-
Notifications
You must be signed in to change notification settings - Fork 474
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bump xmldom to 0.5.x since all lower versions have security issue #551
Conversation
Is there already release scheduled to get this change online? |
@gugu are there any blockers to merging this into a 2.x release? |
The head of |
I created a branch v2.x on my forked repo then open this PR #552 I think a maintainer will have to create a v2.x branch on this repo? Let me know if I can help. Thanks |
You have to create the PR against the commit you want to fork off of, for example, the latest 2.x tag. You created that PR to merge against |
Just wanted to know was this vulnerability exploitable in passport saml? I am going through https://mattermost.com/blog/securing-xml-implementations-across-the-web/. It seems like we need a round trip so that the signature is validated against different input and email is from different. Do we do that in passport-saml? cc @gugu |
@meetsuraj No one has reported that the vuln was exploitable through passport-saml. You are welcome to test yourself. |
I can confirm we are parsing data we have serialized ourselves, so it could very well be exploitable. Same for the new xmldom issue. Short term we should update xmldom whenever it's possible. Longer term we should avoid parsing anything we produced. I have plans, but it's a bit of work ;) |
FYI: The latest version of XMLDOM is: |
This update has already been made @catamphetamine : https://github.com/node-saml/node-saml/blob/42589290ecb3f800e5129d5d1a49eabf8b2026ae/package.json#L54 |
Description
xmldom versions <= 0.4.0 have security issue. Update xmldom dependency to 0.5.x and bump package version.
More information: GHSA-h6q6-9hqw-rwfv
After this fix as been merged, a new version of passport-saml should be released to npm.