
Commit 7b71596

vandernorthJeffrey
andauthored
validateSignature: Support XML docs that contain multiple signed nodes. Only select the signatures which reference the currentNode. (#481)
Co-authored-by: Jeffrey <jeffrey@grexx.net>
1 parent aa4fa86 commit 7b71596


27 files changed

+1724
-2
lines changed


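--- a/src/passport-saml/saml.ts
+++ b/src/passport-saml/saml.ts
@@ -614,8 +614,11 @@ class SAML {
 // See https://github.com/bergie/passport-saml/issues/19 for references to some of the attack
 // vectors against SAML signature verification.
 validateSignature = function (fullXml, currentNode, certs) {
-const xpathSigQuery = ".//*[local-name(.)='Signature' and " +
-"namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']";
+const xpathSigQuery = ".//*[" +
+"local-name(.)='Signature' and " +
+"namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
+"descendant::*[local-name(.)='Reference' and @URI='#"+currentNode.getAttribute('ID')+"']" +
+"]";
 const signatures = xpath(currentNode, xpathSigQuery);
 // This function is expecting to validate exactly one signature, so if we find more or fewer
 // than that, reject.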
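Review bot: The added line 620 splices `currentNode.getAttribute('ID')` straight into a single-quoted XPath string literal, and that ID comes from the very SAML document being verified, so a value containing a quote would change the meaning of the query rather than being matched as data. A missing attribute also yields the literal text `#null`, which silently selects no signatures; better to fail explicitly, e.g. `const id = currentNode.getAttribute('ID'); if (!id || id.includes("'")) throw new Error('Signed node has a missing or malformed ID attribute');` before building `xpathSigQuery`, and reuse `id` in the predicate. The new `Reference` predicate checks only `local-name(.)`, unlike the `Signature` predicate beside it which also pins `namespace-uri(.)`; adding `and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'` there would keep the two consistent. The body of `validateSignature` continues past the end of this hunk.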
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
3+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
4+
<samlp:Status>
5+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
6+
</samlp:Status>
7+
<saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
8+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
9+
<saml:Subject>
10+
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
11+
</saml:NameID>
12+
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
13+
<saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
14+
</saml:SubjectConfirmation>
15+
</saml:Subject>
16+
<saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
17+
<saml:Advice>
18+
<saml:Assertion ID="_cccccccccccccccccccccccccccccccc" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
19+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
20+
<saml:Subject>
21+
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
22+
vincent.vega@evil-corp.com
23+
</saml:NameID>
24+
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
25+
<saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
26+
</saml:SubjectConfirmation>
27+
</saml:Subject>
28+
<saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
29+
<saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
30+
<saml:AuthnContext>
31+
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
32+
</saml:AuthnContextClassRef>
33+
</saml:AuthnContext>
34+
</saml:AuthnStatement>
35+
<saml:AttributeStatement>
36+
<saml:Attribute Name="evil-corp.partner">
37+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
38+
Jules Winnfield
39+
</saml:AttributeValue>
40+
</saml:Attribute>
41+
</saml:AttributeStatement>
42+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>32by6AdEK8sMSSW24h3290YngOx6o14TtYirwH57Plc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>INVALID-IilJ1HabeLEMnQXR3olQgWQ6AzGgG/f0PdecFLSfOiOzXgHsEhnKdCoKrLvkFNW+GHMyw1FHfYE0TP+O62SFBxbzQVKD4VrlEAeJwISiH/MtLiFiARXYrvshD/vJOpQgiR3WJW3IuqsZPjrDzflnwr7CJ48TooTZVY3m0kDh+JCOKsaHg76cPOm51V+ZJmVe6aBPsIMRYyUJY4WcikpHvMDGL+MlUow0rC6qiJ2JzKTs/yAvp0TcRHSM//0s5h8Z4R67r/ECbLFs2f4WM1ggYKqZpasNQbeFFey4/XdRvRHDcQn711HxBLsam+qD6EFnJO7FWkV033F6WkDGwQheDA==</ds:SignatureValue></ds:Signature></saml:Assertion>
43+
</saml:Advice>
44+
<saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
45+
<saml:AuthnContext>
46+
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
47+
</saml:AuthnContextClassRef>
48+
</saml:AuthnContext>
49+
</saml:AuthnStatement>
50+
<saml:AttributeStatement>
51+
<saml:Attribute Name="evil-corp.egroupid">
52+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
53+
vincent.vega@evil-corp.com
54+
</saml:AttributeValue>
55+
</saml:Attribute>
56+
<saml:Attribute Name="evilcorp.givenname">
57+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vincent
58+
</saml:AttributeValue>
59+
</saml:Attribute>
60+
<saml:Attribute Name="evilcorp.sn">
61+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VEGA
62+
</saml:AttributeValue>
63+
</saml:Attribute>
64+
</saml:AttributeStatement>
65+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>MDfWSGB2QmoV3THz9KU/8vLcYnTO2G2Lf+0F/DNDu78=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>INVALID-INVALIDZ3KfW/E9VdUhxQN4nMNFFlp2g7A0SZV0dnU8UTqKT5loy0+lniWoSf2fJjX0fgEackedWBDGwY4hM2W1xbC3r0MlS3xXudRFQFY04uIeVStt/aYgSckDnUsffkXpsw2agGOav1bZdgNIblaZYt5nIBWRUFMmJUnaR5XJ1S311G0gGxBzOzw4jYqKoWfJ/3bygqZxCYhPmOFBYPi2tLIGPMhC0Gt1+lbO9ociMz3k+z5zWCXRqRfq6zN9Ks5x9adS0ofbbaXRArwfYfXUUaFA9XrkzphwdNZy0KJSfQWtHKMyddHVFepq38/GjipCSnYV6TiCA4YzYxsShnge4ctzjQ==</ds:SignatureValue></ds:Signature></saml:Assertion>
66+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>UvTBtpd/QsNbEZaTVdWTUj2vYN+oBjYg/gTmLYChv9A=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>INVALID-INVALIDdDu5iloo/Ah8Wf5oe80SZJMQsfsaKisKkPSCGXjquNOomqZsct+khxXiPWSrIksQmHtbcUtx1PExdZJ/P9BRjtYeUi/PRLiXz6rON+k9m2BVWmZUANXFF4yhZkU9q0WNPoETSpWR1laO3o0+sAwD6BoZu5q5+mBisg7OJLO61qB9c/VSc6ypH3JjcFzZm2Q8/R1LZtM/JtKbgzsR59SlSTKuW1Tz0pU0L700o/LfLBgyflfaSFUQxhlZmOpvxN9BKhpOU0czhvlKOMMndztlF0BLNVM1NyOjO6qcKvxxJoW6LGAzAUl9pWC6WoypzsIUnx+XUBsHyoz9I6Y1cikuZw==</ds:SignatureValue></ds:Signature></samlp:Response>
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
3+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
4+
<samlp:Status>
5+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
6+
</samlp:Status>
7+
<saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
8+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
9+
<saml:Subject>
10+
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
11+
</saml:NameID>
12+
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
13+
<saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
14+
</saml:SubjectConfirmation>
15+
</saml:Subject>
16+
<saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
17+
<saml:Advice>
18+
<saml:Assertion ID="_cccccccccccccccccccccccccccccccc" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
19+
<saml:Issuer>https://evil-corp.com</saml:Issuer>
20+
<saml:Subject>
21+
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
22+
vincent.vega@evil-corp.com
23+
</saml:NameID>
24+
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
25+
<saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
26+
</saml:SubjectConfirmation>
27+
</saml:Subject>
28+
<saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
29+
<saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
30+
<saml:AuthnContext>
31+
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
32+
</saml:AuthnContextClassRef>
33+
</saml:AuthnContext>
34+
</saml:AuthnStatement>
35+
<saml:AttributeStatement>
36+
<saml:Attribute Name="evil-corp.partner">
37+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
38+
Jules Winnfield
39+
</saml:AttributeValue>
40+
</saml:Attribute>
41+
</saml:AttributeStatement>
42+
</saml:Assertion>
43+
</saml:Advice>
44+
<saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
45+
<saml:AuthnContext>
46+
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
47+
</saml:AuthnContextClassRef>
48+
</saml:AuthnContext>
49+
</saml:AuthnStatement>
50+
<saml:AttributeStatement>
51+
<saml:Attribute Name="evil-corp.egroupid">
52+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
53+
vincent.vega@evil-corp.com
54+
</saml:AttributeValue>
55+
</saml:Attribute>
56+
<saml:Attribute Name="evilcorp.givenname">
57+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vincent
58+
</saml:AttributeValue>
59+
</saml:Attribute>
60+
<saml:Attribute Name="evilcorp.sn">
61+
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VEGA
62+
</saml:AttributeValue>
63+
</saml:Attribute>
64+
</saml:AttributeStatement>
65+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>kObrMLtwlZT3OYmstzY2kzYZN8CcmcYla1af9ZT/9/0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>INVALID-vc2FGUjV17K+lHN186mhOMvBfgyTNnkM/67byJqlQUR0MCaTigBtcKtkr4dZm05umtnl7QHX35TAUByGtaggk8lj/3Ge+R086/8GGIgAUctwNGPlUtOnLXmvW7JQj70BeTXaS1QBsDamkePzCGxQDI92wKw3CPkFsX2lXLAgSLtfzOmnJqvxU6x+ItYY7ocnoruuEMvS7YYpJ+CGqe6nQ5zdglD2JVefjWXUq7sU1J2mZ9f1WoHdTWBUvwX0BgEUg/DFknueBaI7ZlxoL7eIs4pen4DcLTtUTsHX50L1cr4piaEwqqSj1U/pvfqa5Zpn/VLmAx2ia0ZCHlYN1LIeXw==</ds:SignatureValue></ds:Signature></saml:Assertion>
66+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>vEwbdEHKTaKHy0gAH81FzX22qUlbHDiIz25CdLDIUHA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>INVALID-UurDWgiukshWcaeh6wT6uQS8xLGpJ+SwmgG6lynlrI/IH3k6ltdwiODjRUwQqY6C1UtH1h0cdJR+B2VB4a3w62XEM1qZChyO1QQ85JYyWfqhhkml8XQkZbtjBihc5Rd4Zy0h4B48+yO8f5SN18E9RWLAWOpV1fc+fbDB+cuxMjHVbH5/UyPyGWObETpSP8EaVym/EOUHiUSxYgZz3gN2RGZKryBOYePeN7Yft/rNLkC2aWSjJ6uaIUUty2DeeqtWF0cEW+mSbo1xjZfN96eGfXGhyrhRBTQSioYxphMlj5Hp1Vx/3lWw+E11JRjdsoksFxvdF38I4Xzf5/Qm9DQxCQ==</ds:SignatureValue></ds:Signature></samlp:Response>
