Releases: tngan/samlify
v2.4.0-rc1
Release Note
This is a pre-release version. We aim to make samlify installable across different platforms. After v2.3, we introduced a schema validation check for the response, as most SAML libraries do. However, it also caused a list of issues, reported in this discussion thread (#129). Therefore, starting from v2.4.0, we delegate the schema check to the Java runtime. We won't release v2.4 until it has been well tested.
yarn add samlify@2.4.0-rc1
For those who are using samlify in production, you can keep using samlify@2.3.8 until we release v2.4.0. We expect several more release candidates.
Included in this rc1 version:
v2.3.8
Release note:
#173 Fix the wrong property for name id format
#170 #176 Update documentation for breaking change of API >= 2.0
#174 Fix syntax error of type definition in libsaml module
#187 Use npm published package instead of github repo link
#190 Expose InResponseTo in parseLoginResponse extract (@benbabic)
9dc7460 Put type definitions back to dependencies list
1d78763 Update the testing scope of different node version
The current testing build for Node.js v10 is broken; we will seek a fix in the next release very soon.
v2.3.7
Release Note
#167 Upgrade to the latest stable release of node-forge (0.7.4) in order to get the fix for the CVE.
#153 (PR #161) Fix the empty reference URI (@wwindcloud)
Remarks:
For issue #167, xml-encryption also uses node-forge. However, since there has been no update since we sent the PR two weeks ago, we are forced to use a fork that upgrades node-forge to 0.7.4 first; once they merge the PR, we will change back to the official one.
https://github.com/tngan/samlify/blob/master/package.json#L45
v2.3.6
Release Note
#150 UTF-8 encoding for decoding response with special character (@kiejo)
Remarks:
The release policy is weekly: any pull requests merged and any commits for enhancements and bug fixes made within a week are grouped into one patch and released to the npm registry before 15:00 UTC on Friday.
v2.3.5
v2.3.4
v2.3.3
v2.3.0
Release Note
#119 Trim space in certificate string (7173238, contributed by @ahwitz)
#121 Response xsd schema validation (reported by @thijsschoonbrood)
Reference: https://www.whitehats.nl/blog/xml-signature-wrapping-samlify
This release includes a fix for a potential security risk reported by @thijsschoonbrood from WhiteHats B.V. All versions before samlify v2.2.0 basically accept any kind of response without schema validation, and the xpath we used to fetch the XML element is a relative path, so it could be exposed to a MITM attack of the following form:
<saml:NameID>evil@evil.com</saml:NameID>
<samlp:Response>
  <saml:Assertion>
    <saml:NameID>good@good.com</saml:NameID>
  </saml:Assertion>
</samlp:Response>
const { samlContent, extract } = await sp.parseLoginResponse(idp, 'post', req);
The parsed result in extract.nameid would be an array consisting of evil@evil.com and good@good.com. samlify is designed to parse essential fields and leave the validation to users, so a false nameid (or other sensitive field) can be accepted unless the validation is done properly on the developer side.
A test was added, and an error is expected to be thrown: Error: Element 'NameID': No matching global declaration available for the validation root.
The first approach is to add response XSD schema validation; the next step will be to refactor the usage of xpath and introduce common validations (#111, #126), such as time validation.
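As an added illustration of the relative-xpath problem described above (example code written for these notes, not samlify's own code): it uses Python's standard-library ElementTree in place of the xpath/xmldom libraries samlify uses, and both SAML documents are constructed, with the injected NameID placed inside the Response so that each sample is well-formed XML.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used in the constructed samples (standard SAML 2.0 URIs).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample 1: the injected NameID sits inside the Response but outside
# the Assertion, so the document stays well-formed (a single root element).
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID>evil@evil.com</saml:NameID>
  <saml:Assertion>
    <saml:NameID>good@good.com</saml:NameID>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2: a second NameID smuggled into the Assertion itself.
DOUBLED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:NameID>evil@evil.com</saml:NameID>
    <saml:NameID>good@good.com</saml:NameID>
  </saml:Assertion>
</samlp:Response>"""


def nameids_relative(xml_text):
    """Pre-fix behaviour: a descendant search ('.//', ElementTree's equivalent
    of a relative '//saml:NameID') returns every NameID anywhere in the tree."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.findall(".//saml:NameID", NS)]


def nameids_anchored(xml_text):
    """Path anchored at the Response root: only Response/Assertion/NameID."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    return [e.text for e in root.findall("./saml:Assertion/saml:NameID", NS)]


def extract_nameid(xml_text):
    """Hardened extraction: the anchored path must yield exactly one NameID.
    Returns that value, or None when the document is rejected."""
    ids = nameids_anchored(xml_text)
    return ids[0] if len(ids) == 1 else None
```

Anchoring the path removes the ambiguity shown above; it complements, rather than replaces, the response schema validation this release adds.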