Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

validate_signature broken with recently released version of REXML (3.2.5) #577

Closed
maxfelsher opened this issue Apr 5, 2021 · 3 comments
Closed

validate_signature broken with recently released version of REXML (3.2.5) #577

maxfelsher opened this issue Apr 5, 2021 · 3 comments

Comments

@maxfelsher
Copy link

maxfelsher commented Apr 5, 2021
edited
Loading

With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling validate_signature leads to an exception:

REXML::ParseException: Garbage component exists at the end: <]>: </p:Response[@ID=$id]/ds:Signature]>
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb:28:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb:80:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath.rb:78:in `match'
/usr/local/rvm/gems/ruby-2.7.2/gems/ruby-saml-1.12.0/lib/onelogin/ruby-saml/response.rb:829:in `validate_signature'

It seems it doesn't like the ] at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
@seandilda
Copy link

I ran into the same issue a few minutes.

@maxfelsher
Copy link
Author

It looks like the closing square bracket was introduced in 059abe4 when "/p:Response[@ID=$id]" was changed to "/p:Response/ds:Signature]". I think that the bracket is unnecessary but wasn't breaking anything until now.

pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
See #577. Fix XPath typo incompatible with Rexml 3.2.5
b40edbf
pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
See #577. Fix XPath typo incompatible with Rexml 3.2.5
49a8b4c
pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
Merge pull request #578 from onelogin/fix_xpath
3ed4da3 
See #577. Fix XPath typo incompatible with Rexml 3.2.5
kwerle added a commit to cdd/ruby-saml that referenced this issue Apr 5, 2021
@kwerle
validate_signature broken with recently released version of REXML (3.…
4467c93 
…2.5) SAML-Toolkits#577

SAML-Toolkits#577

With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling validate_signature leads to an exception:

REXML::ParseException: Garbage component exists at the end: <]>: </p:Response[@id=$id]/ds:Signature]>
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb:28:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb:80:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath.rb:78:in `match'
/usr/local/rvm/gems/ruby-2.7.2/gems/ruby-saml-1.12.0/lib/onelogin/ruby-saml/response.rb:829:in `validate_signature'
It seems it doesn't like the ] at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
@kwerle kwerle mentioned this issue Apr 5, 2021
Closed
@pitbulk pitbulk closed this as completed Apr 5, 2021
@pitbulk
Copy link
Collaborator

pitbulk commented Apr 5, 2021

Thanks for reporting this. The typo was fixed and 1.12.1 released

@manmorjim manmorjim mentioned this issue Apr 22, 2021
Merged
@rileyanderson rileyanderson mentioned this issue May 3, 2021
Closed
@ericboehs ericboehs mentioned this issue May 3, 2021
Closed
7 tasks
This was referenced May 9, 2021
Closed
Closed
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue May 19, 2021
@n1zyy
Update ruby-saml
43f0e82 
The rexml upgrade exposed a dormant bug in ruby-saml:
SAML-Toolkits/ruby-saml#577

Shout-out to Riley Anderson for helping us identify this.
@n1zyy n1zyy mentioned this issue May 19, 2021
Merged
1 task
CGillen added a commit to OregonDigital/OD2 that referenced this issue Jun 9, 2021
@CGillen
Update ruby-saml to fix parse error in rexml
6fb5531 
SAML-Toolkits/ruby-saml#577
Capncavedan pushed a commit to intellum/ruby-saml that referenced this issue Jun 30, 2021
@pitbulk @Capncavedan
See SAML-Toolkits#577. Fix XPath typo incompatible with Rexml 3.2.5
9220104
@kennethc kennethc mentioned this issue Jul 14, 2021
Merged
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue Jul 20, 2021
@n1zyy
Catch up on security updates (#1293)
a78bdfd 
* Update rexml and Rails

rexml: 3.2.4 -> 3.2.5
rails: 5.2.4.5 -> 5.2.4.6

Both for CVEs

* Update ruby-saml

The rexml upgrade exposed a dormant bug in ruby-saml:
SAML-Toolkits/ruby-saml#577

Shout-out to Riley Anderson for helping us identify this.

* Remove security overrides

* Updates nokogiri

* Updates puma

* Extend the multi-year snooze on CVE-2015-9284 for now :-[

* Update addressable gem

Security fix
giladshanan added a commit to tablexi/nucore-open that referenced this issue Sep 1, 2021
@giladshanan
Update ruby-saml
58173ce 
SAML-Toolkits/ruby-saml#577
@klouvas klouvas mentioned this issue Sep 6, 2021
Open
romanrizzi added a commit to discourse/discourse-saml that referenced this issue Sep 22, 2021
@romanrizzi
DEV: Bump ruby-saml version from 1.7.2 to 1.13.0
acb285d 
We started seeing [this error](SAML-Toolkits/ruby-saml#577) on some of our sites, which has been fixed on 1.12.1.
@romanrizzi romanrizzi mentioned this issue Sep 22, 2021
Merged
romanrizzi added a commit to discourse/discourse-saml that referenced this issue Sep 22, 2021
@romanrizzi
DEV: Bump ruby-saml version from 1.7.2 to 1.13.0 (#35)
9d83628 
We started seeing [this error](SAML-Toolkits/ruby-saml#577) on some of our sites, which has been fixed on 1.12.1.
@pgwillia pgwillia mentioned this issue Nov 24, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pitbulk @maxfelsher @seandilda