
Add option to fail hard if there should be valid top level signature and validation of top level signature failed #58

Closed
cjbarth opened this issue Apr 4, 2022 · 0 comments · Fixed by #83
Labels
enhancement New feature or request

Comments

cjbarth (Collaborator) commented Apr 4, 2022

Currently, if the validation of the top-level signature fails, we continue after setting a variable. We should have an option, or perhaps just fail, if we find a top-level signature that isn't valid. Right now, node-saml will allow an invalid top-level signature. This allowance allows for a whole class of crafty attacks that cause a top-level signature to be invalid, but which preserve the signature of an assertion. See node-saml/passport-saml#671 for a more thorough discussion of this matter.
