Is pysaml2 affected by CVE-2017-11427? #497
Comments
I think so. If I understand what I think I do...
This, in turn, calls Line 1710 in 86cf3a4
That in turn calls Line 1843 in fd7a4f6
That in turn calls Line 1620 in fd7a4f6
That in turn calls Line 91 in 847e970
... which is the same library that OneLogin/python-saml had to patch here: SAML-Toolkits/python-saml@fad881b I think direct access of attributes on this DOM is risky. Instead, something like
I've been trying to reproduce, but I have not been able to yet. From what I can tell, the comments are stripped out appropriately. In my local environment, I intercepted the SAML Response, and injected the comment in the user value. Here is a simple version of the POC:
Also confirming in my system that pysaml2 already handles the injected comment fine, and the text before and after the comment are combined for the intended nameid. Same thing for an email attribute.
In that case, should this be closed? Do we need more confirmation here @c00kiemon5ter?
This is related to CVE-2017-11427[0] and VU#475445[1]

Related issues: IdentityPython#496 IdentityPython#497

Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and xml.etree.cElementTree parsers ignore comments. However, this commit makes sure that the ElementTree being used is set correctly through the defusedxml lib and centralizes the control of which functions are exposed and available for usage in the code.

Any code that needs a function to parse, modify or serialize XML should obtain it through the xml_safe module. The new module asks defusedxml to provide the function and if it is not available it will fall back to the one provided by xml.etree.cElementTree. This is a guarantee that functions like parse, fromstring et al are provided by the defusedxml lib.

[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
[1]: https://www.kb.cert.org/vuls/id/475445
[2]: https://duo.com
[3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Looks okay from @bqumsiyeh's attempt. This should probably be rolled into a pysaml2 test so people can easily verify behavior and if there are any changes to the XML library down the road you can be confident that it is still covered.
Hello,
Just a quick sanity check to ensure pysaml2 isn't affected by the SAML vulnerabilities announced:
https://www.kb.cert.org/vuls/id/475445
The note does not mention pysaml2, but it would be great to hear it from the horse's mouth.
I apologize if this is not the appropriate venue for this type of query.
John