This module is depending on "moment": "2.15.2", which is reported as vulnerable to a low severity regular expression denial of service vulnerability.

Suggest to update to latest moment.js package

Vulnerable: <2.19.3
Patched: >=2.19.3
Regular Expression Denial of Service
Module: moment
Published: November 27th, 2017
Reported by: Cristian-Alexandru Staicu
CVE-NONE

https://nodesecurity.io/advisories/532

Hi, we currently make use of samlp, which in turn makes use of this package "saml" on npm.

It looks like the open NSP issue for ReDOS via momentjs requires a package update in your dependencies. (https://nodesecurity.io/advisories/532)

I was wondering if you had any plans in the near future to update your momentjs dependency to 2.19.3 (patched version of moment).

Can you update the "moment" dependency in the "saml" module to 2.19.3 or later so that the vulnerability is covered?
See moment/moment#4163 for more details.
Our company's security scan identified this and asking us to change. I did not think there is any other way than asking you to change the version of moment.

Thanks so much.

best regards,
Pavan.

SAML20.js line 153. no namespace exists defining the saml prefix.

Something like below should work since it defines the saml2 prefix used.
encrypted = '<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:protocol">' + encrypted + '/saml2:EncryptedAssertion';

See this stack overflow exaplanation - http://stackoverflow.com/questions/9473380/xml-schema-validation-error-prefix-is-not-bound

Description

NPM is reporting high vulnerabilities with the moment and async dependencies.

This module depends on [email protected] and async@~0.2.9

moment

• Current: 2.19.3
• Vulnerable: < 2.29.2
• Patched: >= 2.29.2
• Report: [GHSA-8hfj-j24r-96c4](GHSA-8hfj-j24r-96c4)

async

• Current: ~0.2.9
• Vulnerable: < 2.6.4 and ( >= 3.0.0, < 3.2.2 )
• Patched: 2.6.4 and 3.2.2
• async vulnerability report: [GHSA-fwr7-v2mv-hh25](GHSA-fwr7-v2mv-hh25)

Description

npm audit finds issue GHSA-fwr7-v2mv-hh25 in async package.

Reproduction

run npm audit

Environment

any

Clock skew in the assertion consumer can cause assertions created using node-saml to be invalidated due to the NotBefore SAML condition being in the future according to the assertion consumer's clock. The lifetimeInSeconds option accounts for some clock skew in one direction, but does not account for the assertion consumer's clock being ahead of the assertion producer.

I have encountered this issue trying to use node-saml to create assertions for consumption by Salesforce. Backing up the issue instant by 60 seconds or so accommodates for the clock skew between the systems from which I am producing assertions, and Salesforce's servers.

If we had an option such as issueInstantSkewInSeconds, we could subtract this from the issue instant . Coupled with lifetimeInSeconds, we can effectively account for clock skew.

Can we get support for setting the SessionNotOnOrAfter in the AuthnStatement element for SAML2?

Details:
http://stackoverflow.com/questions/29508906/notonorafter-in-subjectconfirmationdata-and-conditions-and-sessionnotonorafter

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

No issues with npm audit

Describe the ideal solution

No issues with npm audit

Alternatives and current work-arounds

None

Additional context

Add any other context or screenshots about the feature request here.

                   === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution in node-forge debug API. │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ saml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ saml > xml-encryption > node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-5rrq-pxf6-6jx5 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ URL parsing in node-forge could lead to undesired behavior. │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ saml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ saml > xml-encryption > node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-gf8q-jrpm-jvxq │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Open Redirect in node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ saml │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ saml > xml-encryption > node-forge │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-8fr3-hfg3-gpgp │
└───────────────┴──────────────────────────────────────────────────────────────┘

mocha 4 (pulled in by the * version) no longer supports Node below version 4 since 4 is the oldest still-active LTS version. Either the Mocha version should be pinned, or the node version should require >= 4 and the travis test suite should be changed accordingly

Hi, the partner I am working with requires their attribute to be of type unspecified. The name of the attribute is a string so SAML automatically generates it as type basic. Is there currently any way to trigger it to be of type of unspecified?
thanks

Description

node-saml is dependent on "xml-crypto": "~1.0.1"

according to GHSA-c27r-x354-4m68

Affected versions <= 1.5.3
Patched versions 2.0.0

Impact
An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

Patches
Version 2.0.0 has the fix.

