bump xmldom to 0.5.x since all lower versions have security issue #551
Conversation
|
Is there already release scheduled to get this change online? |
|
@gugu are there any blockers to merging this into a 2.x release? |
|
The head of |
|
I created a branch v2.x on my forked repo then open this PR #552 I think a maintainer will have to create a v2.x branch on this repo? Let me know if I can help. Thanks |
|
You have to create the PR against the commit you want to fork off of, for example, the latest 2.x tag. You created that PR to merge against |
|
Just wanted to know was this vulnerability exploitable in passport saml? I am going through https://mattermost.com/blog/securing-xml-implementations-across-the-web/. It seems like we need a round trip so that the signature is validated against different input and email is from different. Do we do that in passport-saml? cc @gugu |
|
@meetsuraj No one has reported that the vuln was exploitable through passport-saml. You are welcome to test yourself. |
|
I can confirm we are parsing data we have serialized ourselves, so it could very well be exploitable. Same for the new xmldom issue. Short term we should update xmldom whenever it's possible. Longer term we should avoid parsing anything we produced. I have plans, but it's a bit of work ;) |
|
FYI: The latest version of XMLDOM is: |
|
This update has already been made @catamphetamine : https://github.com/node-saml/node-saml/blob/42589290ecb3f800e5129d5d1a49eabf8b2026ae/package.json#L54 |
Description
xmldom versions <= 0.4.0 have security issue. Update xmldom dependency to 0.5.x and bump package version.
More information: GHSA-h6q6-9hqw-rwfv
After this fix as been merged, a new version of passport-saml should be released to npm.