Fix multi saml strategy race conditions #426
Conversation
|
thank you for this fix ! maybe want to provide a big warning for those still using < 1.3.3 packages from npm ? |
stavros-wb
force-pushed
the
fix_multisaml_race_conditions
branch
from
85c4adb to
a2ccde0
Compare
|
about
but that any subsequent request which happens concurrently to the login endpoint (not an extreme condition : ) will overwrite the saml client options making the call to authenticate() fail. |
|
Yes the simple manifestation of this bug (I agree not an extreme condition) will be an error on a user trying to login, but I don't consider this part of the Readme. There are other open issues as well, that aren't part of the Readme. The more dangerous manifestation of the bug (which I describe happens under extreme conditions) would be a wrong authentication, a sec vulnerability. I think we should document the false positives (more dangerous) and not the false negatives. WDYT? |
|
imho it should be considered a vulnerability since any user can DoS the login endpoint preventing any other user to authenticate |
stavros-wb
force-pushed
the
fix_multisaml_race_conditions
branch
from
a2ccde0 to
d84a8c6
Compare
|
amended |
|
@markstos PTAL |
|
Published in 1.3.4. |
* upstream: docs: remove badges broken by project rename. bump version to 1.3.5 deps: really bump xml-encryption for node-forge sub-dep upgrade to address vuln. docs: Update package.json / README to reflect site move. deps: bump xml-encryption to address node-forge sub-dep vuln. Update issue templates Update issue templates Bump lodash from 4.17.15 to 4.17.20 (node-saml#449) Bump acorn from 7.1.0 to 7.4.0 (node-saml#448) Return object for XML-valued AttributeValues (node-saml#447) Revert "doc: announce site move." (node-saml#446) doc: announce site move. add yarn-error.log to .gitignore bump version. Fix multi saml strategy race conditions (node-saml#426) v1.3.3 v1.3.2 # Conflicts: # .gitignore # README.md # package.json
* upstream: docs: remove badges broken by project rename. bump version to 1.3.5 deps: really bump xml-encryption for node-forge sub-dep upgrade to address vuln. docs: Update package.json / README to reflect site move. deps: bump xml-encryption to address node-forge sub-dep vuln. Update issue templates Update issue templates Bump lodash from 4.17.15 to 4.17.20 (node-saml#449) Bump acorn from 7.1.0 to 7.4.0 (node-saml#448) Return object for XML-valued AttributeValues (node-saml#447) Revert "doc: announce site move." (node-saml#446) doc: announce site move. add yarn-error.log to .gitignore bump version. Fix multi saml strategy race conditions (node-saml#426) v1.3.3 v1.3.2 # Conflicts: # .gitignore # README.md # package.json
#425