Merge branch 'master' into escape-strings-in-xml

Author: pitbulk

.github/workflows/maven.yml

@@ -0,0 +1,26 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: java-saml CI with Maven
+
+on: [push, pull_request]
+
+jobs:
+  test:
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        java: [ '8', '11' ]
+        os: [ 'ubuntu-latest' ]
+    name: Java ${{ matrix.Java }} (${{ matrix.os }})
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Java
+      uses: actions/setup-java@v2
+      with:
+        distribution: 'adopt'
+        java-version: ${{ matrix.java }}
+    - name: Maven Test
+      run: mvn --batch-mode clean verify org.jacoco:jacoco-maven-plugin:report

.nvd-suppressions.xml

@@ -1,3 +1,52 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+  <suppress>
+    <notes><![CDATA[
+    file name: simple-xml-2.7.1.jar
+    ]]></notes>
+    <sha1>dd91fb744c2ff921407475cb29a1e3fee397d411</sha1>
+    <cve>CVE-2017-1000190</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: guava-19.0.jar
+    ]]></notes>
+    <sha1>6ce200f6b23222af3d8abb6b6459e6c44f4bb0e9</sha1>
+    <cve>CVE-2018-10237</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: guava-19.0.jar
+    ]]></notes>
+    <sha1>6ce200f6b23222af3d8abb6b6459e6c44f4bb0e9</sha1>
+    <cve>CVE-2020-8908</cve>
+  </suppress> 
+  <suppress>
+    <notes><![CDATA[
+    file name: lang-tag-1.5.jar
+    ]]></notes>
+    <sha1>7e82e3c4c593f85addf4bd209abde4f8ff933a07</sha1>
+    <cve>CVE-2020-29242</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: lang-tag-1.5.jar
+    ]]></notes>
+    <sha1>7e82e3c4c593f85addf4bd209abde4f8ff933a07</sha1>
+    <cve>CVE-2020-29243</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: lang-tag-1.5.jar
+    ]]></notes>
+    <sha1>7e82e3c4c593f85addf4bd209abde4f8ff933a07</sha1>
+    <cve>CVE-2020-29244</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+    file name: lang-tag-1.5.jar
+    ]]></notes>
+    <sha1>7e82e3c4c593f85addf4bd209abde4f8ff933a07</sha1>
+    <cve>CVE-2020-29245</cve>
+ </suppress>
 </suppressions>

README.md

@@ -72,6 +72,13 @@ In production, the **onelogin.saml2.strict** setting parameter MUST be set as **
 
 In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
+The IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed. 
+
+Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
+
+But there are other scenarios, like a SAAS app where the administrator of the app delegates this functionality to other users. In this case, extra precaution should be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
+
 ## Installation
 ### Hosting
 #### Github
@@ -355,6 +362,15 @@ onelogin.saml2.security.digest_algorithm = http://www.w3.org/2001/04/xmlenc#sha2
 # Reject Signatures with deprecated algorithms (sha1)
 onelogin.saml2.security.reject_deprecated_alg = true
 
+# Enable trimming of parsed Name IDs and attribute values
+# SAML specification states that no trimming for string elements should be performed, so no trimming will be
+# performed by default on extracted Name IDs and attribute values. However, some SAML implementations may add
+# undesirable surrounding whitespace when outputting XML (possibly due to formatting/pretty-printing).
+# These two options allow to optionally enable value trimming on extracted Name IDs (including issuers) and 
+# attribute values.
+onelogin.saml2.parsing.trim_name_ids = false
+onelogin.saml2.parsing.trim_attribute_values = false
+
 # Organization
 onelogin.saml2.organization.name = SP Java 
 onelogin.saml2.organization.displayname = SP Java Example
@@ -433,10 +449,10 @@ The AuthNRequest will be sent signed or unsigned based on the security settings
 
 The IdP will then return the SAML Response to the user's client. The client is then forwarded to the Attribute Consumer Service of the SP with this information.
 
-We can set a 'returnTo' url parameter to the login function and that will be converted as a 'RelayState' parameter:
+We can set a 'RelayState' parameter containing a return url to the login function:
 ```
-String targetUrl = 'https://example.com';
-auth.login(returnTo=targetUrl)
+String returnUrl = 'https://example.com';
+auth.login(relayState=returnUrl)
 ```
 The login method can receive 6 more optional parameters:
 - *forceAuthn* When true the AuthNRequest will have the 'ForceAuthn' attribute set to 'true'
@@ -605,10 +621,10 @@ The Logout Request will be sent signed or unsigned based on the security setting
 
 The IdP will return the Logout Response through the user's client to the Single Logout Service of the SP.
 
