Tighten clock skew checks for SAML. #97
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option.
gkwang
force-pushed
the
tighten-clockskew
branch
from
aca2061
to
2730dba
Compare
machuga
approved these changes
Sep 20, 2018
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 28, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) ## ✏️ Changes There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. ## 🔗 References [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ## 🎯 Testing ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated xmldom@0.1.27: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <matiasw@gmail.com> Co-authored-by: German Lena <german.lena@gmail.com> Co-authored-by: Sandrino Di Mattia <contact@sandrino.be> Co-authored-by: Mike Lee <mike.lee@auth0.com> Co-authored-by: Mike Lee <33419919+mikeops@users.noreply.github.com> Co-authored-by: Marcos Castany <marcos.castany@auth0.com> Co-authored-by: Gustavo Narea <gnarea@users.noreply.github.com> Co-authored-by: Eduardo Diaz <eduardo.diaz@auth0.com> Co-authored-by: radekk <radekk@auth0.com> Co-authored-by: Eduardo Diaz <eduardo.ds@gmail.com> Co-authored-by: Matthew Machuga <machuga@users.noreply.github.com> Co-authored-by: Robert <robert@robertlawson.net> Co-authored-by: Arkadiusz Kaɫkus <kalkus@10g.pl> Co-authored-by: gkwang <gkwang@notwebscale.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Fady Makram <fady@auth0.com> Co-authored-by: Jose Luis Diaz <diazjoseluis@gmail.com> Co-authored-by: Yamil Asusta <hello@yamilasusta.com> Co-authored-by: Robin Bijlani <robin.bijlani@auth0.com> Co-authored-by: Hernan Zalazar <hzalaz@users.noreply.github.com> Co-authored-by: Nico Sabena <nico.sabena@hotmail.com> Co-authored-by: KalleV <kvirtaneva@gmail.com>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated xmldom@0.1.27: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <matiasw@gmail.com> Co-authored-by: German Lena <german.lena@gmail.com> Co-authored-by: Sandrino Di Mattia <contact@sandrino.be> Co-authored-by: Mike Lee <mike.lee@auth0.com> Co-authored-by: Mike Lee <33419919+mikeops@users.noreply.github.com> Co-authored-by: Marcos Castany <marcos.castany@auth0.com> Co-authored-by: Gustavo Narea <gnarea@users.noreply.github.com> Co-authored-by: Eduardo Diaz <eduardo.diaz@auth0.com> Co-authored-by: radekk <radekk@auth0.com> Co-authored-by: Eduardo Diaz <eduardo.ds@gmail.com> Co-authored-by: Matthew Machuga <machuga@users.noreply.github.com> Co-authored-by: Robert <robert@robertlawson.net> Co-authored-by: Arkadiusz Kaɫkus <kalkus@10g.pl> Co-authored-by: gkwang <gkwang@notwebscale.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Fady Makram <fady@auth0.com> Co-authored-by: Jose Luis Diaz <diazjoseluis@gmail.com> Co-authored-by: Yamil Asusta <hello@yamilasusta.com> Co-authored-by: Robin Bijlani <robin.bijlani@auth0.com> Co-authored-by: Hernan Zalazar <hzalaz@users.noreply.github.com> Co-authored-by: Nico Sabena <nico.sabena@hotmail.com> Co-authored-by: KalleV <kvirtaneva@gmail.com>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated xmldom@0.1.27: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <matiasw@gmail.com> Co-authored-by: German Lena <german.lena@gmail.com> Co-authored-by: Sandrino Di Mattia <contact@sandrino.be> Co-authored-by: Mike Lee <mike.lee@auth0.com> Co-authored-by: Mike Lee <33419919+mikeops@users.noreply.github.com> Co-authored-by: Marcos Castany <marcos.castany@auth0.com> Co-authored-by: Gustavo Narea <gnarea@users.noreply.github.com> Co-authored-by: Eduardo Diaz <eduardo.diaz@auth0.com> Co-authored-by: radekk <radekk@auth0.com> Co-authored-by: Eduardo Diaz <eduardo.ds@gmail.com> Co-authored-by: Matthew Machuga <machuga@users.noreply.github.com> Co-authored-by: Robert <robert@robertlawson.net> Co-authored-by: Arkadiusz Kaɫkus <kalkus@10g.pl> Co-authored-by: gkwang <gkwang@notwebscale.