[READY] Merge master into v2.x (please don't squash commits!)

CHANGELOG.md

@@ -15,7 +15,13 @@
 * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
 * [#711](https://github.com/SAML-Toolkits/ruby-saml/pull/711) Standardize how RubySaml reads and formats certificate and private_key PEM values, including the `RubySaml::Util#format_cert` and `#format_private_key` methods.
 
-### 1.17.0
+### 1.18.0  (???)
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
+* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+
+### 1.17.0  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
@@ -55,6 +61,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.3  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2021)
 * [#575](https://github.com/SAML-Toolkits/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 
@@ -182,14 +191,12 @@
   * Require Issuer element. (Must match IdP EntityID).
   * Destination value can't be blank (if present must match ACS URL).
   * Check that the EncryptedAssertion element only contains 1 Assertion element.
-
 * [#335](https://github.com/SAML-Toolkits/ruby-saml/pull/335) Explicitly parse as XML and fix setting of Nokogiri options.
 * [#345](https://github.com/SAML-Toolkits/ruby-saml/pull/345)Support multiple settings.auth_context
 * More tests to prevent XML Signature Wrapping
 * [#342](https://github.com/SAML-Toolkits/ruby-saml/pull/342) Correct the usage of Mutex
 * [352](https://github.com/SAML-Toolkits/ruby-saml/pull/352) Support multiple AttributeStatement tags
 
-
 ### 1.3.1 (July 10, 2016)
 * Fix response_test.rb of gem 1.3.0
 * Add reference to Security Guidelines
@@ -302,7 +309,6 @@
 * [#111](https://github.com/SAML-Toolkits/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
 * [#108](https://github.com/SAML-Toolkits/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
 
-
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
 

README.md

@@ -7,6 +7,9 @@
 Ruby SAML minor and tiny versions may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
+**There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409).
+Make sure you are using an updated version. (1.12.3 is safe)**
+
 ## Overview
 
 The Ruby SAML library is for implementing the client side of a SAML authorization,

lib/ruby_saml/response.rb

@@ -825,7 +825,7 @@ def validate_name_id
         end
 
         if !(settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?) && (name_id_spnamequalifier != settings.sp_entity_id)
-            return append_error('SPNameQualifier value does not match the SP entityID value.')
+          return append_error('SPNameQualifier value does not match the SP entityID value.')
         end
       end
 

test/response_test.rb

@@ -1356,25 +1356,16 @@ def generate_audience_error(expected, actual)
       end
     end
 
-    # Gets the AuthnInstant from the AuthnStatement.
-    # Could be used to require re-authentication if a long time has passed
-    # since the last user authentication.
-    # @return [String] AuthnInstant value
-    #
-    def authn_instant
-      @authn_instant ||= begin
-        node = xpath_first_from_signed_assertion('/a:AuthnStatement')
-        node.nil? ? nil : node.attributes['AuthnInstant']
+    describe "#authn_instant" do
+      it "extract the value of the AuthnInstant attribute" do
+        assert_equal "2010-11-18T21:57:37Z", response.authn_instant
       end
     end
 
-    # Gets the AuthnContextClassRef from the AuthnStatement
-    # Could be used to require re-authentication if the assertion
-    # did not met the requested authentication context class.
-    # @return [String] AuthnContextClassRef value
-    #
-    def authn_context_class_ref
-      @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+    describe "#authn_context_class_ref" do
+      it "extract the value of the AuthnContextClassRef attribute" do
+        assert_equal "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", response.authn_context_class_ref
+      end
     end
 
     describe "#success" do