Use new .signedReferences interace in xml-crypto to "see what is signed"#397
Merged
cjbarth merged 25 commits intonode-saml:masterfrom Jul 21, 2025
Merged
Conversation
# Conflicts: # package-lock.json # package.json # src/saml.ts # src/xml.ts
- Clean code
Collaborator
|
When I get back to my personal computer later today I can address those DeepScan issues if you don't get to it before then. |
Contributor
Author
|
@cjbarth , I fixed the issues. SHould be good now |
Collaborator
|
This has been released as 5.1.0. Since there were some other changes, that was the correct semver, but it should be compatible with the standard When @srd90 gets back in to his normal routine, I'm looking forward to his comments. I'm also looking forward to how we can clean all this up for a v6 release. |
AlbertPangilinan
pushed a commit
to Foxquilt/foxden-node-saml
that referenced
this pull request
Sep 22, 2025
AlbertPangilinan
added a commit
to Foxquilt/foxden-node-saml
that referenced
this pull request
Sep 23, 2025
* Bump xml-encryption from 3.0.1 to 3.0.2 (node-saml#236) Bumps [xml-encryption](https://github.com/auth0/node-xml-encryption) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/auth0/node-xml-encryption/releases) - [Commits](https://github.com/auth0/node-xml-encryption/commits) --- updated-dependencies: - dependency-name: xml-encryption dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump xml2js from 0.4.23 to 0.5.0 (node-saml#268) Bumps [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) from 0.4.23 to 0.5.0. - [Release notes](https://github.com/Leonidas-from-XIV/node-xml2js/releases) - [Commits](https://github.com/Leonidas-from-XIV/node-xml2js/commits/0.5.0) --- updated-dependencies: - dependency-name: xml2js dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Release 4.0.4 * Update minor dependencies (node-saml#269) * Improve audience mismatch error message (node-saml#257) * feat: add public getAuthorizeMessage method (node-saml#235) * Acknowledge that XML can be parsed to `any` (node-saml#271) * feat: support additionalParams on HTTP-POST binding (node-saml#263) * Make `callbackUrl` manditory (node-saml#214) * Add public key support (node-saml#225) Co-authored-by: Chris Barth <chrisjbarth@hotmail.com> * Remove types specific to Passport (node-saml#226) * Export types required for SamlOptions (node-saml#224) * Bump vm2 from 3.9.16 to 3.9.19 (node-saml#277) Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.16 to 3.9.19. - [Release notes](https://github.com/patriksimek/vm2/releases) - [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md) - [Commits](patriksimek/vm2@3.9.16...3.9.19) --- updated-dependencies: - dependency-name: vm2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump json5 from 2.2.1 to 2.2.3 (node-saml#244) Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.3. - [Release notes](https://github.com/json5/json5/releases) - [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md) - [Commits](json5/json5@v2.2.1...v2.2.3) --- updated-dependencies: - dependency-name: json5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump prettier from 2.8.7 to 2.8.8 (node-saml#274) Bumps [prettier](https://github.com/prettier/prettier) from 2.8.7 to 2.8.8. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@2.8.7...2.8.8) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @typescript-eslint/parser from 5.58.0 to 5.59.8 (node-saml#281) Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.58.0 to 5.59.8. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.8/packages/parser) --- updated-dependencies: - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump codecov/codecov-action from 3.1.1 to 3.1.4 (node-saml#279) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.1 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v3.1.1...v3.1.4) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update minor dependencies (node-saml#283) * Roll-up changelog entries for beta releases (node-saml#282) * Fix spelling and normalize naming (node-saml#278) * Remove express dependency (node-saml#284) * Prefer Chai `expect` to Node `assert` (node-saml#286) * Add test coverage (node-saml#287) * Separate linting out from testing (node-saml#288) * Remove dependency on Passport types (node-saml#296) * Add tests for XML parsing with comments (node-saml#285) * Bump concurrently from 7.6.0 to 8.2.0 (node-saml#290) Bumps [concurrently](https://github.com/open-cli-tools/concurrently) from 7.6.0 to 8.2.0. - [Release notes](https://github.com/open-cli-tools/concurrently/releases) - [Commits](open-cli-tools/concurrently@v7.6.0...v8.2.0) --- updated-dependencies: - dependency-name: concurrently dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @typescript-eslint/parser from 5.59.9 to 5.60.1 (node-saml#292) Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.9 to 5.60.1. