Security updates #113
Conversation
Version 3.3 saw the introduction of more strict parsing of SAML messages. This caused EB to break when invalid data is set in the SAML response according to the SAML2 lib.
Interesting, the failing test is broken because of a SAML2 3.2 feature which I am yet to find.
OpenConext-profile/src/OpenConext/Profile/Tests/Entity/AuthenticatedUserTest.php, lines 141 to 154 in b4a44ee
The test works with SAML2 @ 3.1.6 but breaks on 3.2.6.
I've been researching the problem. The SAML2 lib used to have a very explicit check on the correctness of the EPTI attribute. This was added in: simplesamlphp/saml2@d3b8bb0 (simplesamlphp/saml2#60 and later simplesamlphp/saml2#76). Then @thijskh made the validation less harsh, by logging the problem instead of throwing an Exception, in this commit: simplesamlphp/saml2@6db9836, which landed in v3.2.3. In order to be compatible with versions >= v3.2.3 we need to update the test or make SAML2 more strict again. I'm opting for the first option. @thijskh, can you remember the reason for such a specific test case in the AuthenticatedUserTest.php? Is it something that happens often, having an assertion with more than one EPTI value?
That should really never happen. Does the commit history not tell anything about it? Otherwise safe to drop it.
Nope, no insights to be found in the git log. The test is actually more a test of the SAML bundle. Removing the test.
First, these tests are actually testing the StepUp SAML bundle and not really any features of Profile. Second, the SAML2 library no longer throws exceptions when more than one attribute value is set on the EPTI attribute. This is now logged. In accordance with the PO, we decided to remove these tests and rely on EB to never release more than one EPTI value. So, in addition to removing the tests, I also dropped the version constraint on SAML2 3.2.
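The thread above removes the only test that exercised the "more than one EPTI value" case and leaves enforcement to EB, since simplesamlphp/saml2 >= 3.2.3 only logs that condition instead of throwing. A relying party that still wants to refuse such a response has to check it itself. The following is an added example written for this page; it is not code from OpenConext-profile, the StepUp SAML bundle or the SAML2 library. It works on the raw `<saml:AttributeStatement>` with PHP's DOM extension only, so it does not depend on how any library version represents attribute values. Assumptions: EPTI is released under its OID name `urn:oid:1.3.6.1.4.1.5923.1.1.1.10`, each value is a `<saml:NameID>` element as the eduPerson schema defines, and the sample statement embedded below is constructed for the example (it deliberately carries two values, the case the removed test covered). The function name `checkEptiAttribute` is hypothetical.

```php
<?php
// Added example, not project or library code: reject an AttributeStatement whose
// eduPersonTargetedID (EPTI) attribute does not carry exactly one saml:NameID value.
declare(strict_types=1);

const SAML_NS   = 'urn:oasis:names:tc:SAML:2.0:assertion';
// Assumption: EPTI is released under its OID-based attribute name.
const EPTI_NAME = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10';

/**
 * Returns a list of problems found in the EPTI attribute.
 * An empty array means the statement is acceptable (including "no EPTI released").
 */
function checkEptiAttribute(string $attributeStatementXml): array
{
    $doc = new DOMDocument();
    // No network access while parsing; a SAML document must never fetch anything.
    $loaded = @$doc->loadXML($attributeStatementXml, LIBXML_NONET);
    if ($loaded === false) {
        return ['AttributeStatement is not well-formed XML'];
    }
    // A DOCTYPE has no business in a SAML message; refuse it rather than process entities.
    if ($doc->doctype !== null) {
        return ['AttributeStatement contains a DOCTYPE'];
    }

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('saml', SAML_NS);

    $problems = [];
    $attrs = $xpath->query("//saml:Attribute[@Name='" . EPTI_NAME . "']");
    if ($attrs->length === 0) {
        return $problems; // nothing to check
    }
    if ($attrs->length > 1) {
        $problems[] = sprintf('EPTI attribute appears %d times, expected once', $attrs->length);
    }

    foreach ($attrs as $attr) {
        $values = $xpath->query('saml:AttributeValue', $attr);
        // This is the check the removed test relied on: exactly one value.
        if ($values->length !== 1) {
            $problems[] = sprintf('EPTI has %d values, expected exactly 1', $values->length);
        }
        // Each value must be a single saml:NameID, not a bare string or anything else.
        foreach ($values as $i => $value) {
            $nameIds = $xpath->query('saml:NameID', $value);
            if ($nameIds->length !== 1 || trim($nameIds->item(0)->textContent) === '') {
                $problems[] = sprintf('EPTI value %d is not a single non-empty saml:NameID', $i + 1);
            }
        }
    }
    return $problems;
}

// Constructed sample: two EPTI values, which should be rejected.
$sample = <<<XML
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:AttributeValue>
    <saml:AttributeValue>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">def456</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
XML;

$problems = checkEptiAttribute($sample);
if ($problems !== []) {
    fwrite(STDERR, 'Rejecting response: ' . implode('; ', $problems) . PHP_EOL);
    exit(1);
}
echo "EPTI attribute is well-formed" . PHP_EOL;
```

Run against a response that reached the application layer, this check turns the library's log line back into a hard failure; with the constructed sample it exits non-zero because two values are present. If the decision in this PR stands, the same logic is better placed in EB's release path than in each relying party, but it is cheap to keep as a defensive test on the consumer side.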
Fix the security warnings that are reported by the security checker.
Note that we use the SimpleSAMLphp SAML2 library at version 3.2 until 3.3 is considered stable.