
switch from xmldom to @xmldom/xmldom #12

Open
mtica opened this issue Jan 30, 2023 · 3 comments


mtica commented Jan 30, 2023

xmldom is no longer maintained and is affected by https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39353

Please switch to https://www.npmjs.com/package/@xmldom/xmldom - the upgrade should be trivial as @xmldom/xmldom is developed by the same team and is fully backwards compatible.

billpatrianakos (Owner) commented

Thank you for the heads up. I would absolutely merge a change if someone made a pull request.

At this point in time I don't maintain any projects that use SAML in a JS environment, and I've also archived all of those projects from my dev machine after buying a new one, so just the setup alone would be tons of work for me. I keep this project up because I know there aren't any easy-to-use SAML libraries for Node around. If you or others think it's better I take this code down rather than let it hang out on the web with a vulnerability, I'm open to that as well.


rajpal1 commented Mar 7, 2024

Thank you for the heads up. In my case, when I use the new version of @xmldom/xmldom, it doesn't work for some users, while it works in other cases. When I use the old version of xmldom, it works for all users.

Errors encountered: [screenshot not captured]


rajpal1 commented Mar 7, 2024


Hi, I got the solution.

Old code:

```javascript
// Saml2js.parse
// -------------
// Private function.
// Parses raw SAML assertion to JS object.
// Module-level dependencies assumed from the project (not shown here): xmldom, xpath, lodash (_).
Saml2js.prototype.parse = function(saml) {
  // Decoding as 'ascii' clears the high bit of every byte, so any non-ASCII
  // character in the assertion is corrupted before the parser sees it.
  // new Buffer() is also deprecated in current Node releases.
  var xml = new Buffer(saml, 'base64').toString('ascii'),
      doc = new xmldom.DOMParser().parseFromString(xml),
      profile = {};

  // Select every child of the AttributeStatement regardless of namespace prefix.
  var attributes = xpath.select('//*[local-name() = "AttributeStatement"]/*', doc);
  attributes.forEach(function(attribute){
    var name = xpath.select('string(@name)', attribute);
    profile[_.camelCase(name)] = xpath.select('string(*[local-name() = "AttributeValue"]/text())', attribute);
  });

  return profile;
};
```

Latest code:

```javascript
// Saml2js.parse
// -------------
// Private function.
// Parses raw SAML assertion to JS object.
// Module-level dependencies assumed from the project (not shown here): @xmldom/xmldom, xpath, lodash (_).
Saml2js.prototype.parse = function(saml) {
  // Decode the base64 payload as UTF-8 so multibyte characters survive intact.
  var xml = Buffer.from(saml, 'base64').toString('utf-8'),
      doc = new xmldom.DOMParser().parseFromString(xml),
      profile = {};

  // Select every child of the AttributeStatement regardless of namespace prefix.
  var attributes = xpath.select('//*[local-name() = "AttributeStatement"]/*', doc);
  attributes.forEach(function(attribute){
    var name = xpath.select('string(@name)', attribute);
    profile[_.camelCase(name)] = xpath.select('string(*[local-name() = "AttributeValue"]/text())', attribute);
  });

  return profile;
};
```

Only this line changes:

`var xml = new Buffer(saml, 'base64').toString('ascii')` becomes `var xml = Buffer.from(saml, 'base64').toString('utf-8')`

and now the code will work in both cases.
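Why the decode step decides whether an assertion parses, as an added JavaScript example that is not part of saml2js or of this issue's code: Node's `'ascii'` decoding clears the high bit of every byte, so any UTF-8 multibyte character in the assertion (an accented user name, for instance) is corrupted before the parser ever sees it, which matches the "fails only for some users" symptom above. The assertion fragment and all function names below are constructed for this example.

```javascript
// Constructed sample: a minimal AttributeStatement carrying a non-ASCII
// attribute value, base64-encoded the way an IdP would deliver it.
const sampleXml =
  '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' +
  '<saml:Attribute Name="givenName">' +
  '<saml:AttributeValue>José</saml:AttributeValue>' +
  '</saml:Attribute></saml:AttributeStatement>';
const sampleB64 = Buffer.from(sampleXml, 'utf8').toString('base64');

// Legacy behaviour from the issue: decode the bytes as 'ascii'. Node unsets
// the high bit of each byte first, so the two UTF-8 bytes of "é" become two
// unrelated ASCII characters and the attribute value is silently mangled.
function decodeLegacy(b64) {
  return Buffer.from(b64, 'base64').toString('ascii');
}

// Fixed behaviour: decode the bytes as UTF-8, preserving every character.
function decodeUtf8(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Practitioner check: a decode is only trustworthy when re-encoding the
// resulting string reproduces the original bytes exactly. Returns true for
// a lossless decode, false when characters were altered or dropped.
function isLosslessDecode(b64, encoding) {
  const raw = Buffer.from(b64, 'base64');
  const text = raw.toString(encoding);
  return Buffer.from(text, 'utf8').equals(raw);
}

// Triage helper for the "some users only" symptom: only payloads containing
// bytes above 0x7F are affected by the 'ascii' decode at all.
function containsNonAscii(b64) {
  return Buffer.from(b64, 'base64').some((b) => b > 0x7f);
}

// Summary of both decodes over the sample, for a quick side-by-side look.
function compareDecodes(b64) {
  return {
    legacyIntact: decodeLegacy(b64).includes('José'),
    utf8Intact: decodeUtf8(b64).includes('José'),
    legacyLossless: isLosslessDecode(b64, 'ascii'),
    utf8Lossless: isLosslessDecode(b64, 'utf8'),
  };
}
```

Running `isLosslessDecode` on incoming assertions at the boundary is a cheap way to surface this class of bug before the XML parser reports a confusing error.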
