Skip to content
This repository was archived by the owner on May 22, 2023. It is now read-only.

ls-29145 merge upstream #13

Open
wants to merge 182 commits into
base: master
Choose a base branch
from
Open

ls-29145 merge upstream #13

wants to merge 182 commits into from

Conversation

@mattcobb
Copy link

Sink with upstream saml to get fix for vuln CVE-2020-7711 in goxmldsig

Donald Hoelle and others added 30 commits June 15, 2017 17:28
bugfix: New sometimes selected the wrong EntityDescriptor when parsin…
9b49e7d 
…g a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag
@umayr
Add syntax highlight
6ab3142
@dustin-decker
expose CookieMaxAge in samlsp Options
aa4e43f
@crewjam
Merge pull request crewjam#96 from umayr/master
9477cf4 
Add syntax highlight
@BryceDFisher @crewjam
Enable persistent name id format (crewjam#107)
aa1c598 
* Enable persistent name id format
@crewjam
Merge branch 'pr90'
54c5d5a
@crewjam
Merge branch 'pr115'
a6e02ca
@sevki @crewjam
add ability to set the domain for the cookies (crewjam#95)
56801ab
@crewjam
Fixed script hash to remove JS console errors when redirecting (crewj…
50777a1 
…am#117)

@RichardKnop PR#94
@dustin-decker @crewjam
saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (
bb12e77 
…crewjam#116)
@dustin-decker @crewjam
Use dep package manager (crewjam#114)
5098b49 
* use dep package manager
* updated travis
@ptman @crewjam
Fix example code so that it compiles (crewjam#118)
febc398
@dustin-decker @crewjam
expose ForceAuthn (crewjam#119)
5e89d54
@crewjam
fix validUntil in SPSSODescriptor
bbf4ae9 
fixes crewjam#123
@beyang @crewjam
samlsp.Middleware.SecureCookie option (crewjam#128)
61c0584
@crewjam
remove cruft
90a8ae8
@crewjam
update README
f33bc82
@crewjam
fix some minor lint / style errors
b1cfb79
@orisano @crewjam
samlsp: use current time for the JWT rather than the IssueInstant fro…
804bf46 
…m the assertion (crewjam#130)

fixes crewjam#122

jwt-go not support leeway parameter
@crewjam
travis cleanup: remove older go versions (crewjam#132)
e9d713d
@crewjam
samlsp: remove X-Saml headers in favor of attaching Claims to request…
c9c2cbc 
… context (crewjam#131)
@crewjam
samlsp: move the setting and reading of cookies into an interface (cr…
f5e68a0 
…ewjam#133)

We’ve had a bunch of changes requesting the ability to customize
how cookies are set and it is getting a little messy. This change
moves the code to setting and reading cookies into two interfaces
which you can extend/customize.
@crewjam
add field to IdpAuthnRequest so you can externally control the “curre…
16d16c2 
…nt” time (crewjam#136)

The default is obviously the current time, but for various reasons you may wish to evaluate the
response at a different reference time, for example processing a response that has been deferred.

We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently.
@crewjam
idp: handle assertions where no ACS url is specified (crewjam#139)
794aa92
@crewjam
add test cases for SAML comment injection (crewjam#140)
814d1d9 
ref: CVE-2017-11427
ref: CVE-2017-11428
ref: CVE-2017-11429
ref: CVE-2017-11430
ref: CVE-2018-0489
ref: CVE-2018-7340
ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
@crewjam
Update PGP key in README.md
e231b7a
@crewjam
make MaxIssueDelay configurable at runtime (mini-hack)
d6cac45
@dherbst @crewjam
Remove the default xmlns from the expected output because the encoder…
eefba21 
… does not reset the default. Should resolve the test for issue 152. (crewjam#158)
@dherbst @crewjam
Added Travis badge (crewjam#159)
8f169cc
@dherbst @crewjam
Fixed some typos in the README.md file. (crewjam#160)
61e52e7
crewjam and others added 28 commits March 25, 2021 09:31
@crewjam
update README (crewjam#340)
c090542 
fixes crewjam#333
@github-actions @web-flow
Update go.mod (crewjam#342)
bd15f54 
* upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2

Co-authored-by: Github Actions <[email protected]>
@github-actions @crewjam
Update go.mod (crewjam#343)
af97bd2 
Co-authored-by: crewjam <[email protected]>
@KuangEleven
Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (cre…
0f63feb 
…wjam#344)

* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go.

dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422).

form3tech-oss/jwt-go is a fork that has fixed the vulnerability.
@dependabot-preview
Upgrade to GitHub-native Dependabot (crewjam#346)
b115a40 
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
@eest
Make SP check more certs in IDP metadata (crewjam#353)
29c6295 
From
https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf
```
[E62]A use value of "signing" means that the contained key information is applicable to both signing
and TLS/SSL operations performed by the entity when acting in the enclosing role.

A use value of "encryption" means that the contained key information is suitable for use in wrapping
encryption keys for use by the entity when acting in the enclosing role.

If the use attribute is omitted, then the contained key information is applicable to both of the above uses.
```

We need to include certificates both when they have a "use" attribute of
"signing" as well as when the "use" attribute is missing.