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Fady Makram <fady@auth0.com> Co-authored-by: Jose Luis Diaz <diazjoseluis@gmail.com> Co-authored-by: Yamil Asusta <hello@yamilasusta.com> Co-authored-by: Robin Bijlani <robin.bijlani@auth0.com> Co-authored-by: Hernan Zalazar <hzalaz@users.noreply.github.com> Co-authored-by: Nico Sabena <nico.sabena@hotmail.com> Co-authored-by: KalleV <kvirtaneva@gmail.com>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated xmldom@0.1.27: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <matiasw@gmail.com> Co-authored-by: German Lena <german.lena@gmail.com> Co-authored-by: Sandrino Di Mattia <contact@sandrino.be> Co-authored-by: Mike Lee <mike.lee@auth0.com> Co-authored-by: Mike Lee <33419919+mikeops@users.noreply.github.com> Co-authored-by: Marcos Castany <marcos.castany@auth0.com> Co-authored-by: Gustavo Narea <gnarea@users.noreply.github.com> Co-authored-by: Eduardo Diaz <eduardo.diaz@auth0.com> Co-authored-by: radekk <radekk@auth0.com> Co-authored-by: Eduardo Diaz <eduardo.ds@gmail.com> Co-authored-by: Matthew Machuga <machuga@users.noreply.github.com> Co-authored-by: Robert <robert@robertlawson.net> Co-authored-by: Arkadiusz Kaɫkus <kalkus@10g.pl> Co-authored-by: gkwang <gkwang@notwebscale.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Fady Makram <fady@auth0.com> Co-authored-by: Jose Luis Diaz <diazjoseluis@gmail.com> Co-authored-by: Yamil Asusta <hello@yamilasusta.com> Co-authored-by: Robin Bijlani <robin.bijlani@auth0.com> Co-authored-by: Hernan Zalazar <hzalaz@users.noreply.github.com> Co-authored-by: Nico Sabena <nico.sabena@hotmail.com> Co-authored-by: KalleV <kvirtaneva@gmail.com>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated xmldom@0.1.27: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <matiasw@gmail.com> Co-authored-by: German Lena <german.lena@gmail.com> Co-authored-by: Sandrino Di Mattia <contact@sandrino.be> Co-authored-by: Mike Lee <mike.lee@auth0.com> Co-authored-by: Mike Lee <33419919+mikeops@users.noreply.github.com> Co-authored-by: Marcos Castany <marcos.castany@auth0.com> Co-authored-by: Gustavo Narea <gnarea@users.noreply.github.com> Co-authored-by: Eduardo Diaz <eduardo.diaz@auth0.com> Co-authored-by: radekk <radekk@auth0.com> Co-authored-by: Eduardo Diaz <eduardo.ds@gmail.com> Co-authored-by: Matthew Machuga <machuga@users.noreply.github.com> Co-authored-by: Robert <robert@robertlawson.net> Co-authored-by: Arkadiusz Kaɫkus <kalkus@10g.pl> Co-authored-by: gkwang <gkwang@notwebscale.com> Co-authored-by: Eva Sarafianou <eva.sarafianou@gmail.com> Co-authored-by: Fady Makram <fady@auth0.com> Co-authored-by: Jose Luis Diaz <diazjoseluis@gmail.com> Co-authored-by: Yamil Asusta <hello@yamilasusta.com> Co-authored-by: Robin Bijlani <robin.bijlani@auth0.com> Co-authored-by: Hernan Zalazar <hzalaz@users.noreply.github.com> Co-authored-by: Nico Sabena <nico.sabena@hotmail.com> Co-authored-by: KalleV <kvirtaneva@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changing default clock skew to 3 minutes to adhere to standard industry practice.
Also make clock skew a configurable option.