From 5e25e09e502a512d2105d0e1ef5a19d2bc688d8a Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:08:20 -0700
Subject: [PATCH 1/8] chore: Ignore additional files for npm
---
 .npmignore | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.npmignore b/.npmignore
index 2537dd6..47a8265 100644
--- a/.npmignore
+++ b/.npmignore
@@ -3,3 +3,6 @@ coverage
 node_modules
 lib
 *.html
+.circleci/
+.github/
+.nvmrc
From 964a5a0bb492ee2dffe804b8145291b7d8863072 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:09:22 -0700
Subject: [PATCH 2/8] deps: Update xml-encryption from ^1.2.1 to ^2.0.0 Closes #252.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 8236087..14e68ee 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,7 @@
 "debug": "^4.3.0",
 "underscore": "^1.8.0",
 "xml-crypto": "^2.0.0",
- "xml-encryption": "^1.2.1",
+ "xml-encryption": "^2.0.0",
 "xml2js": "^0.4.0",
 "xmlbuilder2": "^2.4.0",
 "xmldom": "^0.4.0"
From 9299ffaa9fb3c74322eb2a6cf805038f659b2000 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:14:14 -0700
Subject: [PATCH 3/8] deps: Update xmldom ^0.4.0 to @xmldom/xmldom ^0.8.3 Closes #237, #232, #248, #246, #240, #234.
---
 lib/saml2.coffee | 2 +-
 package.json | 2 +-
 test/saml2.coffee | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index 0490c77..216d1a2 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -7,7 +7,7 @@ url = require 'url'
 util = require 'util'
 xmlbuilder = require 'xmlbuilder2'
 xmlcrypto = require 'xml-crypto'
-xmldom = require 'xmldom'
+xmldom = require '@xmldom/xmldom'
 xmlenc = require 'xml-encryption'
 zlib = require 'zlib'
 SignedXml = require('xml-crypto').SignedXml
diff --git a/package.json b/package.json
index 14e68ee..9f432f9 100644
--- a/package.json
+++ b/package.json
@@ -38,6 +38,6 @@
 "xml-encryption": "^2.0.0",
 "xml2js": "^0.4.0",
 "xmlbuilder2": "^2.4.0",
- "xmldom": "^0.4.0"
+ "@xmldom/xmldom": "^0.8.3"
 }
 }
diff --git a/test/saml2.coffee b/test/saml2.coffee
index 54f35fa..d74ed10 100644
--- a/test/saml2.coffee
+++ b/test/saml2.coffee
@@ -7,7 +7,7 @@ fs = require 'fs'
 saml2 = require "#{__dirname}/../lib/saml2"
 url = require 'url'
 util = require 'util'
-xmldom = require 'xmldom'
+xmldom = require '@xmldom/xmldom'
 xmlcrypto = require 'xml-crypto'
 describe 'saml2', ->
From 3de2fd6003b06f2140b658e8e7cb0439f2b289f7 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:21:34 -0700
Subject: [PATCH 4/8] deps: Update xml-crypto from ^2.0.0 to ^3.0.0
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 9f432f9..e4aea19 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
 "async": "^3.2.0",
 "debug": "^4.3.0",
 "underscore": "^1.8.0",
- "xml-crypto": "^2.0.0",
+ "xml-crypto": "^3.0.0",
 "xml-encryption": "^2.0.0",
 "xml2js": "^0.4.0",
 "xmlbuilder2": "^2.4.0",
From b13ee9d059fee2bc8f24df6de80a8c2d047a28bd Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:27:55 -0700
Subject: [PATCH 5/8] chore: Tidy dependencies
---
 package.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index e4aea19..d2b715f 100644
--- a/package.json
+++ b/package.json
@@ -10,8 +10,8 @@
 },
 "scripts": {
 "build": "coffee --bare -c -o lib-js lib",
- "test": "NODE_ENV=test mocha --require coffee-script/register test/*.coffee",
- "test-cov": "NODE_ENV=test nyc --extension .coffee -r html -r text mocha --require coffee-script/register test/*.coffee",
+ "test": "NODE_ENV=test mocha --require coffeescript/register test/*.coffee",
+ "test-cov": "NODE_ENV=test nyc --extension .coffee -r html -r text mocha --require coffeescript/register test/*.coffee",
 "prepare": "npm run build"
 },
 "repository": {
@@ -26,18 +26,18 @@
 "url": "https://github.com/Clever/saml2/issues"
 },
 "devDependencies": {
- "coffee-script": "^1.12.0",
+ "coffeescript": "^1.12.7",
 "mocha": "^8.2.0",
 "nyc": "^15.0.0"
 },
 "dependencies": {
+ "@xmldom/xmldom": "^0.8.3",
 "async": "^3.2.0",
 "debug": "^4.3.0",
 "underscore": "^1.8.0",
 "xml-crypto": "^3.0.0",
 "xml-encryption": "^2.0.0",
 "xml2js": "^0.4.0",
- "xmlbuilder2": "^2.4.0",
- "@xmldom/xmldom": "^0.8.3"
+ "xmlbuilder2": "^2.4.0"
 }
 }
From beeb396bbe1a9d04e3cd97a6e834e4f1f4e7ace6 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:39:48 -0700
Subject: [PATCH 6/8] deps: Update mocha from ^8.2.0 to ^8.4.0 9.0.0 breaks compatability with Node v10.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index d2b715f..ac734d0 100644
--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
 },
 "devDependencies": {
 "coffeescript": "^1.12.7",
- "mocha": "^8.2.0",
+ "mocha": "^8.4.0",
 "nyc": "^15.0.0"
 },
 "dependencies": {
From 50e8ce68a54c76ef91a002d7f1043ded1eff6ccf Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:40:24 -0700
Subject: [PATCH 7/8] chore: Remove whitespace normalization before xml-crypto calls For [0]. Any usage of @xmldom/xmldom >= 0.8.0 will normalize these, see [1] and [2]. The current xml-encryption (2.0.0) does not do this normalization, but will in 2.0.1 [3]. It's technically within the path of xmlenc.decrypt() [4], but this follows how assertions have been handled (not handling non-normalized whitespace). For xml-crypto, this was changed in 3.0.0 with [5]. [0] https://github.com/Clever/saml2/blob/6da3e9c39c326a2f6793bb87c6d12c9ab4446585/lib/saml2.coffee#L242-L245 [1] https://github.com/xmldom/xmldom/pull/307 [2] https://github.com/xmldom/xmldom/pull/314 [3] https://github.com/auth0/node-xml-encryption/pull/101 [4] https://github.com/auth0/node-xml-encryption/blob/291f3f10d5d1d571a3b6da2d411aa323398f5650/lib/xmlenc.js#L185 [5] https://github.com/yaronn/xml-crypto/pull/261
---
 lib/saml2.coffee | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index 216d1a2..fcc1294 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -239,10 +239,7 @@ decrypt_assertion = (dom, private_keys, cb) ->
 # This checks the signature of a saml document and returns either array containing the signed data if valid, or null
 # if the signature is invalid. Comparing the result against null is NOT sufficient for signature checks as it doesn't
 # verify the signature is signing the important content, nor is it preventing the parsing of unsigned content.
-check_saml_signature = (_xml, certificate) ->
- # xml-crypto requires that whitespace is normalized as such:
- # https://github.com/yaronn/xml-crypto/commit/17f75c538674c0afe29e766b058004ad23bd5136#diff-5dfe38baf287dcf756a17c2dd63483781b53bf4b669e10efdd01e74bcd8e780aL69
- xml = _xml.replace(/\r\n?/g, '\n')
+check_saml_signature = (xml, certificate) ->
 doc = (new xmldom.DOMParser()).parseFromString(xml)
 # xpath failed to capture nodes of direct descendents of the root.
From cfb5ce43023bcabbc10ed6ff26ae8c70a24a01b4 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Fri, 14 Oct 2022 19:28:05 -0700
Subject: [PATCH 8/8] 4.0.0 Updates some dependencies. Closes #232, #234, #237, #240, #246, #248, #252.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index ac734d0..f2b6c8e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "saml2-js",
- "version": "3.1.0",
+ "version": "4.0.0",
 "description": "SAML 2.0 node helpers",
 "author": "Clever",
 "license": "Apache-2.0",
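Review bot: In `check_saml_signature` (lib/saml2.coffee, patch 7/8) line-ending handling now rests entirely on the parser and on xml-crypto, yet the new code carries no comment recording that dependency and the series adds no test that runs a CRLF-encoded signed document through this function. Because this is the signature gate, I would keep a short why-comment above the parse call, e.g. `# Line endings are normalized by @xmldom/xmldom (>= 0.8.0) and xml-crypto (>= 3.0.0); restore the replace() if either is swapped or downgraded`, and add a regression case in test/saml2.coffee whose input uses `\r\n`. The commit message itself says xml-encryption 2.0.0 does not normalize yet, and `^2.0.0` in package.json still admits that version, so the decrypted-assertion path is worth covering in the same test. The function body continues past the end of the hunk, so how `xml` is used after parsing cannot be checked from here.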