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.1/packages/parser) --- updated-dependencies: - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump typescript from 4.8.4 to 5.1.6 (node-saml#293) Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.4 to 5.1.6. - [Release notes](https://github.com/Microsoft/TypeScript/releases) - [Commits](https://github.com/Microsoft/TypeScript/commits) --- updated-dependencies: - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Allow 5.x series for TypeScript --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump sinon from 14.0.2 to 15.2.0 (node-saml#294) Bumps [sinon](https://github.com/sinonjs/sinon) from 14.0.2 to 15.2.0. - [Release notes](https://github.com/sinonjs/sinon/releases) - [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md) - [Commits](sinonjs/sinon@v14.0.2...v15.2.0) --- updated-dependencies: - dependency-name: sinon dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump word-wrap from 1.2.3 to 1.2.4 (node-saml#298) Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/jonschlinkert/word-wrap/releases) - [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4) --- updated-dependencies: - dependency-name: word-wrap dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @typescript-eslint/parser from 5.59.9 to 5.62.0 (node-saml#299) Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.9 to 5.62.0. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.62.0/packages/parser) --- updated-dependencies: - dependency-name: "@typescript-eslint/parser" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @xmldom/xmldom from 0.8.8 to 0.8.10 (node-saml#301) Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom) from 0.8.8 to 0.8.10. - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](xmldom/xmldom@0.8.8...0.8.10) --- updated-dependencies: - dependency-name: "@xmldom/xmldom" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @typescript-eslint/eslint-plugin from 5.59.9 to 5.62.0 (node-saml#302) Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.9 to 5.62.0. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.62.0/packages/eslint-plugin) --- updated-dependencies: - dependency-name: "@typescript-eslint/eslint-plugin" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @types/node from 14.18.50 to 14.18.53 (node-saml#303) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.18.50 to 14.18.53. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @cjbarth/github-release-notes from 4.0.0 to 4.1.0 (node-saml#304) Bumps [@cjbarth/github-release-notes](https://github.com/cjbarth/github-release-notes) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/cjbarth/github-release-notes/releases) - [Changelog](https://github.com/cjbarth/github-release-notes/blob/master/CHANGELOG.md) - [Commits](cjbarth/github-release-notes@4.0.0...4.1.0) --- updated-dependencies: - dependency-name: "@cjbarth/github-release-notes" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump release-it from 15.11.0 to 16.1.3 (node-saml#305) Bumps [release-it](https://github.com/release-it/release-it) from 15.11.0 to 16.1.3. - [Release notes](https://github.com/release-it/release-it/releases) - [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md) - [Commits](release-it/release-it@15.11.0...16.1.3) --- updated-dependencies: - dependency-name: release-it dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump eslint from 8.42.0 to 8.45.0 (node-saml#306) Bumps [eslint](https://github.com/eslint/eslint) from 8.42.0 to 8.45.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](eslint/eslint@v8.42.0...v8.45.0) --- updated-dependencies: - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump prettier-plugin-packagejson from 2.4.3 to 2.4.5 (node-saml#307) Bumps [prettier-plugin-packagejson](https://github.com/matzkoh/prettier-plugin-packagejson) from 2.4.3 to 2.4.5. - [Release notes](https://github.com/matzkoh/prettier-plugin-packagejson/releases) - [Commits](matzkoh/prettier-plugin-packagejson@v2.4.3...v2.4.5) --- updated-dependencies: - dependency-name: prettier-plugin-packagejson dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump prettier from 2.8.8 to 3.0.0 (node-saml#300) Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@2.8.8...3.0.0) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Lint --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Chris Barth <chrisjbarth@hotmail.com> * Merge pull request from GHSA-vx8m-6fhw-pccw * Added verifyLogoutRequest to validatePostRequestAsync flow * Added bad expiration test * Updated IssueInstance to be in the past * Enforce valid setting for validateInResponseTo (node-saml#314) * Add test coverage for initialize() of saml.ts (node-saml#327) * Fixes `node-saml` not checking all `Audience`s in an `AudienceRestriction` (node-saml#340) * Upgrade to latest version of xml-crypto (node-saml#341) * Update to current Node versions (node-saml#342) * Fix metadata order (node-saml#334) Use the element order defined by "saml-schema-metadata-2.0.xsd" Closes node-saml#333 * Export generateServiceProviderMetadata (node-saml#337) * Rename `cert` to `idpCert` and `signingCert` to `publicCert` (node-saml#343) * Added X509 certificate to KeyInfo X509Data, if passed through options (node-saml#36) Co-authored-by: Ganesh Kshirsagar <ganesh.kshirsagar@nice.com> Co-authored-by: Barry Hagan <barryhagan@gmail.com> Co-authored-by: Chris Barth <chrisjbarth@hotmail.com> * Update minor dependencies and Node to 18 (node-saml#344) * Bump actions/checkout from 3 to 4 (node-saml#330) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump sinon and @types/sinon (node-saml#349) Bumps [sinon](https://github.com/sinonjs/sinon) and [@types/sinon](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sinon). These dependencies needed to be updated together. Updates `sinon` from 15.2.0 to 17.0.1 - [Release notes](https://github.com/sinonjs/sinon/releases) - [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md) - [Commits](sinonjs/sinon@v15.2.0...v17.0.1) Updates `@types/sinon` from 10.0.20 to 17.0.