goxmldsig v2 is NOT vulnerable to the CVE-2020-29509/29510/29511 class of parser differential attacks. The switch from encoding/xml to etree for XML parsing eliminates the core vulnerability.
22 tests written to parser_diff_audit_test.go, all passing.
Researched: GitHub Advisory Database, NVD, CERT/CC, Mattermost Security Blog, project-specific advisories.
XSW attacks exploit the disconnect between signature verification and data extraction in SAML processors. The attacker moves or copies the signed content to a different location in the XML document, then inserts malicious content where the SP will read it. The signature remains valid over the original content, but the SP processes the attacker's injected content.
This is a breaking-change release. The module path will become github.com/russellhaering/gosaml2/v2. Since we're already breaking the API, we should make all the breaking changes we want in one shot.
| TBinaryProtocol.prototype.writeMessageBegin = function(name, type, seqid) { | |
| if (this.strictWrite) { | |
| this.writeI32(VERSION_1 | type); | |
| this.writeString(name); | |
| this.writeI32(seqid); | |
| } else { | |
| this.writeString(name); | |
| this.writeByte(type); | |
| this.writeI32(seqid); | |
| } |
| var https = require('https'); | |
| function main() { | |
| var fired = 0, req; | |
| req = https.request({ | |
| host: 'localhost', | |
| port: 8052, | |
| path: '/', | |
| method: 'GET' |
| PING google.com (74.125.224.112): 56 data bytes | |
| 64 bytes from 74.125.224.112: icmp_seq=0 ttl=57 time=550.263 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=1 ttl=57 time=910.745 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=2 ttl=57 time=874.949 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=3 ttl=57 time=667.673 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=4 ttl=57 time=429.829 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=5 ttl=57 time=569.470 ms | |
| 64 bytes from 74.125.224.112: icmp_seq=6 ttl=57 time=759.054 ms | |
| Request timeout for icmp_seq 7 | |
| 64 bytes from 74.125.224.112: icmp_seq=7 ttl=57 time=1925.043 ms |
| #!/usr/bin/env python | |
| # | |
| # reset-onid.py - A script to allow you to keep your ONID password at Oregon | |
| # State University. This script is (literally) untested and should not be used | |
| # under any circumstances | |
| # | |
| # Dependencies: | |
| # - httplib2 | |
| # - The 'pwgen' utility | |
| # |
| // Thrift generated code | |
| scribe_Log_result.prototype.write = function(output) { | |
| output.writeStructBegin('scribe_Log_result'); | |
| if (this.success) { | |
| output.writeFieldBegin('success', Thrift.Type.I32, 0); | |
| output.writeI32(this.success); | |
| output.writeFieldEnd(); | |
| } | |
| output.writeFieldStop(); | |
| output.writeStructEnd(); |
| /** This is what a thrift service implementation in Node.js _currently_ looks like */ | |
| var CURRENT_HANDLER = { | |
| // On success, the return argument is passed as the only argument to the callback | |
| HelloWorld: function(name, callback) { | |
| callback("hello " + name); | |
| }, | |
| // When something goes wrong, there is no way to get the exception back to the client | |
| UhOhWorld: function(name, callback) { | |
| var e = new ttypes.UhOhException("I can't do that " + name); |
| /** | |
| * Note: this only currently supports the %s and %j formatters. | |
| * | |
| * The first call with any given formatter will be relatively slow, but every subsequent | |
| * call with the same formatter should be very fast (in V8). | |
| */ | |
| var cache = {}; | |
| var SINGLE_QUOTE = new RegExp('\'', 'g'); |