Change x509 dependency #142
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Dec 15, 2020
asmclean
approved these changes
Dec 17, 2020
|
When is this expected to get merged? |
frytg
approved these changes
Jan 4, 2021
|
Anyone here to turn this into a new version to make this all work on newer Node versions/platforms again? Or maybe even use the updated one with upgrades for the other dependencies (#144)? |
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 28, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) ## ✏️ Changes There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. ## 🔗 References [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ## 🎯 Testing ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
KalleV
added a commit
to LabShare-Archive/passport-wsfed-saml2
that referenced
this pull request
Sep 29, 2022
* initial commit * Initial commit * Add security notice to readme * Added logic to error if the options are missing the identityProviderUrl login endpoint * Updated the error message and added unit test cases * Added pattern match for expected generated URL * Switching from block-scoped declaration to var to fix TravisCI error * 3.0.6 * Removing the moment package dependency and removing all imports of the package * 3.0.7 * Fix issue with digest with extra whitespaces (auth0#70) * Added digest issue test * bumped library * remove github tag * Changed tag * Removing the package-lock.json file. This serves no purpose and should not be published per https://docs.npmjs.com/files/package-lock.json * Improve error message when signing certificate is invalid (auth0#72) * Improve error message when the provided signing certificate is invalid * Convert indentation to spaces * Added tests for the encoded XML value in an AttributeValue field (auth0#74) * Added tests for the encoded XML value in an AttributeValue field * Updated the xmldom dependency to point to a release tag. * 3.0.8 (auth0#73) * Fix remaining cases where an invalid identityProviderUrl isn't handled (auth0#77) We used to parse `options.identityProviderUrl` assuming it was a string, which failed when it wasn't. We'd fixed this in Samlp.getSamlRequestUrl(), but its siblings getSamlRequestParams() and getSamlRequestForm() were still susceptible. * 3.0.9 * fix signature location lookup * Update the security notice file with a new entry. * 3.0.10 (auth0#80) * Handle exception when signing a malformed requestTemplate (auth0#88) 3.0.11 Handle exception when signing a malformed requestTemplate * DF-38 Wrapping template parse to prevent uncaught (auth0#90) There is a situation in which the @@ VAR @@ can get goofed up and contain strings that will include part of the template itself. This will not parse correctly and throws an exception in the replace phase of the regex matching. I've wrapped it in a try/catch to prevent it from bringing the process down. Noting that this area looks problematic as it was recently patched in auth0#88 Version bumped to `3.0.12`. [Sentry Issue](https://sentry.io/auth0/auth0-server/issues/617753396/events/25564560312/) ✅ This change has unit test coverage * Isolating handling of malformed template (auth0#93) The `supplant` function will explode when a template is passed in this manner, so this will return a corresponding error message when handing the try/catch in this way. If we add proper XML validation down the line, we can widen this out. * Include option to check SAML certificate expiration (auth0#96) * add certificate expiration checking as an option (off by default) Drops Node4 support as well, though it was already failing on Node4 in master changes per machuga comments changes per machuga comments remove separate supported-versions list for saml * restore test we lost in bad squash * change some vars to lets and camel to snake case in tests * add test to ensure we can allow expired certs if we choose to * remove unneeded comment from tests * Fix documentation for ADFS strategy configuration. (auth0#95) * Tighten clock skew checks for SAML. (auth0#97) Changing default clock skew to 3 minutes to adhere to standard industry practice. Also make clock skew a configurable option. * Use crypto randombytes for uniqueness (auth0#104) * Use crypto randombytes for uniqueness * Conform id length with the spec * Added a variant of XSW test (auth0#107) Adding a variant of xml signature wrapping unit tests in light of recent samlify vulnerability. * Add support of new error message format (for OpenSSL errors) of Node.js (auth0#98) fixes auth0#75 @machuga Bugfix for issue `Invalid cert tests break with Node >= 8.7.0 auth0#75` * Add event for certificate expiration validation (auth0#114) * Add event for certificate expiration validation * emit always * fix * fix cert validation * 3.0.14 (auth0#115) * Fix x509 dependency (auth0#116) * Fix x509 dependency * 3.0.15 * change dependency * fix cert validation (auth0#118) * Catch x509 exeptions on invalid certificates (auth0#124) * 3.0.17 (auth0#125) * [Node 10] Update x509 (auth0#130) * [Node 10] Update x509 * 4.0.0 * Update travis * get rid of npm install * Fix securty deps. (auth0#137) * remove cryptiles * bump xml-encryption * express upgrade * bump request version (auth0#138) * Bump XML Crypto version (auth0#139) * use last xml-crypto * Change x509 dependency (auth0#142) * 4.2.0 * Bump xml-encryption to 1.2.1 for modern algorithm support (auth0#145) * new version: 4.3.0 (auth0#146) * Move CI away from Travis and to Github Actions (auth0#147) * Forgotten workflows folder (auth0#148) * Run tests on all branch pushes and PRs (auth0#149) * Use @auth0/xmldom (auth0#150) Use custom npm lib with custom versions of xmldom Tag v0.1.19-auth0.2 is now version v0.1.22 * Bump to 4.4.0 (auth0#151) * add Destination & AssertionConsumerServiceURL as SAML req template vars * 4.5.1 (auth0#155) * Drop node 10, update/consolidate dev deps (auth0#157) * Handle encoded CR entities in assertions (auth0#158) * Allow options.assertionConsumerServiceURL or options.callback (auth0#156) * Revert "Handle encoded CR entities in assertions (auth0#158)" (auth0#159) * chore(ci): configure Semantic Release publishing * chore: use npm i instead of npm ci * fix(pkg): upgrade xml-crypto to latest version Addresses: ``` npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0 ``` Co-authored-by: woloski <[email protected]> Co-authored-by: German Lena <[email protected]> Co-authored-by: Sandrino Di Mattia <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Mike Lee <[email protected]> Co-authored-by: Marcos Castany <[email protected]> Co-authored-by: Gustavo Narea <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: radekk <[email protected]> Co-authored-by: Eduardo Diaz <[email protected]> Co-authored-by: Matthew Machuga <[email protected]> Co-authored-by: Robert <[email protected]> Co-authored-by: Arkadiusz Kaɫkus <[email protected]> Co-authored-by: gkwang <[email protected]> Co-authored-by: Eva Sarafianou <[email protected]> Co-authored-by: Fady Makram <[email protected]> Co-authored-by: Jose Luis Diaz <[email protected]> Co-authored-by: Yamil Asusta <[email protected]> Co-authored-by: Robin Bijlani <[email protected]> Co-authored-by: Hernan Zalazar <[email protected]> Co-authored-by: Nico Sabena <[email protected]> Co-authored-by: KalleV <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
Replace
x509dependency fornode-forge.References
x509is abandoned.Testing
Checklist
master