Update README.md to reflect getKeyInfoContent changes #470
Conversation
Changes in node-saml#445 was not reflected in the documentation. This PR fixes it.
| - `getKeyInfoContent` - function - default `noop` - a function that returns the content of the KeyInfo node | ||
| - `getCertFromKeyInfo` - function - default `SignedXml.getCertFromKeyInfo` - a function that returns the certificate from the `<KeyInfo />` node | ||
| - `getKeyInfoContent` - function - default `SignedXml.getKeyInfoContent` - a function that returns the content of the KeyInfo node | ||
| - `getCertFromKeyInfo` - function - default `noop` - a function that returns the certificate from the `<KeyInfo />` node |
There was a problem hiding this comment.
It seems that production code still provides possibility to use unsecure implementation (SignedXml.getCertFromKeyInfo):
Quote from version 6.0.0:
Lines 217 to 223 in 0ed7ab2
I.e. aforementioned implementation was not removed from production code meaning that anyone could use it as a value to getCertFromKeyInfo option.
Maybe README.md should state something like
DO NOT at any circumstances configure
SigndXml.getCertFromKeyInfoas a value togetCertFromKeyInfobecause that SHALL trigger this Critical vulnerability: CVE-2024-32962 aka GHSA-2xp3-57p7-qf4v
or same in markdown
DO NOT at any circumstances configure `SigndXml.getCertFromKeyInfo` as a value to `getCertFromKeyInfo` because that SHALL trigger this **Critical** vulnerability: CVE-2024-32962 aka [GHSA-2xp3-57p7-qf4v](https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v)
@cjbarth quick grepping of xml-crypto codebase didn't reveal any usage for SignedXml.getCertFromKeyInfo other than test codes (which could have test code specific implementation of getCertFromKeyInfo) and
Line 57 in 0ed7ab2
which might be possible to be replaced with SignedXml.noop
There was a problem hiding this comment.
If I'm reading this correctly, and my greping is correct, nothing in the entire node-saml project depends on this. If it weren't for the fact that this is part of the spec, we could probably remove it entirely. However, since it is part of the spec, I feel like we have to leave this particular foot-gun in place. I'm open to discussion on this.
There was a problem hiding this comment.
I fail to see any mention at the spec that forces anyone to have dead code in their projects / production codebase.
Anyone is able to implement their own foot gun instead of blindly setting aforementioned static foot gun implementation to configuration option. In that case they have full visibility to (they coded/copy pasted it and reviewed that with peer developers) and responsibility of implications of foot gun implementation.
Alternatively someone could just set from node-saml's / xml-crypto's point of view dead code foot gun implementation for whatever reason to that configuration option and forget it and if not even peer reviewers bother to deep dive to internals of recognized/de-facto nodejs xml-crypto library to see and figure out all implications then that unlucky project might be in a world of trouble.
Changes in #445 was not reflected in the documentation.
This PR attempts to fix it.