#6 Added OIOSAML 1.7.9 upstream changes for xml injection mitigation,…
… needs tested
i8beef committed Aug 31, 2016
1 parent f7ee42b commit 7440365
Showing 27 changed files with 45 additions and 45 deletions.
8 changes: 4 additions & 4 deletions src/SAML2.Tests/AssertionUtil.cs
Expand Up @@ -35,7 +35,7 @@ public static XmlDocument ConvertAssertionToXml(Assertion assertion)
throw new ArgumentNullException("assertion");
}

var res = new XmlDocument { PreserveWhitespace = true };
var res = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
res.Load(new StringReader(Serialization.SerializeToXmlString(assertion)));

return res;
Expand Down Expand Up @@ -213,7 +213,7 @@ public static X509Certificate2 GetCertificate()
/// <returns>The XML document.</returns>
public static XmlDocument GetTestAssertion()
{
var res = new XmlDocument { PreserveWhitespace = true };
var res = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
res.Load(new StringReader(Serialization.SerializeToXmlString(GetBasicAssertion())));

return res;
Expand Down Expand Up @@ -271,7 +271,7 @@ public static XmlDocument LoadXmlDocument(string assertionFile)
{
using (var fs = File.OpenRead(assertionFile))
{
var document = new XmlDocument { PreserveWhitespace = true };
var document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
document.Load(fs);
fs.Close();

Expand All @@ -289,7 +289,7 @@ public static XmlDocument LoadBase64EncodedXmlDocument(string assertionFile)
var assertionBase64 = File.ReadAllText(@"Assertions\fobs-assertion2");
var assertionBytes = Convert.FromBase64String(assertionBase64);

var document = new XmlDocument { PreserveWhitespace = true };
var document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
document.Load(new MemoryStream(assertionBytes));

return document;
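Review bot: The `XmlResolver = null` initializer is repeated by hand at every `new XmlDocument` in this commit, starting with the four loaders in this file, so a construction site added later can miss it without anything failing. A single factory, for example a static `CreateXmlDocument(bool preserveWhitespace)` kept next to `Serialization`, would hold the hardening in one place. The commit title says the change still needs testing; a test that loads a fixture containing a DOCTYPE with an external reference and asserts that nothing is resolved would pin the behaviour. The method bodies in this section begin or end outside the hunks shown.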
6 changes: 3 additions & 3 deletions src/SAML2.Tests/EncryptedAssertionUtil.cs
Expand Up @@ -21,8 +21,8 @@ public class EncryptedAssertionUtil
/// <param name="file">The file.</param>
public static void DecryptAssertion(string file)
{
var doc = new XmlDocument();
doc.Load(file);
var doc = new XmlDocument { XmlResolver = null };
doc.Load(file);
var encryptedDataElement = GetElement(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc, doc);

var encryptedData = new EncryptedData();
Expand Down Expand Up @@ -66,7 +66,7 @@ public static void DecryptAssertion(string file)
var encryptedXml = new EncryptedXml();
var plaintext = encryptedXml.DecryptData(encryptedData, symmetricKey);

var assertion = new XmlDocument();
var assertion = new XmlDocument { XmlResolver = null };
assertion.Load(new StringReader(System.Text.Encoding.UTF8.GetString(plaintext)));

// A very simple test to ensure that there is indeed an assertion in the plaintext.
4 changes: 2 additions & 2 deletions src/SAML2.Tests/PingCompatibilityTest.cs
Expand Up @@ -23,12 +23,12 @@ public class PingCompatibilityTest
public void DecryptPingAssertion()
{
// Load the assertion
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
doc.Load(File.OpenRead(@"c:\tmp\pingassertion.txt"));

var xe = GetElement(EncryptedAssertion.ElementName, Saml20Constants.Assertion, doc);

var doc2 = new XmlDocument();
var doc2 = new XmlDocument { XmlResolver = null };
doc2.AppendChild(doc2.ImportNode(xe, true));

var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
6 changes: 3 additions & 3 deletions src/SAML2.Tests/Saml20AssertionTests.cs
Expand Up @@ -44,7 +44,7 @@ public void AddAttribute()
// Verify that the modified assertion can survive complete serialization and deserialization.
var assertionString = assertion.GetXml().OuterXml;

var deserializedAssertionDoc = new XmlDocument { PreserveWhitespace = true };
var deserializedAssertionDoc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
deserializedAssertionDoc.Load(new StringReader(assertionString));

var deserializedAssertion = new Saml20Assertion(deserializedAssertionDoc.DocumentElement, null, false);
Expand Down Expand Up @@ -124,7 +124,7 @@ public void ThrowsExceptionWhenXmlAttributeStatementAttributeAnyAttrUnqualified(
var attributeStatments = (AttributeStatement)statements.Find(x => x is AttributeStatement);
var attribute = (SamlAttribute)attributeStatments.Items[0];

var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
attribute.AnyAttr = new[] { doc.CreateAttribute(string.Empty, "Nonqualified", string.Empty) };

saml20Assertion.Items = statements.ToArray();
Expand All @@ -145,7 +145,7 @@ public void ThrowsExceptionWhenXmlAttributeStatementAttributeAnyAttrSamlQualifie
var attributeStatments = (AttributeStatement)statements.Find(x => x is AttributeStatement);
var attribute = (SamlAttribute)attributeStatments.Items[0];

var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
saml20Assertion.Items = statements.ToArray();

foreach (var samlns in Saml20Constants.SamlNamespaces)
6 changes: 3 additions & 3 deletions src/SAML2.Tests/Saml20MetadataDocumentTests.cs
Expand Up @@ -26,7 +26,7 @@ public class ConstructorMethod
public void CanExtractCertificates()
{
// Arrange
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.Load(@"Protocol\MetadataDocs\metadata-ADLER.xml");

// Act
Expand All @@ -53,7 +53,7 @@ public void CanExtractCertificates()
public void CanExtractEndpoints()
{
// Arrange
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.Load(@"Protocol\MetadataDocs\metadata-ADLER.xml");

// Act
Expand Down Expand Up @@ -88,7 +88,7 @@ public void SignsXml()

// Act
var metadata = doc.ToXml();
var document = new XmlDocument { PreserveWhitespace = true };
var document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
document.LoadXml(metadata);
var result = XmlSignatureUtils.CheckSignature(document);

2 changes: 1 addition & 1 deletion src/SAML2.Tests/SignatureTest.cs
Expand Up @@ -227,7 +227,7 @@ private static XmlDocument LoadDocument(string assertionFile)
{
using (var fs = File.OpenRead(assertionFile))
{
var document = new XmlDocument { PreserveWhitespace = true };
var document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
document.Load(fs);
fs.Close();

2 changes: 1 addition & 1 deletion src/SAML2.Tests/Utils/XmlSignatureUtilsTest.cs
Expand Up @@ -21,7 +21,7 @@ private static XmlDocument LoadDocument(string assertionFile)
{
using (var fs = File.OpenRead(assertionFile))
{
var document = new XmlDocument { PreserveWhitespace = true };
var document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
document.Load(fs);
fs.Close();

Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ public void ThrowsExceptionWhenKeyInfoConfirmationDataHasNoElementsWithCorrectNa
// Arrange
var subjectConfirmationData = new KeyInfoConfirmationData();
subjectConfirmationData.Recipient = "urn:wellformed.uri:ok";
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
subjectConfirmationData.AnyElements = new[] { doc.CreateElement("ds", "KeyInfo", "http://wrongNameSpace.uri") };

var validator = new Saml20SubjectConfirmationDataValidator();
Expand All @@ -62,7 +62,7 @@ public void ThrowsExceptionWhenKeyInfoConfirmationDataHasNoElementsWithValidKeyN
{
// Arrange
var subjectConfirmationData = new KeyInfoConfirmationData { Recipient = "urn:wellformed.uri:ok" };
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
var elem = doc.CreateElement("ds", "KeyInfo", "http://wrongNameSpace.uri");
elem.AppendChild(doc.CreateElement("ds", "KeyName", Saml20Constants.Xmldsig));

Expand All @@ -83,7 +83,7 @@ public void ThrowsExceptionWhenKeyInfoConfirmationDataSubElementHasNoChildren()
{
// Arrange
var subjectConfirmationData = new KeyInfoConfirmationData { Recipient = "urn:wellformed.uri:ok" };
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
subjectConfirmationData.AnyElements = new[] { doc.CreateElement("ds", "KeyInfo", Saml20Constants.Xmldsig) };

var validator = new Saml20SubjectConfirmationDataValidator();
Expand Down Expand Up @@ -148,7 +148,7 @@ public void ValidatesKeyInfoConfirmationData()
{
// Arrange
var subjectConfirmationData = new KeyInfoConfirmationData { Recipient = "urn:wellformed.uri:ok" };
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
var elem = doc.CreateElement("ds", "KeyInfo", Saml20Constants.Xmldsig);
elem.AppendChild(doc.CreateElement("lalala"));

Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ public void ValidatesSubjectConfirmationData_Method_HolderOfKey_Valid()
Method = Saml20Constants.SubjectConfirmationMethods.HolderOfKey,
SubjectConfirmationData = new SubjectConfirmationData()
};
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
var elem = doc.CreateElement("ds", "KeyInfo", Saml20Constants.Xmldsig);
elem.AppendChild(doc.CreateElement("lalala"));

2 changes: 1 addition & 1 deletion src/SAML2/Bindings/HttpPostBindingParser.cs
Expand Up @@ -43,7 +43,7 @@ public HttpPostBindingParser(HttpContext context)

Message = Encoding.UTF8.GetString(Convert.FromBase64String(base64));

Document = new XmlDocument { PreserveWhitespace = true };
Document = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
Document.LoadXml(Message);
}

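Review bot: Setting `XmlResolver = null` on `Document` stops external entity and DTD fetches, but as far as I know `LoadXml(Message)` still parses an inline DOCTYPE, so internal entity expansion in the Base64-decoded POST body is not ruled out by this change. SAML messages never need a DTD, so the message could be read through a reader that rejects one: `using (var reader = XmlReader.Create(new StringReader(Message), new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null })) { Document.Load(reader); }`. The same applies to the other sites in this commit that parse peer-supplied XML: `LoadSamlMessage` in HttpSOAPBindingParser.cs, `GetDecodedSamlResponse` in Saml20SignonHandler.cs and `Decrypt` in Saml20EncryptedAssertion.cs. The constructor body starts outside the hunk.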
2 changes: 1 addition & 1 deletion src/SAML2/Bindings/HttpSOAPBindingBuilder.cs
Expand Up @@ -121,7 +121,7 @@ public Stream GetResponse(string endpoint, string message, HttpAuthElement auth)
Console.WriteLine(response);
reqChannel.Close();

var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.Load(response.GetReaderAtBodyContents());
var outerXml = doc.DocumentElement.OuterXml;
var memStream = new MemoryStream(Encoding.UTF8.GetBytes(outerXml));
4 changes: 2 additions & 2 deletions src/SAML2/Bindings/HttpSOAPBindingParser.cs
Expand Up @@ -144,7 +144,7 @@ protected void LoadSamlMessage()
var reader = new StreamReader(InputStream);
SoapEnvelope = reader.ReadToEnd();

var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(SoapEnvelope);

var soapBody = (XmlElement)doc.GetElementsByTagName(SoapConstants.SoapBody, SoapConstants.SoapNamespace)[0];
Expand All @@ -159,7 +159,7 @@ protected void LoadSamlMessage()
/// <returns>True if the signature is valid, else false.</returns>
private bool CheckSignature(AsymmetricAlgorithm key)
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(SamlMessage.OuterXml);

return XmlSignatureUtils.CheckSignature(doc, key);
4 changes: 2 additions & 2 deletions src/SAML2/Config/IdentityProviderCollection.cs
Expand Up @@ -201,7 +201,7 @@ private static XmlDocument ParseGenevaServerMetadata(XmlDocument doc)
throw new ArgumentException("DocumentElement cannot be null", "doc");
}

var other = new XmlDocument { PreserveWhitespace = true };
var other = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
other.LoadXml(doc.OuterXml);

foreach (var node in other.DocumentElement.ChildNodes.Cast<XmlNode>().Where(node => node.Name != IdpSsoDescriptor.ElementName).ToList())
Expand Down Expand Up @@ -265,7 +265,7 @@ private List<Encoding> GetEncodings()
/// <returns>The XML document.</returns>
private XmlDocument LoadFileAsXmlDocument(string filename)
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };

try
{
2 changes: 1 addition & 1 deletion src/SAML2/Protocol/Saml20SignonHandler.cs
Expand Up @@ -259,7 +259,7 @@ private static XmlDocument GetDecodedSamlResponse(HttpContext context, Encoding

var base64 = context.Request.Params["SAMLResponse"];

var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
var samlResponse = encoding.GetString(Convert.FromBase64String(base64));
doc.LoadXml(samlResponse);

2 changes: 1 addition & 1 deletion src/SAML2/Saml20ArtifactResolve.cs
Expand Up @@ -90,7 +90,7 @@ public static Saml20ArtifactResolve GetDefault()
/// <returns>The XML document.</returns>
public XmlDocument GetXml()
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(_artifactResolve));

return doc;
2 changes: 1 addition & 1 deletion src/SAML2/Saml20ArtifactResponse.cs
Expand Up @@ -100,7 +100,7 @@ public static Saml20ArtifactResponse GetDefault()
/// <returns>The XML document.</returns>
public XmlDocument GetXml()
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(_artifactResponse));

return doc;
2 changes: 1 addition & 1 deletion src/SAML2/Saml20Assertion.cs
Expand Up @@ -439,7 +439,7 @@ public void Sign(X509Certificate2 cert)
signatureParentNode.RemoveChild(sigNode);
}

var assertionDocument = new XmlDocument();
var assertionDocument = new XmlDocument { XmlResolver = null };
assertionDocument.Load(new StringReader(Serialization.SerializeToXmlString(XmlAssertion)));

AddSignature(assertionDocument, cert);
2 changes: 1 addition & 1 deletion src/SAML2/Saml20AttributeQuery.cs
Expand Up @@ -180,7 +180,7 @@ public void PerformQuery(HttpContext context, IdentityProviderElement endPoint,
_attrQuery.Subject.Items = new object[] { name };
_attrQuery.SamlAttribute = _attributes.ToArray();

var query = new XmlDocument();
var query = new XmlDocument { XmlResolver = null };
query.LoadXml(Serialization.SerializeToXmlString(_attrQuery));

XmlSignatureUtils.SignDocument(query, Id);
2 changes: 1 addition & 1 deletion src/SAML2/Saml20AuthnRequest.cs
Expand Up @@ -252,7 +252,7 @@ public static Saml20AuthnRequest GetDefault()
/// <returns>The request XML.</returns>
public XmlDocument GetXml()
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(Request));

return doc;
6 changes: 3 additions & 3 deletions src/SAML2/Saml20EncryptedAssertion.cs
Expand Up @@ -158,7 +158,7 @@ public void Decrypt()
var encryptedXml = new EncryptedXml();
var plaintext = encryptedXml.DecryptData(encryptedData, sessionKey);

Assertion = new XmlDocument { PreserveWhitespace = true };
Assertion = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
try
{
Assertion.Load(new StringReader(Encoding.UTF8.GetString(plaintext)));
Expand Down Expand Up @@ -210,7 +210,7 @@ public void Encrypt()
// Create an empty EncryptedAssertion to hook into.
var encryptedAssertion = new EncryptedAssertion { EncryptedData = new Schema.XEnc.EncryptedData() };

var result = new XmlDocument();
var result = new XmlDocument { XmlResolver = null };
result.LoadXml(Serialization.SerializeToXmlString(encryptedAssertion));

var encryptedDataElement = GetElement(Schema.XEnc.EncryptedData.ElementName, Saml20Constants.Xenc, result.DocumentElement);
Expand All @@ -236,7 +236,7 @@ public void LoadXml(XmlElement element)
{
CheckEncryptedAssertionElement(element);

_encryptedAssertion = new XmlDocument();
_encryptedAssertion = new XmlDocument { XmlResolver = null };
_encryptedAssertion.AppendChild(_encryptedAssertion.ImportNode(element, true));
}

2 changes: 1 addition & 1 deletion src/SAML2/Saml20LogoutRequest.cs
Expand Up @@ -127,7 +127,7 @@ public static Saml20LogoutRequest GetDefault()
/// <returns>The request XML.</returns>
public XmlDocument GetXml()
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(Request));

return doc;
2 changes: 1 addition & 1 deletion src/SAML2/Saml20LogoutResponse.cs
Expand Up @@ -87,7 +87,7 @@ public string StatusCode
/// <returns>The XML document.</returns>
public XmlDocument GetXml()
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(Response));
return doc;
}
2 changes: 1 addition & 1 deletion src/SAML2/Saml20MetadataDocument.cs
Expand Up @@ -312,7 +312,7 @@ public string ToXml()
/// <returns>The XML.</returns>
public string ToXml(Encoding encoding)
{
var doc = new XmlDocument { PreserveWhitespace = true };
var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(Entity));

// Add the correct encoding to the head element.
2 changes: 1 addition & 1 deletion src/SAML2/Schema/XmlDSig/KeyInfo.cs
Expand Up @@ -96,7 +96,7 @@ public class KeyInfo
public static explicit operator System.Security.Cryptography.Xml.KeyInfo(KeyInfo ki)
{
var result = new System.Security.Cryptography.Xml.KeyInfo();
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
doc.LoadXml(Serialization.SerializeToXmlString(ki));
if (doc.DocumentElement != null)
{
2 changes: 1 addition & 1 deletion src/SAML2/Schema/XmlDSig/SignatureMethod.cs
Expand Up @@ -28,7 +28,7 @@ public class SignatureMethod
/// Gets or sets the algorithm.
/// </summary>
/// <value>The algorithm.</value>
[XmlAttribute("Algorithm", DataType = "anyURI")]
[XmlAttribute("v", DataType = "anyURI")]
public string Algorithm { get; set; }

#endregion
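Review bot: The attribute name on the `Algorithm` property changes from `"Algorithm"` to `"v"` in this section, which looks like a stray edit rather than part of the resolver hardening (assuming the second printed line is the new side). With `[XmlAttribute("v", DataType = "anyURI")]` the serializer would write and read a `v` attribute, so the XML-DSig `Algorithm` attribute would no longer round-trip and a deserialized `SignatureMethod.Algorithm` would presumably stay null. Any code that inspects the signature algorithm through this schema type would then see no value. The line should remain `[XmlAttribute("Algorithm", DataType = "anyURI")]`. The class continues outside the hunk.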
2 changes: 1 addition & 1 deletion src/SAML2/Utils/Serialization.cs
Expand Up @@ -76,7 +76,7 @@ public static XmlDocument Serialize<T>(T item)
Serialize(item, stream);

// create the XmlDocument to return
var doc = new XmlDocument();
var doc = new XmlDocument { XmlResolver = null };
stream.Seek(0, SeekOrigin.Begin);
doc.Load(stream);
