Merge 1.x branch into 2.x branch (squashed commits)

.rubocop_todo.yml

@@ -68,7 +68,7 @@ Layout/ExtraSpacing:
     - 'lib/ruby_saml/logoutrequest.rb'
     - 'lib/ruby_saml/response.rb'
 
-# Offense count: 6
+# Offense count: 8
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, IndentationWidth.
 # SupportedStyles: consistent, consistent_relative_to_receiver, special_for_inner_method_call, special_for_inner_method_call_in_parentheses
@@ -86,7 +86,7 @@ Layout/FirstHashElementIndentation:
     - 'lib/ruby_saml/authrequest.rb'
     - 'lib/ruby_saml/metadata.rb'
 
-# Offense count: 5
+# Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: Width, AllowedPatterns.
 Layout/IndentationWidth:
@@ -115,7 +115,7 @@ Layout/SpaceAroundEqualsInParameterDefault:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/utils.rb'
 
-# Offense count: 16
+# Offense count: 10
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowForAlignment, EnforcedStyleForExponentOperator, EnforcedStyleForRationalLiterals.
 # SupportedStylesForExponentOperator: space, no_space
@@ -125,19 +125,17 @@ Layout/SpaceAroundOperators:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/utils.rb'
     - 'lib/ruby_saml/xml/document.rb'
-    - 'lib/ruby_saml/xml/signed_document.rb'
 
-# Offense count: 3
+# Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
 # SupportedStyles: space, no_space
 # SupportedStylesForEmptyBraces: space, no_space
 Layout/SpaceInsideBlockBraces:
   Exclude:
     - 'lib/ruby_saml/idp_metadata_parser.rb'
-    - 'lib/ruby_saml/utils.rb'
 
-# Offense count: 37
+# Offense count: 28
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
 # SupportedStyles: space, no_space, compact
@@ -180,7 +178,7 @@ Lint/UselessAssignment:
   Exclude:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 41
+# Offense count: 42
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 100
@@ -194,39 +192,34 @@ Metrics/BlockLength:
 # Offense count: 8
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 652
+  Max: 661
 
-# Offense count: 26
+# Offense count: 29
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
   Max: 21
 
-# Offense count: 58
+# Offense count: 60
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
-  Max: 80
-
-# Offense count: 1
-# Configuration parameters: CountComments, CountAsOne.
-Metrics/ModuleLength:
-  Max: 300
+  Max: 77
 
 # Offense count: 1
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ModuleLength:
-  Max: 244
+  Max: 261
 
 # Offense count: 2
 # Configuration parameters: Max, CountKeywordArgs.
 Metrics/ParameterLists:
   MaxOptionalParameters: 4
 
-# Offense count: 24
+# Offense count: 25
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
   Max: 22
 
-# Offense count: 13
+# Offense count: 15
 Naming/AccessorMethodName:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
@@ -297,12 +290,11 @@ Performance/StringInclude:
     - 'lib/ruby_saml/logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
 
-# Offense count: 4
+# Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
 Performance/StringReplacement:
   Exclude:
     - 'lib/ruby_saml/metadata.rb'
-    - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 48
@@ -397,7 +389,7 @@ Style/HashSyntax:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 66
+# Offense count: 65
 # This cop supports safe autocorrection (--autocorrect).
 Style/IfUnlessModifier:
   Exclude:
@@ -413,7 +405,6 @@ Style/IfUnlessModifier:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/ruby_saml/xml/base_document.rb'
     - 'lib/ruby_saml/xml/document.rb'
     - 'lib/ruby_saml/xml/signed_document.rb'
 
@@ -432,11 +423,10 @@ Style/OptionalBooleanParameter:
     - 'lib/ruby_saml/utils.rb'
     - 'lib/ruby_saml/xml/signed_document.rb'
 
-# Offense count: 3
+# Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
 Style/RedundantRegexpArgument:
   Exclude:
-    - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 3
@@ -465,7 +455,7 @@ Style/StringConcatenation:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 339
+# Offense count: 335
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -484,7 +474,6 @@ Style/StringLiterals:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -502,7 +491,7 @@ Style/SymbolArray:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 104
+# Offense count: 107
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

CHANGELOG.md

@@ -15,7 +15,13 @@
 * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
 * [#711](https://github.com/SAML-Toolkits/ruby-saml/pull/711) Standardize how RubySaml reads and formats certificate and private_key PEM values, including the `RubySaml::Util#format_cert` and `#format_private_key` methods.
 
