Revert "validateSignature: Support XML docs that contain multiple sig…

…ned nodes (#455)" (#480) This reverts commit 43df9ad.
node-saml · Oct 29, 2020 · aa4fa86 · aa4fa86
1 parent 43df9ad
commit aa4fa86
Show file tree

Hide file tree

Showing 30 changed files with 2 additions and 1,920 deletions.
diff --git a/src/passport-saml/saml.ts b/src/passport-saml/saml.ts
@@ -614,11 +614,8 @@ class SAML {
   // See https://github.com/bergie/passport-saml/issues/19 for references to some of the attack
   //   vectors against SAML signature verification.
   validateSignature = function (fullXml, currentNode, certs) {
-    const xpathSigQuery = ".//*[" +
-                        "local-name(.)='Signature' and " +
-                        "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
-                        "descendant::*[local-name(.)='Reference' and @URI='#"+currentNode.getAttribute('ID')+"']" +
-                        "]";
+    const xpathSigQuery = ".//*[local-name(.)='Signature' and " +
+                        "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']";
     const signatures = xpath(currentNode, xpathSigQuery);
     // This function is expecting to validate exactly one signature, so if we find more or fewer
     //   than that, reject.

diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml