Merge pull request from GHSA-m974-647v-whv7
8b7e3f5
Why do multiple root elements not get caught by the XML parser (it's an XML parsing error?) prior to signature validation?
8b7e3f5
An XML parser will gladly parse an XML document with multiple roots. Then, a signature can apply to only one root node. However, XPath can traverse multiple root nodes to find authn and authz information. So, one root node may be signed and then another, unsigned node, could contain authn and authz information, which is obviously a problem.
The solution was chosen because there should never be more than one root node with children in a valid SAML XML document. So, limiting things this way makes all further processing much simpler and more secure.
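The two-root problem described in the comment above, as an added example that is not part of this thread, of passport-saml or of node-saml: a deliberately lenient element-only XML parser standing in for xmldom (its simplifications are assumptions, not a description of xmldom), the document-wide lookup that an XPath such as `//*[local-name()='Assertion']` performs, and the single-root check the fix is described as introducing (written here in its strict form: exactly one root element, not merely one root with children). The sample response, all function names, and the use of a `Signature` element as a stand-in for a root that verifies are constructed for this example; real XML-DSig verification is out of scope.

```javascript
// Added example (not passport-saml / node-saml code). A minimal element-only
// XML parser that, like xmldom, keeps parsing after the first root element
// closes, so one document can carry several root elements. Simplifications
// (assumptions, not xmldom behaviour): no entities, no CDATA, quoted attrs only.
function parseLenient(xml) {
  const doc = { nodeName: '#document', childNodes: [] };
  const stack = [doc];
  const tokens = /<!--[\s\S]*?-->|<\?[\s\S]*?\?>|<\/([^\s>]+)\s*>|<([^\s/>]+)((?:\s+[^\s=]+="[^"]*")*)\s*(\/?)>|([^<]+)/g;
  let m;
  while ((m = tokens.exec(xml)) !== null) {
    const [, closeName, openName, attrText, selfClose, text] = m;
    const parent = stack[stack.length - 1];
    if (closeName !== undefined) {
      if (parent === doc || parent.nodeName !== closeName) throw new Error(`stray </${closeName}>`);
      stack.pop();                       // no error once the stack is back at the document level
    } else if (openName !== undefined) {
      const el = { nodeName: openName, localName: openName.split(':').pop(), attributes: {}, childNodes: [] };
      for (const a of attrText.matchAll(/([^\s=]+)="([^"]*)"/g)) el.attributes[a[1]] = a[2];
      parent.childNodes.push(el);        // a second top-level element is accepted silently
      if (!selfClose) stack.push(el);
    } else if (text !== undefined && text.trim() !== '') {
      parent.childNodes.push({ nodeName: '#text', textContent: text, childNodes: [] });
    }
  }
  if (stack.length !== 1) throw new Error('unclosed element');
  return doc;
}

// Constructed sample, not a real IdP response. The first root carries a
// Signature element (a stand-in for a root that verifies); the second does not.
const SIGNED_ROOT = `<samlp:Response ID="_signed" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>`;
const UNSIGNED_ROOT = `<samlp:Response ID="_forged" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>`;
const SINGLE_ROOT = `<?xml version="1.0"?>\n${SIGNED_ROOT}`;
const TWO_ROOTS = `<?xml version="1.0"?>\n${SIGNED_ROOT}\n${UNSIGNED_ROOT}`;

// What an XPath such as //*[local-name()='Assertion'] does: it walks every
// element under the document node, so it crosses root boundaries.
function findByLocalName(node, localName, out = []) {
  for (const child of node.childNodes) {
    if (child.localName === localName) out.push(child);
    findByLocalName(child, localName, out);
  }
  return out;
}

function textOf(el) {
  return el.childNodes.filter(n => n.nodeName === '#text').map(n => n.textContent).join('').trim();
}

function rootElements(doc) {
  return doc.childNodes.filter(n => n.nodeName !== '#text');
}

// Vulnerable shape: verify the Signature on the signed root, then pull identity
// from a document-wide Assertion lookup. Both assertions are visible, and
// nothing ties the one used to the root that was signed (taking the last match
// is one arbitrary choice an implementation might make).
function nameIdUnsafe(doc) {
  const assertions = findByLocalName(doc, 'Assertion');
  const chosen = assertions[assertions.length - 1];
  return textOf(findByLocalName(chosen, 'NameID')[0]);
}

// Hardened shape: refuse any document that does not have exactly one root
// element, then search only inside that root.
function assertSingleRoot(doc) {
  const roots = rootElements(doc);
  if (roots.length !== 1) throw new Error(`expected one root element, found ${roots.length}`);
  return roots[0];
}

function nameIdSafe(doc) {
  const root = assertSingleRoot(doc);
  const assertions = findByLocalName(root, 'Assertion');
  if (assertions.length !== 1) throw new Error(`expected one Assertion, found ${assertions.length}`);
  return textOf(findByLocalName(assertions[0], 'NameID')[0]);
}

function demo() {
  const twoRoots = parseLenient(TWO_ROOTS);
  let safeError = null;
  try { nameIdSafe(twoRoots); } catch (e) { safeError = e.message; }
  return {
    rootsParsed: rootElements(twoRoots).length,          // 2
    unsafeNameId: nameIdUnsafe(twoRoots),                // admin@example.test
    safeRejected: safeError,                             // expected one root element, found 2
    safeNameIdSingleRoot: nameIdSafe(parseLenient(SINGLE_ROOT)), // alice@example.test
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The hardened path rejects the two-root document before any lookup happens and accepts the same signed root on its own. A conforming parser would have refused the second root outright; the root-count check is the defence in depth you want when the parser in front of you is lenient.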
8b7e3f5
jindw/xmldom#150 (see the discussion about the fact that xmldom does not follow the standard, and instead allows multiple root nodes without either ignoring the malformed content after the first root node, or erroring). I see why you have chosen the solution you've chosen, but it's still broken at the XML parser level.
8b7e3f5
Some better solutions:
8b7e3f5
@frumioj, I'd love to see a PR with some of these solutions. You can either make the PR against the 3.x branch here, or over at node-saml, which will be what eventually powers a 4.x release here at passport-saml.
8b7e3f5
@frumioj, I've started a PR with some comments from @srd90 here. Feel free to comment there, or even make a PR against that branch with some suggestions.