Workarounds
The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

Reproduction

no reproduction

Environment

node-saml 0.15.0 depending on "xml-crypto": "~1.0.1"

(please note: this is my first ever issue I open on github)

There's quite a few Pull Requests awaiting review, and the last commits to master were from September. Can one of the maintainers for the repo provide some insight into if / when the next release is planned for?

As a first step, it would be great to get through one of the PR's to fix Travis builds so that other PRs can start building again.

Just curious, who are the current maintainers of the repo? It would be great to add a list of the these individuals' names to the README.

Describe the problem you'd like to have solved

As stated in saml specification, if the name id format is chosen as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", then it may contains NameQualifer and SPNameQualifer in element as below.

saml:Subject
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="YOURDOMAIN.monday.com" SPNameQualifier="https://monday.com">Your
Unique Identifier</saml:NameID>
</saml:Subject>

However, from the source code of saml20.js, I don't see any way to set the qualifier

Describe the ideal solution

To support receiving "NameQualifier" and "SPNameQualifier" as saml creation options

Alternatives and current work-arounds

N/A

Additional context

passing an empty object ({}) in options.attributes will create a malformed assertion, as it generates the <saml:AttributeStatement> with no child tags. It has a minimum of 1 child tag, so the <saml:AttributeStatement> tag should not be generated in this case

The documentation outlines support for SAML 1.1 assertion creation, but I see a SAML 2.0 implementation included. I'm thinking either the documentation out-of-date, or it's not production ready (hoping it's the former). Please clarify at your earliest convenience. Thanks!

Description

This library is good to create saml assertion, but how to create the parent container Saml Response having Issuer, Status, Signature, and Assertion?

This function is used to generate unique UIDs throughout the SAML library. Given that SAML deals with authentication, it seems like poor practice to not generate random UIDs in a cryptographically secure manner.

Reference: https://nodejs.org/api/crypto.html#crypto_crypto_randomint_min_max_callback
Guidance: https://gist.github.com/joepie91/7105003c3b26e65efcea63f3db82dfba

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch [email protected] for the project I'm working on.

When the generated SAML assertion is immediately sent to a SAML consumer, it can happen that the consumer refuses the assertion if the consumer's system clock has not reached the 'NotBefore' timestamp.

Here is the diff that solved my problem:

diff --git a/node_modules/saml/lib/saml20.js b/node_modules/saml/lib/saml20.js
index 9db8141..5ba6ec3 100644
--- a/node_modules/saml/lib/saml20.js
+++ b/node_modules/saml/lib/saml20.js
@@ -168,7 +168,7 @@ function createAssertion(options, strategies, callback) {
   var confirmationData = doc.documentElement.getElementsByTagName('saml:SubjectConfirmationData');
 
   if (options.lifetimeInSeconds) {
-    conditions[0].setAttribute('NotBefore', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
+    conditions[0].setAttribute('NotBefore', now.clone().subtract(1, "days").format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
     conditions[0].setAttribute('NotOnOrAfter', now.clone().add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
 
     confirmationData[0].setAttribute('NotOnOrAfter', now.clone().add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));

This issue body was partially generated by patch-package.

Im looking to sign an assertion. Trying out this lib like the readme suggest returns in undefined?

  var saml = require('saml').Saml20; // or Saml11

  var options = {
    cert, // from my X.509 certificate
    key, // from my X.509 certificate
    issuer: 'urn:issuer',
    lifetimeInSeconds: 600,
    audiences: 'urn:myapp',
    attributes: {
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
    },
    nameIdentifier: 'foo',
    sessionIndex: '_faed468a-15a0-4668-aed6-3d9c478cc8fa'
  };
  
  var signedAssertion = saml.create(options);

  console.log(signedAssertion) // undefined (?!)

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch [email protected] for the project I'm working on.