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sinon) --- updated-dependencies: - dependency-name: sinon dependency-type: direct:development update-type: version-update:semver-major - dependency-name: "@types/sinon" dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump eslint-plugin-deprecation from 1.5.0 to 2.0.0 (node-saml#347) Bumps [eslint-plugin-deprecation](https://github.com/gund/eslint-plugin-deprecation) from 1.5.0 to 2.0.0. - [Release notes](https://github.com/gund/eslint-plugin-deprecation/releases) - [Changelog](https://github.com/gund/eslint-plugin-deprecation/blob/master/CHANGELOG.md) - [Commits](gund/eslint-plugin-deprecation@v1.5.0...v2.0.0) --- updated-dependencies: - dependency-name: eslint-plugin-deprecation dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump eslint-config-prettier from 8.10.0 to 9.1.0 (node-saml#345) Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.0 to 9.1.0. - [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md) - [Commits](prettier/eslint-config-prettier@v8.10.0...v9.1.0) --- updated-dependencies: - dependency-name: eslint-config-prettier dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump eslint-plugin-prettier from 4.2.1 to 5.1.3 (node-saml#346) Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 4.2.1 to 5.1.3. - [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases) - [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md) - [Commits](prettier/eslint-plugin-prettier@v4.2.1...v5.1.3) --- updated-dependencies: - dependency-name: eslint-plugin-prettier dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump release-it from 16.3.0 to 17.0.5 (node-saml#348) Bumps [release-it](https://github.com/release-it/release-it) from 16.3.0 to 17.0.5. - [Release notes](https://github.com/release-it/release-it/releases) - [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md) - [Commits](release-it/release-it@16.3.0...17.0.5) --- updated-dependencies: - dependency-name: release-it dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Release 5.0.0 * Update sponsor acknowledgements (node-saml#365) * Docs: add pitch to encourage more sponsors (node-saml#366) * feat: improve error messages when validating pems (node-saml#373) * docs: Update README.md set never default validateInResponseTo (node-saml#384) * Adjust to support type stripping (node-saml#389) * Update xml-crypto to address CVE (node-saml#388) This update addresses the following CVE: CVE-2025-29774; CVE-2025-29775 * Release 5.0.1 * Update dependencies (node-saml#391) * Adjust linting rules for line endings (node-saml#393) * Export custom SamlStatusError (node-saml#394) * add CI test & lint for Node.js 22 (node-saml#386) * Use new .signedReferences interace in xml-crypto to "see what is signed" (node-saml#397) * Update sponsors: Stytch (node-saml#395) * Release 5.1.0 * Update to support Node strip-only TypeScript support (node-saml#407) * Security: remove debug dependency (node-saml#406) * ARCH-32 node_saml changes * ARCH-32_fixed test * ARCH-32 updated the review comments * ARCH-32 package.json changes * ARCH-32 updated package json * ARCH-32 access to public * upgraded circleci node version to 22 * updated yarn.lock * removed package-lock.json * reset config.yml except for node version * reset workflow.yml * added 22.x to node-version matrix * fixed package-lock.json * fixed package-lock.json and yarn.lock * fixed node version number in package.json --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Chris Barth <chrisjbarth@hotmail.com> Co-authored-by: gmhewett <gmhewett@users.noreply.github.com> Co-authored-by: aykutbulca <aykutbulca@gmail.com> Co-authored-by: Gert Sallaerts <1267900+GertSallaerts@users.noreply.github.com> Co-authored-by: RopoMen <RopoMen@users.noreply.github.com> Co-authored-by: jindazhao01 <137830289+jindazhao01@users.noreply.github.com> Co-authored-by: Adam Andreasson <hej@adamandreasson.se> Co-authored-by: 56 <kg0r0@yahoo.co.jp> Co-authored-by: Nikolay <catamphetamine@users.noreply.github.com> Co-authored-by: Salvador Ortiz <sog@msg.mx> Co-authored-by: Nathan Sarang-Walters <nwalters512@gmail.com> Co-authored-by: Ganesh Kshirsagar <ganeshakshirsagar@gmail.com> Co-authored-by: Ganesh Kshirsagar <ganesh.kshirsagar@nice.com> Co-authored-by: Barry Hagan <barryhagan@gmail.com> Co-authored-by: Mark Stosberg <mark@rideamigos.com> Co-authored-by: Kilian Finger <hey@kilianfinger.com> Co-authored-by: Kiran Mali <39133739+kdhttps@users.noreply.github.com> Co-authored-by: Manan Jadhav <166636237+manan-jadhav-ab@users.noreply.github.com> Co-authored-by: ahacker1 <alex@securesaml.com> Co-authored-by: howard-stytch <89414701+howard-stytch@users.noreply.github.com> Co-authored-by: suriyaka <106838750+suriyaka@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I added a new feature on xml-crypto, that returns the exact bytes that were signed. You can ONLY use the exact bytes that were signed by the SignedXML crypto and nothing else.
I then integrated this new feature into the node-saml library with backwards compatibility.
Security fix, apply see what is signed method
@srd90, @markstos can you review the PR.
This fixes the security vulnerability by loading from only signed contents.
To review:
We only care about SAML assertions/ authentication responses. I don't care about logout request/logout responses, because they aren't sensitive.
Security: Whether the SAML assertion FOR ALL PATHS is loaded from only signed contents.
Check whether getVerifiedXML returns only data from getSignedReferences()
Check whether there are code paths to change profile that are loaded from unverified XML.