-### 1.17.0
+### 1.18.0  (???)
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
+* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+
+### 1.17.0  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
@@ -55,6 +61,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.3  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2021)
 * [#575](https://github.com/SAML-Toolkits/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 
@@ -182,14 +191,12 @@
   * Require Issuer element. (Must match IdP EntityID).
   * Destination value can't be blank (if present must match ACS URL).
   * Check that the EncryptedAssertion element only contains 1 Assertion element.
-
 * [#335](https://github.com/SAML-Toolkits/ruby-saml/pull/335) Explicitly parse as XML and fix setting of Nokogiri options.
 * [#345](https://github.com/SAML-Toolkits/ruby-saml/pull/345)Support multiple settings.auth_context
 * More tests to prevent XML Signature Wrapping
 * [#342](https://github.com/SAML-Toolkits/ruby-saml/pull/342) Correct the usage of Mutex
 * [352](https://github.com/SAML-Toolkits/ruby-saml/pull/352) Support multiple AttributeStatement tags
 
-
 ### 1.3.1 (July 10, 2016)
 * Fix response_test.rb of gem 1.3.0
 * Add reference to Security Guidelines
@@ -302,7 +309,6 @@
 * [#111](https://github.com/SAML-Toolkits/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
 * [#108](https://github.com/SAML-Toolkits/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
 
-
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
 

README.md

@@ -7,6 +7,9 @@
 Ruby SAML minor and tiny versions may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
+**There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409).
+Make sure you are using an updated version. (1.12.3 is safe)**
+
 ## Overview
 
 The Ruby SAML library is for implementing the client side of a SAML authorization,
@@ -983,14 +986,3 @@ end
 # Output XML with custom metadata
 MyMetadata.new.generate(settings)
 ```
-
-## Attribution
-
-Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
-copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
-under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
-be written entirely in future versions.
-
-## License
-
-Ruby SAML is made available under the MIT License. Refer to [LICENSE](LICENSE).

lib/ruby_saml/response.rb

@@ -825,7 +825,7 @@ def validate_name_id
         end
 
         if !(settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?) && (name_id_spnamequalifier != settings.sp_entity_id)
-            return append_error('SPNameQualifier value does not match the SP entityID value.')
+          return append_error('SPNameQualifier value does not match the SP entityID value.')
         end
       end
 

test/response_test.rb

@@ -1356,25 +1356,16 @@ def generate_audience_error(expected, actual)
       end
     end
 
-    # Gets the AuthnInstant from the AuthnStatement.
-    # Could be used to require re-authentication if a long time has passed
-    # since the last user authentication.
-    # @return [String] AuthnInstant value
-    #
-    def authn_instant
-      @authn_instant ||= begin
-        node = xpath_first_from_signed_assertion('/a:AuthnStatement')
-        node.nil? ? nil : node.attributes['AuthnInstant']
+    describe "#authn_instant" do
+      it "extract the value of the AuthnInstant attribute" do
+        assert_equal "2010-11-18T21:57:37Z", response.authn_instant
       end
     end
 
-    # Gets the AuthnContextClassRef from the AuthnStatement
-    # Could be used to require re-authentication if the assertion
-    # did not met the requested authentication context class.
-    # @return [String] AuthnContextClassRef value
-    #
-    def authn_context_class_ref
-      @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+    describe "#authn_context_class_ref" do
+      it "extract the value of the AuthnContextClassRef attribute" do
+        assert_equal "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", response.authn_context_class_ref
+      end
     end
 
     describe "#success" do

test/utils_test.rb

@@ -363,11 +363,11 @@ def result(duration, reference = 0)
     end
 
     it 'successfully decrypts with the first private key' do
-      assert_match %r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [private_key])
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [private_key]))
     end
 
     it 'successfully decrypts with a subsequent private key' do
-      assert_match %r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key])
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key]))
     end
 
     it 'raises an error when there is only one key and it fails to decrypt' do