From 240f8ea1a6802d40350f379fcec68a9e3ff36be4 Mon Sep 17 00:00:00 2001
From: Eugenio Pace
Date: Fri, 12 May 2017 10:31:25 -0700
Subject: [PATCH] Fixed Snyk reports by updating dependencies and fixing escape when upgrading to ejs 2.5.5

---
 lib/interpolate.js | 9 +++------
 lib/wsfed.js | 5 ++---
 package.json | 10 +++++-----
 test/wsfed-encryption.tests.js | 3 ++-
 4 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/lib/interpolate.js b/lib/interpolate.js
index aa58543..dcb4afc 100644
--- a/lib/interpolate.js
+++ b/lib/interpolate.js
@@ -1,3 +1,5 @@
+var utils = require('./utils');
+
 function getProp(obj, path) {
 return path.split('.').reduce(function (prev, curr) {
 return prev[curr];
@@ -5,12 +7,7 @@ function getProp(obj, path) {
 }
 
 function escape (html){
- return String(html)
- .replace(/&(?!#?[a-zA-Z0-9]+;)/g, '&')
- .replace(//g, '>')
- .replace(/'/g, ''')
- .replace(/"/g, '"');
+ return utils.escape(html).replace(/'/g, ''')
 }
 
 module.exports = function (tmpl) {
diff --git a/lib/wsfed.js b/lib/wsfed.js
index 174a82a..72aeaa8 100644
--- a/lib/wsfed.js
+++ b/lib/wsfed.js
@@ -91,9 +91,8 @@ module.exports = function(options) {
 encryptionCert: options.encryptionCert
 }, function(err, assertion) {
 if (err) return next(err);
- var escapedWctx = utils.escape(utils.escape(ctx)); // we need an escaped value for RequestSecurityTokenResponse.Context
- var escapedAssertion = utils.escape(assertion); // we need an escaped value for RequestSecurityTokenResponse.Context
- assertion = '' + escapedAssertion + '';
+ var escapedWctx = utils.escape(ctx);
+ assertion = '' + assertion + '';
 return renderResponse(res, postUrl, ctx, assertion);
 });
diff --git a/package.json b/package.json
index f2cc004..fb68843 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "wsfed",
- "version": "3.1.4",
+ "version": "3.2.0",
 "description": "WSFed server middleware",
 "main": "lib/index.js",
 "scripts": {
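Review bot: The new body of `escape` in lib/interpolate.js drops two things the removed lines did explicitly, and whether `utils.escape` restores them cannot be checked from this patch: the `String(html)` coercion, so a number or undefined reaching a template placeholder may now throw instead of being escaped, and the negative lookahead on `&` that left already-present entities alone, so pre-escaped input may now be double-escaped. The removal of the nested `utils.escape(utils.escape(ctx))` in lib/wsfed.js in the same commit suggests the second change is intended, but the contract should be written down: add above the return a comment stating exactly which characters `utils.escape` is relied on to encode and why `'` is appended here, e.g. `// utils.escape encodes the markup metacharacters; ' is added for attribute contexts — confirm against lib/utils.js`. The new return line also lost the trailing semicolon the removed lines carried; terminate it as the rest of the file does.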
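Review bot: On the new side of the lib/wsfed.js hunk `escapedWctx` is assigned but no visible line reads it — `renderResponse(res, postUrl, ctx, assertion)` still receives the raw `ctx` — so the variable is either dead after this change or consumed by something outside the hunk (the callback it sits in starts before the hunk). If `ctx` is the wctx value echoed back from the request, as the name suggests, the escaping applied to it at render time is exactly what matters here, so state which pass is in effect: either drop the line or replace the removed comment with `// escaped once only: the ejs 2.5.5 template presumably escapes <%= %> output itself, so no second pass`. The same applies to wrapping `assertion` without `utils.escape`: the commit title attributes this to the ejs upgrade, but that dependency on the template's output escaping is invisible at this call site, and a later switch of the template to an unescaped tag would silently change what is posted in the form. The removed comments also recorded why the escaping existed (the RequestSecurityTokenResponse Context value); keep that rationale in whatever comment replaces them.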
@@ -18,9 +18,9 @@
 "author": "Auth0",
 "license": "mit",
 "dependencies": {
- "ejs": "~0.8.3",
+ "ejs": "2.5.5",
 "jsonwebtoken": "~5.0.4",
- "saml": "^0.9.3",
+ "saml": "0.11.0",
 "thumbprint": "0.0.1"
 },
 "devDependencies": {
@@ -29,10 +29,10 @@
 "mocha": "~1.8.1",
 "request": "~2.14.0",
 "xmldom": "=0.1.15",
- "cheerio": "~0.10.7",
+ "cheerio": "0.22.0",
 "xml-crypto": "~0.0.20",
 "xpath": "0.0.5",
 "xtend": "~2.0.3",
- "xml-encryption": "~0.7.2"
+ "xml-encryption": "0.11.0"
 }
 }
diff --git a/test/wsfed-encryption.tests.js b/test/wsfed-encryption.tests.js
index 9cfdc18..077ebe9 100644
--- a/test/wsfed-encryption.tests.js
+++ b/test/wsfed-encryption.tests.js
@@ -38,7 +38,7 @@ describe('when dwdw encrypting the assertion', function () {
 if(err) return done(err);
 body = b;
 $ = cheerio.load(body);
- var wresult = $('input[name="wresult"]').attr('value');
+ var wresult = $('input[name="wresult"]').attr('value');
 encryptedAssertion = /(.*)<\/t:RequestedSecurityToken>/.exec(wresult)[1];
 done();
 });
@@ -54,6 +54,7 @@ describe('when dwdw encrypting the assertion', function () { it('should contain a valid encrypted xml with the assertion', function(done){ xmlenc.decrypt(encryptedAssertion, { key: credentials.key }, function(err, decrypted) { + var isValid = xmlhelper.verifySignature(decrypted, credentials.cert); expect(isValid).to.be.ok;