Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent duplicate parsing and use async crypto #11

Merged
merged 4 commits into from
Feb 10, 2025
Merged

Prevent duplicate parsing and use async crypto #11

merged 4 commits into from
Feb 10, 2025

Conversation

elbuo8
Copy link

@elbuo8 elbuo8 commented Jan 23, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Describe the purpose of this PR along with any background information and the impacts of the proposed change. For the benefit of the community, please do not assume prior context.

Provide details that support your chosen implementation, including: breaking changes, alternatives considered, changes to the API, etc.

If the UI is being changed, please provide screenshots.

References

Include any links supporting this change such as a:

  • GitHub Issue/PR number addressed or fixed
  • Auth0 Community post
  • StackOverflow post
  • Support forum thread
  • Related pull requests/issues from other repos

If there are no references, simply delete this section.

Testing

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Also include details of the environment this PR was developed in (language/platform/browser version).

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

CharlesRea
CharlesRea reviewed Jan 24, 2025
View reviewed changes
lib/signed-xml.js Show resolved Hide resolved
lib/signed-xml.js Outdated
signer.verifySignature(signedInfoCanon, this.signingKey, this.signatureValue, (err, res) => {
if (err || !res) {
this.validationErrors.push("invalid signature: the signature value " +
this.signatureValue + " is incorrect")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be this.signatureValue.toString('base64') now we're using a buffer instead of string.

lib/signed-xml.js Show resolved Hide resolved
test/saml-response-test.js Show resolved Hide resolved
test/saml-response-test.js Show resolved Hide resolved
shane-tomlinson
shane-tomlinson reviewed Feb 4, 2025
View reviewed changes
lib/signed-xml.js Outdated

return true
return await this.validateSignatureValue(doc);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't strictly need the await here do you? Does it cause an extra entry on the micro task queue?

lib/signed-xml.js
signer.verifySignature(signedInfoCanon, this.signingKey, this.signatureValue, (err, res) => {
if (err || !res) {
this.validationErrors.push("invalid signature: the signature value " +
this.signatureValue.toString('base64') + " is incorrect")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for this function to be invoked when this.signatureValue is not defined or is null, which would cause toString to fail?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but you wouldn't. This function is meant to be an internal function of checkSignature.

Possible, yes, based on misuse.

lib/signed-xml.js
@@ -917,7 +923,7 @@ SignedXml.prototype.createSignature = function(prefix) {
prefix = '';
}

var signatureValueXml = "<" + prefix + "SignatureValue>" + this.signatureValue + "</" + prefix + "SignatureValue>"
var signatureValueXml = "<" + prefix + "SignatureValue>" + this.signatureValue.toString('base64') + "</" + prefix + "SignatureValue>"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for this.signatureValue to be undefined or null which would cause toString to fail?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to above. createSignature is an internal method of computeSignature. Note that the documentation is just the README for "public" methods but those are the ones meant to be used by consumers to have proper usage of the library.

@shane-tomlinson shane-tomlinson merged commit b7404a6 into auth0:c14n-line-endings Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shane-tomlinson shane-tomlinson shane-tomlinson approved these changes

@CharlesRea CharlesRea CharlesRea approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@elbuo8 @shane-tomlinson @CharlesRea