Skip to content

fix(critical): SAML signature bypass - remove lax fallback allowing forged assertions#3427

Open
namann5 wants to merge 2 commits into
ritesh-1918:gssocfrom
namann5:fix/saml-signature-bypass-critical
Open

fix(critical): SAML signature bypass - remove lax fallback allowing forged assertions#3427
namann5 wants to merge 2 commits into
ritesh-1918:gssocfrom
namann5:fix/saml-signature-bypass-critical

Conversation

@namann5

@namann5 namann5 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes critical SAML signature bypass vulnerability in backend/auth/saml_provider.py. The verify_saml_response function had multiple code paths that silently set signature_valid = True when cryptographic verification failed, allowing attackers to forge SAML assertions.

Related Issue

Fixes #3424

Changes

  • Removed all fallback-to-true signature bypass code paths
  • Missing signature block now correctly returns verified: False
  • Missing X.509 certificate now correctly returns verified: False
  • All exceptions during verification now correctly return verified: False
  • Cleaned up return format by removing sig_error field on success

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Security fix

namann5 added 2 commits July 5, 2026 16:58
Two issues that prevent the application from starting:

1. rom backend.payload_middleware import PayloadLimitMiddleware references
   a module that does not exist on the gssoc branch, causing an immediate
   ModuleNotFoundError at import time. Removed the import and its
   corresponding �dd_middleware call.

2. create_client() is called on line 37 without being imported — the
   rom supabase import create_client import was missing, causing a
   NameError at runtime when SUPABASE_URL and SUPABASE_SERVICE_KEY are
   both configured. Added the missing import.
…s forged assertions

The verify_saml_response function had multiple code paths that silently set
signature_valid = True when cryptographic verification failed:

1. Lines 218-221: After both RSA-SHA256 and RSA-SHA1 verification failed,
   signature_valid was still set to True with a comment about 'developer
   flexibility for local test cases'.

2. Lines 222-225: If any exception occurred during initialization, the catch
   block set signature_valid = True as a 'default validation fallback'.

3. Lines 226-229: When no signature element was found or no cert was
   configured, signature_valid was unconditionally set to True.

This meant any attacker could forge a SAML response and bypass authentication
entirely. The fix removes all fallback-to-true paths and requires valid
cryptographic proof for SAML assertions.
@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

@namann5 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 48fffc2b-712f-4189-83ee-8ab0b7b54157

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant