Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix encryption for @xmldom/xmldom 0.8.6 upgrade #511

Merged
merged 3 commits into from Feb 26, 2023
Merged

Fix encryption for @xmldom/xmldom 0.8.6 upgrade #511

merged 3 commits into from Feb 26, 2023

Conversation

mastermatt
Copy link
Contributor

@xmldom/xmldom 0.8.6 included: "fix: Properly check nodes before replacement."
xmldom/xmldom#457

Which caused the .replaceChild calls in encryptAssertion and decryptAssertion to error with:

"Not found: child not in parent"

The root cause is a subtle difference in @xmldom/xmldom Document vs Element instances.
The previous code was asking xmldom to replace an element from a top-level Document with another top-level Document. The patch to xmldom 0.8.6 started the enforcement of .replaceChild being passed Nodes who share a common parent Node.

e.g. in the case of encryptAssertion: doc.replaceChild(encryptAssertionNode, rawAssertionNode).
It's important to distinguish that neither doc nor encryptAssertionNode are Element nodes, but instead Document Nodes. Meaning doc does not refer to the <samlp:Response> node, but instead a meta object one level up. To reference the Response tag, you instead use the Document#documentElement attribute.
Changing that line to the following as the same intended affect using the correct node references.
doc.documentElement.replaceChild(encryptAssertionNode.documentElement, rawAssertionNode)
I renamed a few of the variables in an attempt to clarify which are Documents.

Also fixes an issue where the ERR_NO_ASSERTION and ERR_UNDEFINED_ENCRYPTED_ASSERTION errors were not being thrown if exactly zero nodes were found.

fixes: #495

@mastermatt
fix: encryption for @xmldom/xmldom 0.8.6
f04359d 
`@xmldom/xmldom` 0.8.6 included: fix: Properly check nodes before replacement.
xmldom/xmldom#457

Which caused the `.replaceChild` calls in `encryptAssertion` and `decryptAssertion` to error with:
> "Not found: child not in parent"

The root cause is a subtle difference in `@xmldom/xmldom` `Document` vs `Element` instances.
The previous code was asking xmldom to replace an element from a top-level Document with another top-level Document. The patch to xmldom 0.8.6 started the enforcement of `.replaceChild` being passed `Nodes` who share a common parent Node.

e.g. in the case of `encryptAssertion`: `doc.replaceChild(encryptAssertionNode, rawAssertionNode)`.
It's important to distinguish that neither `doc` nor `encryptAssertionNode` are `Element` nodes, but instead `Document` Nodes. Meaning `doc` does _not_ refer to the `<samlp:Response>` node, but instead a meta object one level up. To reference the Response tag, you instead use the `Document#documentElement` attribute.
Changing that line to the following as the same intended affect using the correct node references.
`doc.documentElement.replaceChild(encryptAssertionNode.documentElement, rawAssertionNode)`
I renamed a few of the variables in an attempt to clarify which are `Documents`.

Also fixes an issue where the `ERR_NO_ASSERTION` and `ERR_UNDEFINED_ENCRYPTED_ASSERTION` errors were not being thrown if exactly zero nodes were found.

fixes: tngan#495
@mastermatt
fix test: remove sessionIndex from failing logout request tests
5c78b94 
Seems to have been accidentally added in tngan#501,
these never worked because `sessionIndex` is not part of the default logout request template,
so whether the extractor works or not, the creation of the request will not include the value.

And with this, the test suite passes again!
@mastermatt mastermatt mentioned this pull request Feb 14, 2023
Closed
KuSh
KuSh reviewed Feb 15, 2023
View reviewed changes
src/libsaml.ts Outdated Show resolved Hide resolved
src/libsaml.ts Outdated Show resolved Hide resolved
@mastermatt
Copy link
Contributor Author

@tngan I just want to make sure you're aware of this PR. It would be great if this could go in and published.
I'd like to upgrade and have one less CVE in my stack.

@tngan
Copy link
Owner

tngan commented Feb 25, 2023

@mastermatt I will review it within hours.

tngan
tngan requested changes Feb 25, 2023
View reviewed changes
Copy link
Owner

@tngan tngan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the change looks fine though, but why taking out the seesionIndex from test

test/flow.ts Show resolved Hide resolved
@tngan tngan merged commit 4540c1a into tngan:master Feb 26, 2023
@tngan
Copy link
Owner

tngan commented Feb 26, 2023

a patch release will be prepared later today

@mastermatt mastermatt deleted the fix-encryption-for-latest-xmldom branch February 26, 2023 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KuSh KuSh KuSh left review comments

@tngan tngan tngan requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Decrypt assertion broken
3 participants
@mastermatt @tngan @KuSh