Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

validate_signature broken with recently released version of REXML (3.2.5) #577

Closed
maxfelsher opened this issue Apr 5, 2021 · 3 comments
Closed

validate_signature broken with recently released version of REXML (3.2.5) #577

maxfelsher opened this issue Apr 5, 2021 · 3 comments

Comments

@maxfelsher
Copy link

maxfelsher commented Apr 5, 2021
edited
Loading

With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling validate_signature leads to an exception:

REXML::ParseException: Garbage component exists at the end: <]>: </p:Response[@ID=$id]/ds:Signature]>
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb:28:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb:80:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath.rb:78:in `match'
/usr/local/rvm/gems/ruby-2.7.2/gems/ruby-saml-1.12.0/lib/onelogin/ruby-saml/response.rb:829:in `validate_signature'

It seems it doesn't like the ] at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
@seandilda
Copy link

I ran into the same issue a few minutes.

@maxfelsher
Copy link
Author

It looks like the closing square bracket was introduced in 059abe4 when "/p:Response[@ID=$id]" was changed to "/p:Response/ds:Signature]". I think that the bracket is unnecessary but wasn't breaking anything until now.

pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
See #577. Fix XPath typo incompatible with Rexml 3.2.5
b40edbf
pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
See #577. Fix XPath typo incompatible with Rexml 3.2.5
49a8b4c
pitbulk added a commit that referenced this issue Apr 5, 2021
@pitbulk
Merge pull request #578 from onelogin/fix_xpath
3ed4da3 
See #577. Fix XPath typo incompatible with Rexml 3.2.5
kwerle added a commit to cdd/ruby-saml that referenced this issue Apr 5, 2021
@kwerle
validate_signature broken with recently released version of REXML (3.…
4467c93 
…2.5) SAML-Toolkits#577

SAML-Toolkits#577

With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling validate_signature leads to an exception:

REXML::ParseException: Garbage component exists at the end: <]>: </p:Response[@id=$id]/ds:Signature]>
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb:28:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb:80:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath.rb:78:in `match'
/usr/local/rvm/gems/ruby-2.7.2/gems/ruby-saml-1.12.0/lib/onelogin/ruby-saml/response.rb:829:in `validate_signature'
It seems it doesn't like the ] at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
@kwerle kwerle mentioned this issue Apr 5, 2021
Closed
@pitbulk pitbulk closed this as completed Apr 5, 2021
@pitbulk
Copy link
Collaborator

pitbulk commented Apr 5, 2021

Thanks for reporting this. The typo was fixed and 1.12.1 released

@manmorjim manmorjim mentioned this issue Apr 22, 2021
Merged
@rileyanderson rileyanderson mentioned this issue May 3, 2021
Closed
@ericboehs ericboehs mentioned this issue May 3, 2021
Closed
7 tasks
This was referenced May 9, 2021
Closed
Closed
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue May 19, 2021
@n1zyy
Update ruby-saml
43f0e82 
The rexml upgrade exposed a dormant bug in ruby-saml:
SAML-Toolkits/ruby-saml#577

Shout-out to Riley Anderson for helping us identify this.
@n1zyy n1zyy mentioned this issue May 19, 2021
Merged
1 task
CGillen added a commit to OregonDigital/OD2 that referenced this issue Jun 9, 2021
@CGillen
Update ruby-saml to fix parse error in rexml
6fb5531 
SAML-Toolkits/ruby-saml#577
Capncavedan pushed a commit to intellum/ruby-saml that referenced this issue Jun 30, 2021
@pitbulk @Capncavedan
See SAML-Toolkits#577. Fix XPath typo incompatible with Rexml 3.2.5
9220104
@kennethc kennethc mentioned this issue Jul 14, 2021
Merged
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue Jul 20, 2021
@n1zyy
Catch up on security updates (#1293)
a78bdfd 
* Update rexml and Rails

rexml: 3.2.4 -> 3.2.5
rails: 5.2.4.5 -> 5.2.4.6

Both for CVEs

* Update ruby-saml

The rexml upgrade exposed a dormant bug in ruby-saml:
SAML-Toolkits/ruby-saml#577

Shout-out to Riley Anderson for helping us identify this.

* Remove security overrides

* Updates nokogiri

* Updates puma

* Extend the multi-year snooze on CVE-2015-9284 for now :-[

* Update addressable gem

Security fix
giladshanan added a commit to wyeworks/nucore-open that referenced this issue Sep 1, 2021
@giladshanan
Update ruby-saml
58173ce 
SAML-Toolkits/ruby-saml#577
@klouvas klouvas mentioned this issue Sep 6, 2021
Open
romanrizzi added a commit to discourse/discourse-saml that referenced this issue Sep 22, 2021
@romanrizzi
DEV: Bump ruby-saml version from 1.7.2 to 1.13.0
acb285d 
We started seeing [this error](SAML-Toolkits/ruby-saml#577) on some of our sites, which has been fixed on 1.12.1.
@romanrizzi romanrizzi mentioned this issue Sep 22, 2021
Merged
romanrizzi added a commit to discourse/discourse-saml that referenced this issue Sep 22, 2021
@romanrizzi
DEV: Bump ruby-saml version from 1.7.2 to 1.13.0 (#35)
9d83628 
We started seeing [this error](SAML-Toolkits/ruby-saml#577) on some of our sites, which has been fixed on 1.12.1.
@pgwillia pgwillia mentioned this issue Nov 24, 2021
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pitbulk @maxfelsher @seandilda