Add tests for XML parsing with comments

[cjbarth]

These tests don't improve coverage, but they do make sure that there is no regression in dependent libraries, specifically around XML parsing.

[cjbarth]

@markstos , @srd90, I wrote this code a while ago, and I found it while cleaning up. It was still compatible with our code-base, so I've put up a PR. However, I don't want to include code that doesn't add value as that just adds maintenance overhead. What are your thoughts about including this?

[codecov]

Codecov Report

Merging #285 (e74c66f) into master (a32c441) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #285   +/-   ##
=======================================
  Coverage   81.49%   81.49%           
=======================================
  Files          11       11           
  Lines         816      816           
  Branches      252      252           
=======================================
  Hits          665      665           
  Misses         63       63           
  Partials       88       88           

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[srd90]

@cjbarth It seems that this PR contains also unrelated changes. Actual new code is Should parse XML with comments correctly.

---

IMHO it is never bad idea to add tests for cases which has caused problems with other systems that use XML parsers and especially with other security related systems which use XML.

This PR seems to add test for this issue:

• SAML Bypass vulnerability passport-saml#266

---

There is already at least one test which tests just XML parser:

node-saml/test/test-signatures.spec.ts

Lines 76 to 81 in 9657c66

	describe("Signatures - multiple roots are considered invalid", () => {
	it(
	"multiple roots => invalid",
	testOneResponse("/invalid/response.root-signed.multiple-root-elements.xml", XMLDOM_ERROR, 0)
	);
	});

so this new test would not be "outliner".

---

If you choose to keep this test here are few suggestions:

1. remove unrelated changes from this PR
2. add some comment to test which describes which issue it addresses
3. consider implementing this test so that it is tested via @node-saml/node-saml's public interface (i.e. yet another login message test). Why? because node-saml seems to be using two XML libraries xml2js and @xmldom/xmldom and at the end of the day what counts is that regardless of XML library (execution path etc) attribute value that pops out after authenticate method call must be correct.

---

btw. this PR's new test contains following XML snippets evil, evilCommentDoc and good.

evilCommentDoc and good are obvious but based on quick look I can't see whats so special at evil.

IMHO difference between evil and good is just email address (text node) which doesn't seem to contain anything dubious (in evil snippet).

[cjbarth]

1. remove unrelated changes from this PR

Done.

2. add some comment to test which describes which issue it addresses

Done.

3. consider implementing this test so that it is tested via @node-saml/node-saml's public interface

I had a look at this and I feel that we're probably OK on this one. The reason is that this test suite is specifically for the interface between xml.ts and saml.ts. Since we are testing at an internal API interface, it seems we're doing the right thing here. If we have any tests that result in exports just for the test, then I think we have a test we need to refactor; that is not the case here.

IMHO difference between evil and good is just email address (text node) which doesn't seem to contain anything dubious (in evil snippet).

That is good feedback. I've simplified the test to account for this.