.name_id raises NoMethodError in Ruby 2.6 default REXML version #516

Open
atyndall opened this issue Oct 23, 2019 · 2 comments
Contributor

atyndall commented Oct 23, 2019

The following XML

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2055-05-05T17:55:00Z" Destination="http://fake.appbot.co/sso/sso1/saml/consume" InResponseTo="SSO_1">
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://fake.appbot.co/sso/sso1/saml/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">100</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>

Causes OneLogin::RubySaml::Response#name_id to raise NoMethodError (undefined method '[]' for nil:NilClass) in Ruby 2.6 and above.

Code to replicate:

require 'onelogin/ruby-saml'
require 'zlib'
require 'base64'

# saml.xml holds the XML document shown above
raw_saml = File.read('saml.xml')

# Drop the 2-byte zlib header and 4-byte Adler-32 trailer to get raw DEFLATE
deflated_saml = Zlib::Deflate.deflate(raw_saml, 9)[2..-5]
encoded_saml = Base64.encode64(deflated_saml)

response = OneLogin::RubySaml::Response.new(encoded_saml)

response.name_id

In Ruby 2.5.7:

2.5.7 :012 > response.name_id
 => nil

In Ruby 2.6.0 and 2.6.5:

2.6.5 :012 > response.name_id
Traceback (most recent call last):
       16: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:183:in `expr'
       15: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:437:in `step'
       14: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:583:in `evaluate_predicate'
       13: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:583:in `collect'
       12: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:586:in `block in evaluate_predicate'
       11: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:586:in `each_with_index'
       10: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:586:in `each'
        9: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:594:in `block (2 levels) in evaluate_predicate'
        8: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:345:in `expr'
        7: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:813:in `equality_relational_compare'
        6: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/syncenumerator.rb:27:in `each'
        5: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/syncenumerator.rb:27:in `times'
        4: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/syncenumerator.rb:28:in `block in each'
        3: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:815:in `block in equality_relational_compare'
        2: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/xpath_parser.rb:799:in `norm'
        1: from /Users/atyndall/.rvm/rubies/ruby-2.6.5/lib/ruby/2.6.0/rexml/functions.rb:139:in `string'
NoMethodError (undefined method `[]' for nil:NilClass)

This is likely due to a bug introduced when Ruby's bundled REXML was upgraded to v3.1.9. It goes away with a gem update rexml.

Given that the broken REXML is bundled by default with Ruby 2.6.x, I'm not sure if you want to note down a warning somewhere, or issue a fix to handle those borked Ruby versions.
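
An added example, not part of the original issue and not ruby-saml code: one way a service provider could keep the Ruby 2.5 outcome (no NameID, no login) when `name_id` raises as described above. `safe_name_id`, `decide_login`, `reported_rexml?` and the three stub classes are hypothetical names; the stubs are constructed stand-ins for `OneLogin::RubySaml::Response`.

```ruby
# Added example; helper names are hypothetical, not ruby-saml API.
begin
  require 'rexml/rexml' # defines REXML::VERSION when REXML is installed
rescue LoadError
  nil # rexml_version then returns nil
end

REPORTED_REXML_VERSION = '3.1.9' # version named in the issue above

def rexml_version
  defined?(REXML::VERSION) ? REXML::VERSION : nil
end

def reported_rexml?(version = rexml_version)
  version == REPORTED_REXML_VERSION
end

# Returns [name_id, error]. A NoMethodError raised inside #name_id becomes
# a nil NameID plus a message for the log; an object that lacks #name_id
# altogether is a programming error and raises ArgumentError.
def safe_name_id(response)
  raise ArgumentError, 'response has no #name_id' unless response.respond_to?(:name_id)
  [response.name_id, nil]
rescue NoMethodError => e
  [nil, "#{e.class}: #{e.message} (REXML #{rexml_version || 'unknown'})"]
end

# Fail closed: without a usable NameID the login is rejected rather than
# letting an unhandled exception escape the SSO consume endpoint.
def decide_login(response)
  name_id, error = safe_name_id(response)
  return { status: :rejected, reason: error } if error
  return { status: :rejected, reason: 'missing NameID' } if name_id.to_s.strip.empty?
  { status: :accepted, name_id: name_id }
end

# Constructed stand-ins for OneLogin::RubySaml::Response.
CrashingResponse = Class.new { def name_id; nil[0]; end } # raises as in the traceback
EmptyResponse    = Class.new { def name_id; nil; end }    # Ruby 2.5.7 behaviour
GoodResponse     = Class.new { def name_id; '100'; end }

if $PROGRAM_NAME == __FILE__
  [CrashingResponse, EmptyResponse, GoodResponse].each do |klass|
    puts "#{klass}: #{decide_login(klass.new)}"
  end
  puts "REXML #{rexml_version.inspect}, version named in issue: #{reported_rexml?}"
end
```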

Collaborator

pitbulk commented Oct 23, 2019

Thanks for sharing this. I will leave your issue open so others with the same error can figure it out.
I will also try to figure out how to avoid this bug.


gsar commented Mar 10, 2020

just for reference, here's the PR that fixed this for me: ruby/rexml#13