-We can set a 'returnTo' url parameter to the logout function and that will be converted as a 'RelayState' parameter:
+We can set a 'RelayState' parameter containing a return url to the login function:
 ```
-String targetUrl = 'https://example.com';
-auth.logout(returnTo=targetUrl)
+String returnUrl = 'https://example.com';
+auth.logout(relayState=returnUrl)
 ```
 
 Also there are 7 optional parameters that can be set:

core/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.onelogin</groupId>
 		<artifactId>java-saml-toolkit</artifactId>
-		<version>2.6.1-SNAPSHOT</version>
+		<version>2.7.1-SNAPSHOT</version>
 	</parent>
 
 	<packaging>jar</packaging>
@@ -60,7 +60,7 @@
 		<dependency>
 			<groupId>org.apache.santuario</groupId>
 			<artifactId>xmlsec</artifactId>
-			<version>2.2.0</version>
+			<version>2.2.2</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
@@ -72,13 +72,13 @@
 		<dependency>
 			<groupId>com.azure</groupId>
 			<artifactId>azure-security-keyvault-keys</artifactId>
-			<version>4.2.1</version>
+			<version>4.3.0</version>
 			<optional>true</optional>
 		</dependency>
 		<dependency>
 			<groupId>com.azure</groupId>
 			<artifactId>azure-identity</artifactId>
-			<version>1.0.9</version>
+			<version>1.3.3</version>
 			<optional>true</optional>
 		</dependency>
 	</dependencies>
@@ -118,7 +118,10 @@
 				<artifactId>maven-surefire-plugin</artifactId>
 				<version>2.22.2</version>
 				<configuration>
-					<argLine>${jacoco.agent.argLine}</argLine>
+                                        <encoding>${project.build.sourceEncoding}</encoding>
+					<inputEncoding>${project.build.sourceEncoding}</inputEncoding>
+					<outputEncoding>${project.build.sourceEncoding}</outputEncoding>
+					<argLine>${jacoco.agent.argLine} -Dfile.encoding=${project.build.sourceEncoding} -Dline.separator=\n</argLine>
 				</configuration>
 			</plugin>
 			<plugin>

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -11,8 +11,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.model.Organization;
+import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Constants;
 import com.onelogin.saml2.util.Util;
 
@@ -101,7 +101,7 @@ public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassiv
 		this.nameIdValueReq = nameIdValueReq;
 
 		StrSubstitutor substitutor = generateSubstitutor(settings);
-		authnRequestString = substitutor.replace(getAuthnRequestTemplate());
+		authnRequestString = postProcessXml(substitutor.replace(getAuthnRequestTemplate()), settings);
 		LOGGER.debug("AuthNRequest --> " + authnRequestString);
 	}
 
@@ -121,6 +121,26 @@ public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassiv
 		this(settings, forceAuthn, isPassive, setNameIdPolicy, null);
 	}
 
+	/**
+	 * Allows for an extension class to post-process the AuthnRequest XML generated
+	 * for this request, in order to customize the result.
+	 * <p>
+	 * This method is invoked at construction time, after all the other fields of
+	 * this class have already been initialised. Its default implementation simply
+	 * returns the input XML as-is, with no change.
+	 * 
+	 * @param authnRequestXml
+	 *              the XML produced for this AuthnRequest by the standard
+	 *              implementation provided by {@link AuthnRequest}
+	 * @param settings
+	 *              the settings
+	 * @return the post-processed XML for this AuthnRequest, which will then be
+	 *         returned by any call to {@link #getAuthnRequestXml()}
+	 */
+	protected String postProcessXml(final String authnRequestXml, final Saml2Settings settings) {
+		return authnRequestXml;
+	}
+	
 	/**
 	 * @return the base64 encoded unsigned AuthnRequest (deflated or not)
 	 *
@@ -261,4 +281,13 @@ public String getId()
 	{
 		return id;
 	}
+	
+	/**
+	 * Returns the issue instant of this message.
+	 * 
+	 * @return a new {@link Calendar} instance carrying the issue instant of this message
+	 */
+	public Calendar getIssueInstant() {
+		return issueInstant == null? null: (Calendar) issueInstant.clone();
+	}
 }