saml icon indicating copy to clipboard operation
saml copied to clipboard

Published 20 hours ago verified publisher icon crewjam

fix: update goxmldsig to v1.2.0

Open lucasbbb opened this issue 3 years ago • 1 comments

This PR updates the github.com/russellhaering/goxmldsig v1.1.1 => v1.2.0.

err := etreeutils.TransformExcC14n(el, canonicalizerPrefixList, false)
if err != nil {
	panic(err)
}

This issue https://github.com/crewjam/saml/issues/436 has existed since https://github.com/crewjam/saml/pull/428.

lucasbbb avatar Jun 08 '22 03:06 lucasbbb

Bumping to version 1.2.0 pulls in this commit which changes how comments are handled.

This causes the TestSPRejectsInjectedComment test to fail with both comments enabled and disabled. That test was added as a regression to a security issue. I don't have my head around this right now, but I don't think we can bump to v1.2.0. I'm going to revert the dependabot-generated version bump for now.

crewjam avatar Jun 25 '22 13:06 crewjam

The issue is that the replacement is no longer valid:

y := strings.Replace(string(x), "[email protected]", "[email protected]<!-- and a comment -->.example.com", 1)

because the string in saml2:NameID has changed.

<saml2:NameID>ross@<!-- and a comment -->octolabs.io</saml2:NameID>

For the test to pass, the replacement should now be:

y := strings.Replace(string(x), "ross@<!-- and a comment -->octolabs.io", "[email protected]<!-- and a comment -->.example.com", 1)

greenpau avatar Dec 31 '22 13:12 greenpau

Once https://github.com/crewjam/saml/pull/478 is merged, this one will be resolved too, because the upgrade is included.

greenpau avatar Dec 31 '22 13:12 greenpau

Thanks!!!

crewjam avatar Dec 31 '22 14:12 crewjam

fixed in #478

crewjam avatar Jan 12 '23 21:01 crewjam