santuario-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [security] Protections against Duo Labs type attacks
Date Thu, 08 Mar 2018 12:15:39 GMT
This attack does not appear to apply to the Java DOM implementation, as the
entire node value is parsed - and not just the bit up to the comment. I
added a sanity test to WSS4J (which depends on Santuario) here to check
that it works OK:

https://svn.apache.org/viewvc?view=revision&revision=1825555

However, I definitely encourage downstream projects to incorporate these
types of tests into their builds - other Java based XML parsing libraries
might be vulnerable.

Colm.

On Thu, Mar 8, 2018 at 12:06 PM, Tom Chiverton <tc@extravision.com> wrote:

> I was reading [1] and wondered if there are either specific protections
> already in place in Apache Santuario's XML security implementation, or if
> it's up to callers of the API to make sure they use it in just the right
> way ?
>
>
> As a concrete example, implementations may be doing something like calling
> o.a.x.security.signature.XMLSignature's checkSignatureValue() with a
> reference to either the SAML's X509 certificate and/or the Signature node.
> If the latter is being extracted with doc.getElementsByTagNameNS(SignatureSpecNS,
> "Signature") is this sufficient protection against the new attack ?
>
>
> [1] https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
> --
> *Tom Chiverton*
> Lead Developer
> e:  tc@extravision.com
> p:  0161 817 2922
> t:  @extravision <http://www.twitter.com/extravision>
> w:  www.extravision.com
> Registered in the UK at: First floor, Tomorrow, MediaCityUK, Manchester,
> M50 2AB.
> Company Reg No: 05017214 VAT: GB 824 5386 19
>
> This e-mail is intended solely for the person to whom it is addressed and
> may contain confidential or privileged information.
> Any views or opinions presented in this e-mail are solely of the author
> and do not necessarily represent those of Extravision Ltd.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
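The following is an added illustration of the comment-splitting pattern the thread is about; it is example code written for this page, not Colm's WSS4J sanity test and not Santuario or WSS4J code. It parses a constructed SAML fragment (the assertion string, the class name and the helper method names are all assumptions made here) whose NameID contains an empty XML comment, and compares two ways of reading the value with the JDK's DOM parser: taking only the first child text node, which yields the truncated identifier, and getTextContent(), which concatenates the text nodes and ignores the comment. The second is the behaviour Colm describes for the Java DOM implementation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Hypothetical check: does NameID extraction survive a comment-split? */
public class CommentSplitCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample input: an attacker who controls the account
    // user@example.com.evil.com inserts an empty comment so the DOM holds
    // two text nodes ("user@example.com" and ".evil.com") around a comment.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\">"
      + "<saml:Subject><saml:NameID>user@example.com<!---->.evil.com"
      + "</saml:NameID></saml:Subject>"
      + "</saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Refuse DOCTYPE so an attacker cannot reach entity expansion / XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Fragile pattern: reads only the first child node, so everything after
    // the comment is silently dropped.
    static String firstTextNodeOnly(Element e) {
        Node first = e.getFirstChild();
        return first == null ? null : first.getNodeValue();
    }

    // Robust pattern: DOM Level 3 textContent concatenates all descendant
    // text and excludes comment and processing-instruction nodes.
    static String fullText(Element e) {
        return e.getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(ASSERTION);
        Element nameId = (Element) doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0);

        String truncated = firstTextNodeOnly(nameId);
        String complete = fullText(nameId);
        System.out.println("first text node : " + truncated);
        System.out.println("getTextContent(): " + complete);

        // A sanity test of the kind the thread recommends: the two readings
        // must agree, otherwise the extraction code is splitting on comments.
        if (!complete.equals(truncated)) {
            System.out.println("comment-split detected: use the full text content"
                + " (or reject assertions whose NameID contains comment nodes)");
        }
    }
}
```

The signature itself is not what this check exercises: the inclusive and exclusive canonicalization algorithms used by XML Signature drop comments in their default (without-comments) forms, so an assertion modified this way can still verify. The point of a test like Colm's is to confirm what the relying party reads out of the verified document afterwards, which is why downstream projects that do their own NameID extraction should run a case like this against whichever parser they use.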
