esaml
Strip comments from SAML Response XML during scan
Let's say you get this kind of email claim in a SAML Response:

```xml
<saml:Attribute
    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">
    [email protected]@evil.com
  </saml:AttributeValue>
</saml:Attribute>
```
Using Samly you will get this assertion:

```elixir
%Samly.Assertion{
  attributes: %{
    "email" => "[email protected]@evil.com",
    ...
  },
  ...
}
```
But after modifying the response and adding an empty comment:

```xml
<saml:Attribute
    Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">
    [email protected]<!---->@evil.com
  </saml:AttributeValue>
</saml:Attribute>
```
the envelope signature verification will pass, and you will get:

```elixir
%Samly.Assertion{
  attributes: %{
    "email" => ["[email protected]", "@evil.com"],
    ...
  },
  ...
}
```
If your app expects multiple emails and takes the first one, it might assume the identity of a different user within the same organization.
We've been running this kind of fix ourselves for a while now (https://github.com/Recruitee/samly/commit/056298df41891b2f65400c0195469843bf55b49a), but now thought it might be better to update it in the core, if you agree.
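The split described above, reproduced and then closed off in Python with the standard library's `minidom`. This is an added example, not code from esaml, Samly or this PR; the `saml:Attribute` fragment and the address `alice@example.org` are constructed. `naive_values` mimics a consumer that treats every text node as a separate value, `strip_comments` mirrors the PR's approach (drop comments so the two halves collapse back into one text node), and `strict_values` is the consumer-side hardening: refuse any comment inside an `AttributeValue` and always join all of its text.

```python
"""Added example: how an XML comment splits a SAML AttributeValue, and two
defences. Not part of esaml/Samly; inputs are constructed."""
from xml.dom import minidom
from xml.dom.minidom import Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"


def email_attribute(value_markup: str) -> str:
    """Wrap the given value markup in a constructed <saml:Attribute> element."""
    return (
        f'<saml:Attribute xmlns:saml="{SAML_NS}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        f'Name="{EMAIL_CLAIM}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f'<saml:AttributeValue xsi:type="xs:string">{value_markup}</saml:AttributeValue>'
        "</saml:Attribute>"
    )


# Constructed inputs: the same value with and without an empty comment in it.
CLEAN = email_attribute("alice@example.org@evil.com")
COMMENT_SPLIT = email_attribute("alice@example.org<!---->@evil.com")


def parse(xml: str):
    """Namespace-aware DOM parse; comments are kept as Comment nodes."""
    return minidom.parseString(xml)


def _attribute_values(doc):
    return doc.getElementsByTagNameNS(SAML_NS, "AttributeValue")


def naive_values(doc) -> list:
    """Vulnerable consumer pattern: one value per text node. For COMMENT_SPLIT
    this yields ["alice@example.org", "@evil.com"], as the PR describes."""
    return [
        child.data
        for av in _attribute_values(doc)
        for child in av.childNodes
        if child.nodeType == Node.TEXT_NODE
    ]


def strip_comments(doc):
    """PR-style fix at DOM level: remove comment nodes under each value, then
    normalize() so adjacent text nodes merge back into one."""
    for av in _attribute_values(doc):
        for child in list(av.childNodes):
            if child.nodeType == Node.COMMENT_NODE:
                av.removeChild(child)
        av.normalize()
    return doc


def strict_values(doc) -> list:
    """Hardened consumer: reject comments inside a value outright, and join
    every text/CDATA child so no single node is ever mistaken for the value."""
    values = []
    for av in _attribute_values(doc):
        if any(c.nodeType == Node.COMMENT_NODE for c in av.childNodes):
            raise ValueError("comment inside saml:AttributeValue")
        text_parts = (
            c.data
            for c in av.childNodes
            if c.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
        )
        values.append("".join(text_parts))
    return values


def rejects_comments(xml: str) -> bool:
    """True if strict_values refuses the document because of a comment."""
    try:
        strict_values(parse(xml))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive, clean:      ", naive_values(parse(CLEAN)))
    print("naive, with comment:", naive_values(parse(COMMENT_SPLIT)))
    print("naive after strip:  ", naive_values(strip_comments(parse(COMMENT_SPLIT))))
    print("strict, clean:      ", strict_values(parse(CLEAN)))
    print("strict rejects:     ", rejects_comments(COMMENT_SPLIT))
```

The signature still verifies in the modified response because XML-DSig canonicalizes the signed content before hashing, and the usual exclusive C14N (without comments) discards comments, so the signed bytes are identical with or without `<!---->`; the parser that later extracts attribute values is the only place the comment has an effect, which is why stripping it during the scan (or refusing it, as `strict_values` does) is the right layer for the fix.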