Commit 8d057cf

mo <mo@mokhan.ca>
2018-02-28 02:34:35
try to reproduce CVE-2017-11428
1 parent fea703f
Changed files (2)
spec/saml/kit/response_spec.rb
@@ -530,6 +530,13 @@ XML
       expect(subject.name_id).to eql(user.name_id)
     end
 
+    it 'excludes comments from the name id' do
+      user.name_id = "shiro@voltron.com<!-- CVE-2017-11428 -->.evil.com"
+      subject = described_class.build(user, request)
+      expect(subject.name_id).to eql("shiro@voltron.com<!-- CVE-2017-11428 -->.evil.com")
+      expect(subject.name_id).not_to eql("shiro@voltron.com")
+    end
+
     it 'returns the single attributes' do
       subject = described_class.build(user, request)
       expect(subject.attributes).to eql('name' => 'mo')
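Review bot: The new example only checks that the value assigned on line 15 comes back unchanged from `described_class.build(user, request)`, so it does not exercise the path CVE-2017-11428 is about: parsing a NameID element whose text is split by an XML comment node and taking only the first text fragment. As written, the comment is part of a Ruby string and, if the builder escapes text nodes, it presumably serializes as `&lt;!-- ... --&gt;` rather than as a comment node, so the vulnerable structure is never produced; I cannot confirm the serializer's escaping from this hunk. A reproduction would have to serialize the built response to XML, inject or preserve a real comment node inside the `NameID` element, parse that document back with the library's response parser, and assert that the parsed `name_id` equals the full `shiro@voltron.com.evil.com` text rather than the truncated `shiro@voltron.com`. The first expectation on line 17 is also redundant with line 18 given the setter added in `spec/support/user.rb`; a comment such as `# NOTE: asserts on the in-memory attribute, not on the parsed XML — does not reproduce the CVE yet` would keep the intent clear until the round-trip is added.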
spec/support/user.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class User
-  attr_reader :name_id, :attributes
+  attr_accessor :name_id, :attributes
 
   def initialize(name_id: SecureRandom.uuid, attributes: {})
     @name_id = name_id
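Review bot: The spec only needs a writer for `name_id`, but line 30 also opens `attributes` for writing; since `attributes` is still initialized with a mutable `{}` default in the constructor, exposing a setter on the shared support class makes it easier for one example to leak state into another. Keeping the change minimal, `attr_reader :attributes` plus `attr_accessor :name_id`, limits the support class to what the new example uses. The rest of `User#initialize` continues outside the hunk.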