Check for more than one Assertions (#179)

auth0 · Nov 30, 2022 · bb29aec · bb29aec
1 parent 101aa24
commit bb29aec
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/lib/passport-wsfed-saml2/wsfederation.js b/lib/passport-wsfed-saml2/wsfederation.js
@@ -59,6 +59,12 @@ WsFederation.prototype = {
       return callback(new Error('missing RequestedSecurityToken element'));
     }
 
+    // Check for more than one Assertions to conform with spec
+    var foundAssertions = xpath.select("//*[local-name(.)='Assertion']", token);
+    if (foundAssertions.length > 1) {
+      return callback(new Error('A RequestedSecurityToken can contain only one Assertion element.'));
+    }
+
     callback(null, token);
   },
 

diff --git a/test/wsfed.tests.js b/test/wsfed.tests.js
@@ -2,6 +2,8 @@ var expect = require('chai').expect;
 var server = require('./fixture/wsfed-server');
 var request = require('request');
 var cheerio = require('cheerio');
+const xpath = require('xpath');
+const DOMParser = require('xmldom').DOMParser;
 
 describe('wsfed', function () {
   before(function (done) {
@@ -12,6 +14,43 @@ describe('wsfed', function () {
     server.close(done);
   });
 
+  describe('Validations', () => {
+    it('returns 400 if we have more than one Assertion element', (done) => {
+      request.get({
+        jar: request.jar(),
+        uri: 'http://localhost:5050/login?wa=wsignin1.0&wtrealm=urn:fixture-test'
+      }, function (err, response, b){
+        if(err) return done(err);
+        expect(response.statusCode)
+          .to.equal(200);
+
+
+        const $ = cheerio.load(b);
+        const wresult = $('input[name="wresult"]').attr('value');
+        const wa = $('input[name="wa"]').attr('value');
+
+        const root = new DOMParser().parseFromString(wresult);
+        const assertion = xpath.select("//*[local-name(.)='Assertion']", root)[0];
+
+        const copiedAssertion = assertion.cloneNode(true);
+        assertion.appendChild(copiedAssertion);
+
+        const modifiedResult = root.toString();
+
+        request.post({
+          jar: request.jar(),
+          uri: 'http://localhost:5050/callback',
+          form: { wresult: modifiedResult, wa: wa }
+        }, function (err, response, _) {
+          if (err) return done(err);
+          expect(response.statusCode).to.equal(400);
+          done();
+        });
+      });
+    })
+
+  })
+
   describe('normal flow', function () {
     var user, r, bod, $;