Defend against undefined NotOnOrAfter #289
Conversation
We also need a test to make sure that this doesn't break again.
assertion.$.IssueInstant
);

const maxTimeLimitMs = subjectNotOnOrAfter
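Review bot: the guard at `const maxTimeLimitMs = subjectNotOnOrAfter ...` defends only this call site; since `assertion.$.IssueInstant` is already passed into the age calculation just above, the undefined case belongs inside that helper so every caller gets a valid limit, and the fix needs a test with an assertion that omits `NotOnOrAfter` so it cannot regress.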
Correction to this logic should be in this.calcMaxAgeAssertionTime(), not here. We should be able to handle bad data coming in and still return a proper value per the existing logic.
@cjbarth, checkTimestampsValidityError properly handles maxTimeLimitMs that is undefined, would you say it's acceptable to return undefined from checkTimestampsValidityError?
@joshgummersall, thanks for your PR. Please note the comments and we'll do our best to help you get this code landed.
Codecov Report
@@ Coverage Diff @@
## master #289 +/- ##
==========================================
- Coverage 81.49% 81.37% -0.13%
==========================================
Files 11 11
Lines 816 816
Branches 252 253 +1
==========================================
- Hits 665 664 -1
Misses 63 63
- Partials 88 89 +1
For the record PR's description's this link is now referring to master branch content and thus shall start to refer to incorrect line when file is updated:
Here is a link which points to the version that was at the Based on content of this PR it seems that auth response that triggered this issue had element If that's the case then IMHO that is against SAML spec. See https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf and chapter:
i.e. IMHO lines fwiw, Same lines (and following chapter 4.1.4.3) state that
@srd90 yeah, my reading of the spec you shared is the same. It seems that
All squared away, thanks again for the pointers!
The docs explain that NotOnOrAfter and NotBefore will only be validated if they exist in the SAML response. I found that this produces a runtime exception that NotOnOrAfter is undefined, thrown here. This was the simplest fix I could find that does not affect any existing tests. Thanks for your time & a great library!
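The validation flow the PR description and the review comments describe, written out as an added example; this is not node-saml's or passport-saml's code. The function names calcMaxAgeAssertionTime and checkTimestampsValidityError and the option names maxAssertionAgeMs and acceptedClockSkewMs are taken from the discussion, but their bodies, the parseInstant helper, validateAssertion and the simplified assertion shape are assumptions made for this illustration. It shows the point cjbarth raised: the helper that derives the upper time limit tolerates an absent NotOnOrAfter and still returns a proper value from IssueInstant plus the configured maximum age, while NotBefore is only checked when present.

```javascript
// Added example, not the library's own code. Names mirror the PR discussion;
// bodies, helper names and the assertion shape below are assumptions.

// Parse an xs:dateTime. undefined/null pass through (optional attribute);
// unparseable input is rejected rather than silently becoming NaN.
function parseInstant(value) {
  if (value === undefined || value === null) return undefined;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) throw new Error(`Invalid SAML timestamp: ${value}`);
  return ms;
}

// Upper bound on assertion validity: IssueInstant + maxAssertionAgeMs,
// tightened by NotOnOrAfter when the assertion carries one. A missing
// NotOnOrAfter does not throw; the configured age cap alone decides.
function calcMaxAgeAssertionTime(maxAssertionAgeMs, notOnOrAfter, issueInstant) {
  const issueMs = parseInstant(issueInstant);
  if (issueMs === undefined) throw new Error("IssueInstant is required");
  const limitByAge = issueMs + maxAssertionAgeMs;
  const limitByCondition = parseInstant(notOnOrAfter);
  return limitByCondition === undefined ? limitByAge : Math.min(limitByAge, limitByCondition);
}

// Returns an Error for the first violated bound, or null when the timestamps
// are acceptable. NotBefore is only checked when present; an undefined
// maxTimeLimitMs means "no upper bound".
function checkTimestampsValidityError(nowMs, notBefore, maxTimeLimitMs, acceptedClockSkewMs) {
  const notBeforeMs = parseInstant(notBefore);
  if (notBeforeMs !== undefined && nowMs + acceptedClockSkewMs < notBeforeMs) {
    return new Error("SAML assertion not yet valid");
  }
  if (maxTimeLimitMs !== undefined && nowMs - acceptedClockSkewMs >= maxTimeLimitMs) {
    return new Error("SAML assertion expired");
  }
  return null;
}

// Ties the two together for one parsed assertion. The object shape is a
// constructed simplification, not the library's xml2js output.
function validateAssertion(assertion, options, nowMs) {
  const conditions = assertion.Conditions || {};
  const subjectConfirmationData = assertion.SubjectConfirmationData || {};
  // The bearer SubjectConfirmationData NotOnOrAfter is preferred when present;
  // otherwise fall back to the Conditions element, which may also be absent.
  const notOnOrAfter = subjectConfirmationData.NotOnOrAfter !== undefined
    ? subjectConfirmationData.NotOnOrAfter
    : conditions.NotOnOrAfter;
  const maxTimeLimitMs = calcMaxAgeAssertionTime(
    options.maxAssertionAgeMs, notOnOrAfter, assertion.IssueInstant);
  return checkTimestampsValidityError(
    nowMs, conditions.NotBefore, maxTimeLimitMs, options.acceptedClockSkewMs);
}

// Constructed sample data: one assertion with every timestamp, one that omits
// NotOnOrAfter entirely (the case that used to throw).
const OPTIONS = { maxAssertionAgeMs: 5 * 60 * 1000, acceptedClockSkewMs: 0 };
const FULL_ASSERTION = {
  IssueInstant: "2023-01-01T12:00:00Z",
  Conditions: { NotBefore: "2023-01-01T11:59:00Z", NotOnOrAfter: "2023-01-01T12:02:00Z" },
  SubjectConfirmationData: { NotOnOrAfter: "2023-01-01T12:01:00Z" },
};
const NO_NOTONORAFTER_ASSERTION = {
  IssueInstant: "2023-01-01T12:00:00Z",
  Conditions: { NotBefore: "2023-01-01T11:59:00Z" },
};

function resultAt(assertion, iso) {
  const err = validateAssertion(assertion, OPTIONS, Date.parse(iso));
  return err === null ? "ok" : err.message;
}
```

With the sample data, the assertion lacking NotOnOrAfter is accepted at 12:03 and rejected as expired at 12:05 (IssueInstant plus the five-minute cap), while the full assertion expires at 12:01 because the tighter SubjectConfirmationData bound wins over both Conditions and the age cap.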