Merge pull request #12 from eugeniop/master

Fixed Snyk reports by updating dependencies and fixing escape when up…
auth0 · May 12, 2017 · 14ccfdf · 14ccfdf
2 parents b7550cd + 240f8ea
commit 14ccfdf
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 15 deletions.
diff --git a/lib/interpolate.js b/lib/interpolate.js
@@ -1,16 +1,13 @@
+var utils = require('./utils');
+
 function getProp(obj, path) {
   return path.split('.').reduce(function (prev, curr) {
     return prev[curr];
   }, obj);
 }
 
 function escape (html){
-  return String(html)
-    .replace(/&(?!#?[a-zA-Z0-9]+;)/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/'/g, '&#39;')
-    .replace(/"/g, '&quot;');
+  return utils.escape(html).replace(/'/g, '&#39;')
 }
 
 module.exports = function (tmpl) {

diff --git a/lib/wsfed.js b/lib/wsfed.js
@@ -91,9 +91,8 @@ module.exports = function(options) {
         encryptionCert:       options.encryptionCert
       }, function(err, assertion) {
         if (err) return next(err);
-        var escapedWctx = utils.escape(utils.escape(ctx)); // we need an escaped value for RequestSecurityTokenResponse.Context
-        var escapedAssertion = utils.escape(assertion); // we need an escaped value for RequestSecurityTokenResponse.Context
-        assertion = '<t:RequestSecurityTokenResponse Context="'+ escapedWctx + '" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>' + escapedAssertion + '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>';
+        var escapedWctx = utils.escape(ctx); 
+        assertion = '<t:RequestSecurityTokenResponse Context="'+ escapedWctx + '" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>' + assertion + '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>';
 
         return renderResponse(res, postUrl, ctx, assertion);
       });

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "wsfed",
-  "version": "3.1.4",
+  "version": "3.2.0",
   "description": "WSFed server middleware",
   "main": "lib/index.js",
   "scripts": {
@@ -18,9 +18,9 @@
   "author": "Auth0",
   "license": "mit",
   "dependencies": {
-    "ejs": "~0.8.3",
+    "ejs": "2.5.5",
     "jsonwebtoken": "~5.0.4",
-    "saml": "^0.9.3",
+    "saml": "0.11.0",
     "thumbprint": "0.0.1"
   },
   "devDependencies": {
@@ -29,10 +29,10 @@
     "mocha": "~1.8.1",
     "request": "~2.14.0",
     "xmldom": "=0.1.15",
-    "cheerio": "~0.10.7",
+    "cheerio": "0.22.0",
     "xml-crypto": "~0.0.20",
     "xpath": "0.0.5",
     "xtend": "~2.0.3",
-    "xml-encryption": "~0.7.2"
+    "xml-encryption": "0.11.0"
   }
 }
diff --git a/test/wsfed-encryption.tests.js b/test/wsfed-encryption.tests.js
@@ -38,7 +38,7 @@ describe('when dwdw encrypting the assertion', function () {
         if(err) return done(err);
         body = b;
         $ = cheerio.load(body);
-        var wresult = $('input[name="wresult"]').attr('value');
+        var wresult = $('input[name="wresult"]').attr('value');        
         encryptedAssertion = /<t:RequestedSecurityToken>(.*)<\/t:RequestedSecurityToken>/.exec(wresult)[1];
         done();
       });
@@ -54,6 +54,7 @@ describe('when dwdw encrypting the assertion', function () {
 
     it('should contain a valid encrypted xml with the assertion', function(done){
       xmlenc.decrypt(encryptedAssertion, { key: credentials.key }, function(err, decrypted) {
+
         var isValid = xmlhelper.verifySignature(decrypted, credentials.cert);
         expect(isValid).to.be.ok;