Fixes crewjam#352

SAML input from @simmel.
@jlourenc
Switch from github.com/form3tech-oss/jwt-go to github.com/golang-jwt/…
d321463 
…jwt/v4 (crewjam#383)

* Switch from github.com/form3tech-oss/jwt-go to github.com/golang-jwt/jwt/v4

* Fix tests for Go 1.17 and update CI accordingly
@heymagurany
Add the NotOnOrAfter optional attribute to <LogoutRequest> (crewjam#386)
324aadd
@antipopp
Updated the trivial example to handle a basic logout flow (crewjam#382)
23acdd2 
* add /logout to initiate SLO request

* fix

* unused package

* gofmt-ed
@bharat-p
Update github.com/russellhaering/goxmldsig to v1.1.1 to address CVE-2…
9627427 
…020-7711 (crewjam#391)
@OlfaKaroui
Service Provider support for aes128-gcm algorithm (crewjam#371)
2db94e7 
* Add support for aes128-gcm algorithm

* Pass nonce to encrypt function and add some tests
@heymagurany
Add XMLName field and xml tags to StatusMessage struct (crewjam#374)
0771d8f
@pheelee
added option defaultRedirectURI (crewjam#366)
d5716f6
@crewjam @davidv1992
artifact binding (crewjam#397)
71e1cdc 
* Implemented SP support for receiving authentication results via artifact
binding.

* update test expectations

Co-authored-by: David Venhoek <[email protected]>
@crewjam
make linter happy (crewjam#398)
cc1e81b
@dependabot
Bump github.com/google/go-cmp from 0.5.5 to 0.5.6 (crewjam#356)
8308fb0 
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.5...v0.5.6)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@crewjam @alexanderzobnin
metadata cert chain (crewjam#399)
60a32b3 
* Support multiple X509Certificate elements in X509Data

* Update test files

* Remove unnecessary comments

* add comments

Co-authored-by: Alexander Zobnin <[email protected]>
@dependabot
Bump github.com/golang-jwt/jwt/v4 from 4.1.0 to 4.2.0 (crewjam#401)
de675fd 
Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](golang-jwt/jwt@v4.1.0...v4.2.0)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@github-actions @web-flow
Update go.mod (crewjam#403)
c81ab81 
* upgrade golang.org/x/crypto from v0.0.0-20210322153248-0c34fe9e7dc2 to v0.0.0-20211215153901-e495a2d5b3d3

Co-authored-by: Github Actions <[email protected]>
@asvoboda
Move example packages to their own go module (crewjam#407)
e007e41 
Resolves crewjam#406
@dependabot
Bump github.com/google/go-cmp from 0.5.6 to 0.5.7 (crewjam#412)
cdfe90f 
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.5.6...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@github-actions @web-flow
Update go.mod (crewjam#409)
34d0298 
* upgrade golang.org/x/crypto from v0.0.0-20211215153901-e495a2d5b3d3 to v0.0.0-20220128200615-198e4374d7ed

Co-authored-by: Github Actions <[email protected]>
@dependabot
Bump github.com/golang-jwt/jwt/v4 from 4.2.0 to 4.4.1 (crewjam#430)
ebaef9a 
Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.2.0 to 4.4.1.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](golang-jwt/jwt@v4.2.0...v4.4.1)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@atezet
Allow to specify HTTPClient for SAML artifact resolution (crewjam#416)
224026c 
* Allow to specify HTTPClient for SAML artifact resolution

* go fmt
@atezet
Fix ArtifactResolve element and add tests for artifact binding (crewj…
d4ed82f 
…am#415)

* Fix ArtifactResolveElement and add tests

* goimports
@lakkiy
Fix: not enough arguments to call TransformExcC14n (crewjam#428)
00a79cc
@mattcobb
merge with upstream crewjam saml
013b833
@mattcobb
fix merge errors and put back aud as array
a90b6be
@mattcobb mattcobb changed the title ls-29145 goxmldsig vuln CVE-2020-7711 ls-29145 merge upstream and fix goxmldsig vuln CVE-2020-7711 Apr 29, 2022
@mattcobb mattcobb changed the title ls-29145 merge upstream and fix goxmldsig vuln CVE-2020-7711 ls-29145 merge upstream Apr 29, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.