I needed to add some Node elements with specific attributes as AttributeValue in order to create a certain assertion and the current version only allows for textContent to be used. Here is the diff that solved my problem:

diff --git a/node_modules/saml/lib/saml20.js b/node_modules/saml/lib/saml20.js
index 9db8141..1ff00f4 100644
--- a/node_modules/saml/lib/saml20.js
+++ b/node_modules/saml/lib/saml20.js
@@ -216,7 +216,11 @@ function createAssertion(options, strategies, callback) {
           // Ignore undefined values in Array
           var valueElement = doc.createElementNS(NAMESPACE, 'saml:AttributeValue');
           valueElement.setAttribute('xsi:type', options.typedAttributes ? getAttributeType(value) : 'xs:anyType');
-          valueElement.textContent = value;
+          if ('nodeType' in Object(value)) {
+            valueElement.appendChild(value);
+          } else {
+            valueElement.textContent = value;
+          }
           attributeElement.appendChild(valueElement);
         }
       });

This issue body was partially generated by patch-package.

Describe the problem you'd like to have solved

I would like to have my private key stored in my key signing server or HSM. Using an HSM server would provide greater security for the private keys.

Describe the ideal solution

The unsigned XML document should be passed to the HSM server and a signature returned to be embedded in the XML document. The private keys should never leave the HSM.

Alternatives and current work-arounds

No good workarounds are currently available.

Additional context

I have a PR ready for both node-saml and node-samlp, creating this issue just to follow protocol. The solution includes a simple upgrade to allow asynchronous XML signing using a custom function provided by the host application. Unit tests have been created and are passing. The necessary PR's have already been made to xml-crypto version 1.5.3.

May I create a PR for this issue?
My branch: https://github.com/troyfactor4/node-saml

Please can you just upgrade xml-encryption to ^1.0.0 so that this works on Webpack? See related issue below.

auth0/node-xml-encryption#55

Description

In my understanding, the "key" in options is used as private key to sign the assertion, but what's the purpose of "cert"? For me, it doesn't make sense to have "cert" as a mandatory option https://github.com/auth0/node-saml/blob/master/lib/saml20.js#L62

Environment

Please provide the following:

• **Version of this library used: saml2.0
• **Version of the platform or framework used, if applicable: N/A
• **Other relevant versions (language, server software, OS, browser): nodejs
• **Other modules/plugins/libraries that might be involved:N/A

In line 69 the timestamp variable now has time added to it, which mutates the original time.

now is then re-used later when setting the AuthenticationInstant, however it is not the current time being set, but the mutated one. This leads to the AuthenticationInstant having the same time as the NotOnOrAfter attribute.

A possible fix is to re-initialise the now variable, after it's mutated.

Hey Auth0,

I was using the SAML 2.0 saml.create(options, callback) API and I had some questions about options parameters. For some context, I'm looking to create encrypted, signed SAML2 assertions, and I looked at the unit tests for examples, but I still have questions.

Are the following descriptions correct for each options parameter?

• options.cert: identity provider's x.509 certificate
• options.key: identity provider's private key
• options.encryptionPublicKey: service provider's public key
• options.encryptionCert: service provider's x.509 certificate

To my understanding of SAML (which may be incorrect), assertions are encrypted using the service provider's public key / certificate (which are are the two encryption variables), and then later the service provider will decrypt using their private key. I'm not sure of the purpose for the other two parameters, cert and key.

Clarification on these parameters is appreciated. Thank you in advance!

Might be a bug, might be intended behaviour. The number 0 feels like a valid session Id to me though.
https://github.com/auth0/node-saml/blob/master/lib/saml20.js#L173

Currently getAttributeType() of saml20.js is sending out all number type as double; can this be modified to send "integer" type too?

Something like,

function getAttributeType(value){
  switch(typeof value) {
    case "string":
      return 'xs:string';
    case "boolean":
      return 'xs:boolean';
    case "number":
      if(value === parseInt(value, 10))
        return 'xs:integer';
      else
        return 'xs:double';
    default:
      return 'xs:anyType';
  }
}

Description

Outdated xml-encryption dependency contains a version of node-forge with 'High' severity vulnerability. The 'xml-encryption' dependency should be updated to v1.2.1.

Reproduction

Running an npm audit produces the following output:

Run  npm install [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Prototype Pollution in node-forge

  Package         node-forge

  Dependency of   xml-encryption

  Path            xml-encryption > node-forge

  More info       https://npmjs.com/advisories/1561

Environment

• Version of this library used: 0.15.0