Fix transform processing regression #379
Conversation
Codecov Report
@@ Coverage Diff @@
## master #379 +/- ##
==========================================
+ Coverage 72.84% 72.98% +0.14%
==========================================
Files 9 9
Lines 880 881 +1
Branches 234 235 +1
==========================================
+ Hits 641 643 +2
Misses 149 149
+ Partials 90 89 -1
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
This is not exactly fix for regression but maybe there should be guard against situation where signature does not have any references. I.e. if this code block Lines 473 to 480 in 2e32d50 would have had something like this (in pseudo code) it would have prevented this ( #378 ) particular signature bypass situation in published versions [4.0.0, 4.1.0].
validateReferences(doc: Document) {
+ if ( ! Array.isArray(this.references) || this.references.length <= 0) {
+ throw new Error("Missing reference(s)");
+ // or return false ....
+ }
for (const ref of this.references) {
if (!this.validateReference(ref, doc)) {
return false;
}
}
return true;
} Links to spec: https://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-SignedInfo says:
and https://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-Reference says:
|
src/c14n-canonicalization.ts
Outdated
| @@ -171,7 +171,7 @@ export class C14nCanonicalization implements CanonicalizationOrTransformationAlg | |||
| if (xpath.isComment(node)) { | |||
| return this.renderComment(node); | |||
| } | |||
| if (xpath.isComment(node)) { | |||
| if (xpath.isComment(node) || xpath.isTextNode(node)) { | |||
There was a problem hiding this comment.
line 171 already handles xpath.isComment(node)
not related to regression bug: How this and other C14N implementations would handle XML CDATA sections (in which case node type might might be CDATA or something like that):
<library>
<book id="bookid">
<name><![CDATA[this & that < foo]]></name>
</book>
</library>instead of
<library>
<book id="bookid">
<name>this & that < foo</name>
</book>
</library>There was a problem hiding this comment.
Fixed.
Regarding CDATA, MDN clarifies that we should be handling more cases where there is a .data property: https://developer.mozilla.org/en-US/docs/Web/API/CharacterData
There was a problem hiding this comment.
I didn't like my original fix. There is no value in complicating the code just for the sake of types. I've used a different method for now and we can revisit types later on.
I like that suggestion. I wonder if @DiegoMajluf could help with a test or two for these cases. |
|
@cjbarth thanks for your work. I will make some test with my testing documents, I'm still facing some issues with the canonicalization. I will let you know. |
|
@cjbarth @srd90, I have tested PR 379 with some of my production documents, and all of them have passed successfully. Thank you very much once again. However, as I mentioned, I'm still encountering issues related to canonicalization (or transform algorithm; I'm not very clear on the difference yet). From what I've gathered so far, it seems to be connected to the presence or absence of namespace attributes on the root element. Nevertheless, I believe this might belongs to a different issue. I will create a new issue report when I can build a more specific situation. |
There was a bug introduced in the 4.x release of
xml-cryptowhereby transforms weren't added in all the cases they were supposed to.This includes code from the comment by @srd90.
Closes #378