SAML-Toolkits · pitbulk · Oct 7, 2024 · Jul 8, 2024 · Jul 8, 2024 · Jul 9, 2024
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -86,7 +86,7 @@ Layout/FirstHashElementIndentation:
     - 'lib/ruby_saml/authrequest.rb'
     - 'lib/ruby_saml/metadata.rb'
 
-# Offense count: 4
+# Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: Width, AllowedPatterns.
 Layout/IndentationWidth:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,7 +15,13 @@
 * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
 * [#711](https://github.com/SAML-Toolkits/ruby-saml/pull/711) Standardize how RubySaml reads and formats certificate and private_key PEM values, including the `RubySaml::Util#format_cert` and `#format_private_key` methods.
 
-### 1.17.0
+### 1.18.0  (???)
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
+* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+
+### 1.17.0  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
@@ -55,6 +61,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.3  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2021)
 * [#575](https://github.com/SAML-Toolkits/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 
@@ -182,14 +191,12 @@
   * Require Issuer element. (Must match IdP EntityID).
   * Destination value can't be blank (if present must match ACS URL).
   * Check that the EncryptedAssertion element only contains 1 Assertion element.
-
 * [#335](https://github.com/SAML-Toolkits/ruby-saml/pull/335) Explicitly parse as XML and fix setting of Nokogiri options.
 * [#345](https://github.com/SAML-Toolkits/ruby-saml/pull/345)Support multiple settings.auth_context
 * More tests to prevent XML Signature Wrapping
 * [#342](https://github.com/SAML-Toolkits/ruby-saml/pull/342) Correct the usage of Mutex
 * [352](https://github.com/SAML-Toolkits/ruby-saml/pull/352) Support multiple AttributeStatement tags
 
-
 ### 1.3.1 (July 10, 2016)
 * Fix response_test.rb of gem 1.3.0
 * Add reference to Security Guidelines
@@ -302,7 +309,6 @@
 * [#111](https://github.com/SAML-Toolkits/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
 * [#108](https://github.com/SAML-Toolkits/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
 
-
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
 

diff --git a/README.md b/README.md
@@ -7,6 +7,9 @@
 Ruby SAML minor and tiny versions may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
+**There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409).
+Make sure you are using an updated version. (1.12.3 is safe)**
+
 ## Overview
 
 The Ruby SAML library is for implementing the client side of a SAML authorization,
@@ -983,14 +986,3 @@ end
 # Output XML with custom metadata
 MyMetadata.new.generate(settings)
 ```
-
-## Attribution
-
-Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
-copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
-under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
-be written entirely in future versions.
-
-## License
-
-Ruby SAML is made available under the MIT License. Refer to [LICENSE](LICENSE).
diff --git a/lib/ruby_saml/response.rb b/lib/ruby_saml/response.rb
@@ -825,7 +825,7 @@ def validate_name_id
         end
 
         if !(settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?) && (name_id_spnamequalifier != settings.sp_entity_id)
-            return append_error('SPNameQualifier value does not match the SP entityID value.')
+          return append_error('SPNameQualifier value does not match the SP entityID value.')
         end
       end
 

diff --git a/test/response_test.rb b/test/response_test.rb
@@ -1356,25 +1356,16 @@ def generate_audience_error(expected, actual)
       end
     end
 
-    # Gets the AuthnInstant from the AuthnStatement.
-    # Could be used to require re-authentication if a long time has passed
-    # since the last user authentication.
-    # @return [String] AuthnInstant value
-    #
-    def authn_instant
-      @authn_instant ||= begin
-        node = xpath_first_from_signed_assertion('/a:AuthnStatement')
-        node.nil? ? nil : node.attributes['AuthnInstant']
+    describe "#authn_instant" do
+      it "extract the value of the AuthnInstant attribute" do
+        assert_equal "2010-11-18T21:57:37Z", response.authn_instant
       end
     end
 
-    # Gets the AuthnContextClassRef from the AuthnStatement
-    # Could be used to require re-authentication if the assertion
-    # did not met the requested authentication context class.
-    # @return [String] AuthnContextClassRef value
-    #
-    def authn_context_class_ref
-      @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+    describe "#authn_context_class_ref" do
+      it "extract the value of the AuthnContextClassRef attribute" do
+        assert_equal "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", response.authn_context_class_ref
+      end
     end
 
     describe "#success" do

diff --git a/test/utils_test.rb b/test/utils_test.rb
@@ -363,11 +363,11 @@ def result(duration, reference = 0)
     end
 
     it 'successfully decrypts with the first private key' do
-      assert_match %r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [private_key])
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [private_key]))
     end
 
     it 'successfully decrypts with a subsequent private key' do
-      assert_match %r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key])
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key]))
     end
 
     it 'raises an error when there is only one key and it fails to decrypt' do
-Original file line number
+Diff line change
@@ Expand Up / @@ -825,7 +825,7 @@ def validate_name_id @@
             end
             if !(settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?) && (name_id_spnamequalifier != settings.sp_entity_id)
-                return append_error('SPNameQualifier value does not match the SP entityID value.')
+              return append_error('SPNameQualifier value does not match the SP entityID value.')
             end
           end
@@ Expand Down @@