["ID"] = "evil_id"
 
       response = Samlr::Response.new(modified_document.to_xml(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML), {:certificate => TEST_CERTIFICATE.x509})
-      assert_equal true, response.verify!
-      assert_equal "someone@example.org", response.name_id
+      assert_raises(Samlr::FormatError) { response.verify! }
     end
   end
 
