Sanitize document.signed_element_id via prepared statement

Lordnibbler · Lordnibbler · commit 9d75c85d9a74 · 2015-01-23T10:44:47.000-08:00
- this prevents arbitrary code injection via eval/system etc
diff --git a/Gemfile b/Gemfile
@@ -18,4 +18,5 @@ group :test do
   gem "timecop",    "<= 0.6.0"
   gem "systemu",    "~> 2"
   gem "rspec",      "~> 2"
+  gem 'pry'
 end
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -184,8 +184,18 @@ def validate_response_state(soft = true)
       end
 
       def xpath_first_from_signed_assertion(subelt=nil)
-        node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
-        node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
+        node = REXML::XPath.first(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
         node
       end
 
diff --git a/test/response_test.rb b/test/response_test.rb
@@ -332,7 +332,7 @@ class RubySamlTest < Test::Unit::TestCase
           OneLogin::RubySaml::Attributes.single_value_compatibility = false
           assert_equal nil, response.attributes[:attribute_not_exists]
           assert_equal nil, response.attributes.single(:attribute_not_exists)
-          assert_equal nil, response.attributes.multi(:attribute_not_exists)          
+          assert_equal nil, response.attributes.multi(:attribute_not_exists)
           OneLogin::RubySaml::Attributes.single_value_compatibility = true
         end
 
@@ -368,5 +368,13 @@ class RubySamlTest < Test::Unit::TestCase
       end
     end
 
+    context '#xpath_first_from_signed_assertion' do
+      should 'not allow arbitrary code execution' do
+        malicious_response_document = fixture('response_eval', false)
+        response = OneLogin::RubySaml::Response.new(malicious_response_document)
+        response.send(:xpath_first_from_signed_assertion)
+        assert_equal($evalled, nil)
+      end
+    end
   end
 end
diff --git a/test/responses/response_eval.xml b/test/responses/response_eval.xml
@@ -0,0 +1,7 @@
+<saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:Reference URI="#x'] or eval('$evalled = true') or /[@ID='v"/>
+    </ds:SignedInfo>
+  </ds:Signature>
+</saml:Response>
