From 10427c5e4b853552ac3898dad0bf07a0d221bbfb Mon Sep 17 00:00:00 2001
From: Eduardo Diaz
Date: Wed, 7 Mar 2018 11:27:25 +0100
Subject: [PATCH 1/2] fix signature location lookup

---
 lib/passport-wsfed-saml2/saml.js | 2 +-
 test/interop.tests.js | 29 ++++++++++++++++++++++++++---
 test/saml20.tests.js | 4 ++--
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/lib/passport-wsfed-saml2/saml.js b/lib/passport-wsfed-saml2/saml.js
index a5b1561..b0caefd 100644
--- a/lib/passport-wsfed-saml2/saml.js
+++ b/lib/passport-wsfed-saml2/saml.js
@@ -304,7 +304,7 @@ SAML.prototype.validateSamlAssertion = function (samlAssertion, callback) {
 self.validateSignature(samlAssertion.toString(), {
 cert: self.options.cert,
 thumbprints: self.options.thumbprints,
- signaturePath: ".//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) {
+ signaturePath: "/*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" }, function(err) {
 if (err) return callback(err);
 self.parseAssertion(samlAssertion, callback);
diff --git a/test/interop.tests.js b/test/interop.tests.js
index 920271f..d053bdf 100644
--- a/test/interop.tests.js
+++ b/test/interop.tests.js
@@ -145,6 +145,29 @@ describe('interop', function () {
 });
 });
+ describe('signed assertion with Signature located in wrong place', function () {
+ var r;
+ var SAMLResponse = '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';
+
+ before(function (done) {
+ request.post({
+ jar: request.jar(),
+ uri: 'http://localhost:5051/callback',
+ form: { SAMLResponse: SAMLResponse }
+ }, function(err, response) {
+ if(err) return done(err);
+ r = response;
+ done();
+ });
+ });
+
+ it('should return error', function(){
+ console.log({ body: r.body });
+ expect(r.statusCode)
+ .to.equal(400);
+ });
+ });
+
 describe('signed assertion from ping', function () {
 var r, bod;
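Review bot: The new signaturePath pins the Signature to a direct child of the document root, but it checks only local-name() for that root, so any root element named Assertion in any namespace is accepted, whereas the Signature predicate does check namespace-uri(). If the namespace set for this code path is known, the same predicate style would close that gap, e.g. `/*[local-name(.)='Assertion' and namespace-uri(.)='urn:oasis:names:tc:SAML:2.0:assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']` — though if SAML 1.1 assertions also flow through validateSamlAssertion the predicate would need to admit that namespace too, which I cannot confirm from this hunk. Location alone also does not prove the signature covers the root element; that presumably rests on validateSignature checking the Reference URI against the root, which is outside this hunk, so a why-comment would help the next reader: `// Anchor to the root Assertion's own child Signature: './/' would accept a Signature nested under any element (CVE-2018-8085).`. validateSamlAssertion starts before and continues past this hunk.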
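Review bot: The new test asserts only `expect(r.statusCode).to.equal(400)`, so it would still pass if the callback rejected the fixture for an unrelated reason — an expired NotOnOrAfter in a 2018 fixture, for instance — which would mask a regression of the signature-location check rather than catch it. Asserting on the rejection reason as well would pin the behaviour, e.g. `expect(r.body).to.contain('Signature is missing');`, if the test server on :5051 echoes the validation error into the body; I cannot see that server from this hunk. The `console.log({ body: r.body });` inside the `it` block reads as a debugging leftover and should be dropped before merging. Both `describe` blocks in the hunk are complete, but the enclosing `describe('interop', ...)` starts and ends outside it.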
@@ -215,7 +238,7 @@ describe('interop', function () {
 var samlpOptions = {
 protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
- destinationUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev'
+ destinationUrl: 'https://pwctest.auth0.com/login/callback?connection=SiteminderDev'
 };
 var sm = new SamlPassport(samlOptions);
@@ -271,7 +294,7 @@ describe('interop', function () {
 var samlpOptions = {
 cert: cert,
- destinationUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test',
+ destinationUrl: 'https://netformx.auth0.com/login/callback?connection=emc-test',
 };
 var sm = new SamlPassport(samlOptions);
@@ -308,7 +331,7 @@ describe('interop', function () {
 var samlpOptions = {
 cert: cert,
- checkDestination: false
+ checkDestination: false
 };
 var sm = new SamlPassport(samlOptions);
diff --git a/test/saml20.tests.js b/test/saml20.tests.js
index 7203d8b..6029af0 100644
--- a/test/saml20.tests.js
+++ b/test/saml20.tests.js
@@ -206,7 +206,7 @@ describe('saml 2.0 assertion', function () {
 var profile = saml_passport.validateSamlAssertion(assertion, function (err, profile) {
 assert.ok(err);
 assert.ok(!profile);
- assert.equal(err.message, "Signature is missing (xpath: .//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])");
+ assert.equal(err.message, "Signature is missing (xpath: /*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])");
 done();
 });
 });
@@ -219,7 +219,7 @@ describe('saml 2.0 assertion', function () {
 var profile = saml_passport.validateSamlAssertion(assertion, function (err, profile) {
 assert.ok(err);
 assert.ok(!profile);
- assert.equal(err.message, "Signature was found more than one time (xpath: .//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])");
+ assert.equal(err.message, "Signature was found more than one time (xpath: /*[local-name(.)='Assertion']/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#'])");
 done();
 });
 });
From dca554e0af6ed3d9f3db2a730f4ff2a6da5a92e5 Mon Sep 17 00:00:00 2001
From: radekk
Date: Tue, 13 Mar 2018 12:43:41 +0100
Subject: [PATCH 2/2] Update the security notice file with a new entry.

---
 SECURITY-NOTICE.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/SECURITY-NOTICE.md b/SECURITY-NOTICE.md
index abb1404..39cd237 100644
--- a/SECURITY-NOTICE.md
+++ b/SECURITY-NOTICE.md
@@ -1,3 +1,27 @@
+Security vulnerability details for passport-wsfed-saml2 < 3.0.10
+===============================================================
+
+A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the proper location inside an "Assertion" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while
+maintaining the signature valid. This could allow an authenticated attacker to "remove" one group from his assertion or corrupt another field of an assertion.
+
+Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries. See below:
+
+```
+{
+ "dependencies": {
+ "passport-wsfed-saml2": "^3.0.10"
+ }
+}
+```
+
+## Upgrade Notes
+
+This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
+
+You can read more details regarding the vulnerability [here](https://auth0.com/docs/security/bulletins/cve-2018-8085).
+
+
+
 Security vulnerability details for passport-wsfed-saml2 < 3.0.5
 ===============================================================