Add warning about the use of IdpMetadataParser class. If Metadata URLs are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF

pitbulk · pitbulk · commit 287540a709f6 · 2021-05-25T17:44:51.000+02:00
diff --git a/README.md b/README.md
@@ -1390,6 +1390,9 @@ Auxiliary class that contains several methods to retrieve and process IdP metada
  * `parseXML` - Get IdP Metadata Info from XML.
  * `injectIntoSettings` - Inject metadata info into php-saml settings array.
 
+The class does not validate in any way the URL that is introduced on methods like parseRemoteXML in order to retrieve the remove XML. Usually is the same administrator that handles the Service Provider the ones that set the URL that should belong to a trusted third-party IdP.
+But there are other scenarios, like a SAAS app where the administrator of the app delegates on other administrators. In such case, extra protection should be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
 
 For more info, look at the source code; each method is documented and details
 about what it does and how to use it are provided. Make sure to also check the doc folder where
diff --git a/src/Saml2/IdPMetadataParser.php b/src/Saml2/IdPMetadataParser.php
@@ -26,6 +26,10 @@ class IdPMetadataParser
     /**
      * Get IdP Metadata Info from URL
      *
+     * This class does not validate in any way the URL that is introduced,
+     * make sure to validate it properly before use it in the parseRemoteXML
+     * method in order to avoid security issues like SSRF attacks.
+     *
      * @param string $url                 URL where the IdP metadata is published
      * @param string $entityId            Entity Id of the desired IdP, if no
      *                                    entity Id is provided and the XML
@@ -43,6 +47,9 @@ public static function parseRemoteXML($url, $entityId = null, $desiredNameIdForm
 
         try {
             $ch = curl_init($url);
+            curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
+            curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS  | CURLPROTO_HTTP);
+            curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
             curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
