Merge branch 'master' into remove-deprecated-dependency-querystring

auth0 · Feb 27, 2024 · c0eb530 · c0eb530
2 parents 5e7ade8 + 7158002
commit c0eb530
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 21 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,15 +1,20 @@
 name: Semgrep
+
 on:
-  pull_request: {}
+  pull_request_target: {}
   push:
-     branches: ["master"] 
+    branches: ["master", "main"]
+permissions:
+  contents: read
 jobs:
   semgrep:
     name: Scan
     runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
     if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
     steps:
-      - uses: actions/checkout@v2
-      - uses: returntocorp/semgrep-action@v1
-        with:
-          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+      - uses: actions/checkout@v3
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [7.1.1](https://github.com/auth0/node-samlp/compare/v7.1.0...v7.1.1) (2023-11-20)
+
+
+### Bug Fixes
+
+* support signed logout response sent via POST ([#140](https://github.com/auth0/node-samlp/issues/140)) ([5274d62](https://github.com/auth0/node-samlp/commit/5274d622b1f4cca04790dcf2acf83840c0b592c6))
+
 ## [7.1.0](https://github.com/auth0/node-samlp/compare/v7.0.2...v7.1.0) (2023-07-24)
 
 

diff --git a/lib/utils.js b/lib/utils.js
@@ -184,11 +184,12 @@ module.exports.validateSignature = validateSignature;
 function validateSignature(req, element_type, xml, options) {
   const type = constants.ELEMENTS[element_type].PROP;
 
-  const isRequestSigned = !options.deflate ?
+  const isPostOrWithoutDeflate = (req.body && req.body[type]) || !options.deflate;
+  const isRequestSigned = isPostOrWithoutDeflate ?
     xpath.select(options.signaturePath || constants.ELEMENTS[element_type].SIGNATURE_VALIDATION_PATH, xml).length > 0 : !!req.query.Signature;
 
   if (isRequestSigned) {
-    if ((req.body && req.body[type]) || !options.deflate) {
+    if (isPostOrWithoutDeflate) {
       // HTTP-POST or HTTP-Redirect without deflate encoding
       const validationErrors = signers.validateXmlEmbeddedSignature(xml, options);
       if (validationErrors && validationErrors.length > 0) {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "samlp",
-  "version": "7.1.0",
+  "version": "7.1.1",
   "engines": {
     "node": ">=12"
   },

diff --git a/test/fixture/signed_response.js b/test/fixture/signed_response.js
diff --git a/test/utils.tests.js b/test/utils.tests.js
@@ -1,24 +1,45 @@
-const timekeeper = require('timekeeper');
-const expect = require('chai').expect;
+const timekeeper = require("timekeeper");
+const DOMParser = require("@auth0/xmldom").DOMParser;
+const expect = require("chai").expect;
 
-const utils = require('../lib/utils');
+const utils = require("../lib/utils");
 
-describe('utils', function () {
-  describe('generateInstant', function () {
-    it('should pad the millis appropriately', function () {
+const signedResponse = require("./fixture/signed_response");
+
+describe("utils", function () {
+  describe("generateInstant", function () {
+    it("should pad the millis appropriately", function () {
       timekeeper.withFreeze(0, () => {
-        expect(utils.generateInstant()).to.equal('1970-01-01T00:00:00.000Z');
+        expect(utils.generateInstant()).to.equal("1970-01-01T00:00:00.000Z");
       });
     });
   });
-  describe('generateUniqueID', function() {
-    it('should generate an ID 20 chars long', function() {
+  describe("generateUniqueID", function () {
+    it("should generate an ID 20 chars long", function () {
       expect(utils.generateUniqueID().length).to.equal(20);
     });
   });
-  describe('generateUniqueID', function() {
-    it('should generate an ID from the alphabet', function() {
-      expect('abcdef0123456789'.split('')).to.include.members(utils.generateUniqueID().split(''));
+  describe("generateUniqueID", function () {
+    it("should generate an ID from the alphabet", function () {
+      expect("abcdef0123456789".split("")).to.include.members(
+        utils.generateUniqueID().split("")
+      );
+    });
+  });
+  describe("validateSignature", function () {
+    describe("with custom signing certificate", function () {
+      it("should validate the signature correctly", function () {
+        const response = signedResponse.response;
+
+        const req = { body: { SAMLResponse: response }, query: {} };
+        const element_type = "LOGOUT_RESPONSE";
+        const xml = new DOMParser().parseFromString(signedResponse.xml);
+        const options = { signingCert: signedResponse.cert, deflate: true };
+
+        // should not throw errors
+        expect(utils.validateSignature(req, element_type, xml, options)).to.be
+          .undefined;
+      });
     });
   });
 });