Merge pull request auth0#79 from ziluvatar/fix-signature-location

sec: fix signature location lookup
TigerC10 · Mar 13, 2018 · f75211d · f75211d
2 parents 6d50336 + dca554e
commit f75211d
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 6 deletions.
diff --git a/SECURITY-NOTICE.md b/SECURITY-NOTICE.md
@@ -1,3 +1,27 @@
+Security vulnerability details for passport-wsfed-saml2 < 3.0.10
+===============================================================
+
+A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the proper location inside an "Assertion" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while
+maintaining the signature valid. This could allow an authenticated attacker to "remove" one group from his assertion or corrupt another field of an assertion.
+
+Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below:
+
+```
+{
+  "dependencies": {
+    "passport-wsfed-saml2": "^3.0.10"
+  }
+}
+```
+
+## Upgrade Notes
+
+This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
+
+You can read more details regarding the vulnerability [here](https://auth0.com/docs/security/bulletins/cve-2018-8085).
+
+
+
 Security vulnerability details for passport-wsfed-saml2 < 3.0.5
 ===============================================================
 

diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js
@@ -304,7 +304,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) {
   self.validateSignature(samlAssertion.toString(), {
     cert: self.options.cert,
     thumbprints: self.options.thumbprints,
-    signaturePath: ".//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) {
+    signaturePath: "/*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) {
     if (err) return callback(err);
 
     self.parseAssertion(samlAssertion, callback);

diff --git a/test/interop.tests.js b/test/interop.tests.js
diff --git a/test/saml20.tests.js b/test/saml20.tests.js