Merge commit 'da829fc0216ed961ea7cb8a6234df65a60f51114' into CB/query…

…-string-signing * commit 'da829fc0216ed961ea7cb8a6234df65a60f51114': Use crypto.randomBytes for ID generation (node-saml#235) BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238 docs: Improve docs for privateKey format. Ref node-saml#230 Drop support for Node versions < 4. v0.20.2
cjbarth · Sep 10, 2018 · f266c34 · f266c34
2 parents 511a7f8 + da829fc
commit f266c34
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 18 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,8 +1,5 @@
 language: node_js
 node_js:
-  - "0.10"
-  - "0.12"
-  - "iojs"
   - "4.0"
   - "stable"
 

diff --git a/README.md b/README.md
@@ -117,7 +117,10 @@ The `decryptionCert` argument should be a public certificate matching the `decry
 
 Passport-SAML uses the HTTP Redirect Binding for its `AuthnRequest`s (unless overridden with the `authnRequestBinding` parameter), and expects to receive the messages back via the HTTP POST binding.
 
-Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the `privateCert` configuration key. For example:
+Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the `privateCert` configuration key. The certificate
+should start with `-----BEGIN PRIVATE KEY-----` on its own line and end with `-----END PRIVATE KEY-----` on its own line.
+
+For example:
 
 ```javascript
     privateCert: fs.readFileSync('./cert.pem', 'utf-8')

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
@@ -94,12 +94,7 @@ SAML.prototype.getCallbackUrl = function (req) {
 };
 
 SAML.prototype.generateUniqueID = function () {
-  var chars = "abcdef0123456789";
-  var uniqueID = "";
-  for (var i = 0; i < 20; i++) {
-    uniqueID += chars.substr(Math.floor((Math.random()*15)), 1);
-  }
-  return uniqueID;
+  return crypto.randomBytes(10).toString('hex');
 };
 
 SAML.prototype.generateInstant = function () {
@@ -512,15 +507,23 @@ SAML.prototype.validateSignature = function (fullXml, currentNode, cert) {
 
 SAML.prototype.validatePostResponse = function (container, callback) {
   var self = this;
-  var xml = new Buffer(container.SAMLResponse, 'base64').toString('utf8');
-  var doc = new xmldom.DOMParser().parseFromString(xml);
 
-  var inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");
-  if(inResponseTo){
-    inResponseTo = inResponseTo.length ? inResponseTo[0].nodeValue : null;
-  }
+  var xml, doc, inResponseTo;
 
   Q.fcall(function(){
+    xml = new Buffer(container.SAMLResponse, 'base64').toString('utf8');
+    doc = new xmldom.DOMParser({
+    }).parseFromString(xml);
+
+    if (!doc.hasOwnProperty('documentElement'))
+      throw new Error('SAMLResponse is not valid base64-encoded XML');
+
+    inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");
+
+    if(inResponseTo){
+      inResponseTo = inResponseTo.length ? inResponseTo[0].nodeValue : null;
+    }
+
     if(self.options.validateInResponseTo){
       if (inResponseTo) {
         return Q.ninvoke(self.cacheProvider, 'get', inResponseTo)

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "passport-saml",
-  "version": "0.20.1",
+  "version": "0.20.2",
   "license" : "MIT",
   "keywords": [
     "saml",
@@ -45,7 +45,7 @@
     "sinon": "^2.1.0"
   },
   "engines": {
-    "node": ">= 0.10.0"
+    "node": ">= 4"
   },
   "scripts": {
     "test": "mocha",

diff --git a/test/tests.js b/test/tests.js