Update README.md to reflect getKeyInfoContent changes #470
Conversation
Changes in node-saml#445 was not reflected in the documentation. This PR fixes it.
| - `getKeyInfoContent` - function - default `noop` - a function that returns the content of the KeyInfo node | ||
| - `getCertFromKeyInfo` - function - default `SignedXml.getCertFromKeyInfo` - a function that returns the certificate from the `<KeyInfo />` node | ||
| - `getKeyInfoContent` - function - default `SignedXml.getKeyInfoContent` - a function that returns the content of the KeyInfo node | ||
| - `getCertFromKeyInfo` - function - default `noop` - a function that returns the certificate from the `<KeyInfo />` node |
There was a problem hiding this comment.
It seems that production code still provides possibility to use unsecure implementation (SignedXml.getCertFromKeyInfo):
Quote from version 6.0.0:
Lines 217 to 223 in 0ed7ab2
I.e. aforementioned implementation was not removed from production code meaning that anyone could use it as a value to getCertFromKeyInfo option.
Maybe README.md should state something like
DO NOT at any circumstances configure
SigndXml.getCertFromKeyInfoas a value togetCertFromKeyInfobecause that SHALL trigger this Critical vulnerability: CVE-2024-32962 aka GHSA-2xp3-57p7-qf4v
or same in markdown
DO NOT at any circumstances configure `SigndXml.getCertFromKeyInfo` as a value to `getCertFromKeyInfo` because that SHALL trigger this **Critical** vulnerability: CVE-2024-32962 aka [GHSA-2xp3-57p7-qf4v](https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v)
@cjbarth quick grepping of xml-crypto codebase didn't reveal any usage for SignedXml.getCertFromKeyInfo other than test codes (which could have test code specific implementation of getCertFromKeyInfo) and
Line 57 in 0ed7ab2
which might be possible to be replaced with SignedXml.noop
Changes in #445 was not reflected in the documentation.
This PR attempts to fix it.