Fix transform processing regression #379
Conversation
Codecov Report
@@ Coverage Diff @@
## master #379 +/- ##
==========================================
+ Coverage 72.84% 72.98% +0.14%
==========================================
Files 9 9
Lines 880 881 +1
Branches 234 235 +1
==========================================
+ Hits 641 643 +2
Misses 149 149
+ Partials 90 89 -1
This is not exactly a fix for the regression, but maybe there should be a guard against the situation where a signature does not have any references. I.e. if this code block (Lines 473 to 480 in 2e32d50)
would have had something like this (in pseudo code), it would have prevented this ( #378 ) particular signature bypass situation in published versions [4.0.0, 4.1.0].
validateReferences(doc: Document) {
+   if ( ! Array.isArray(this.references) || this.references.length <= 0) {
+     throw new Error("Missing reference(s)");
+     // or return false ....
+   }
    for (const ref of this.references) {
      if (!this.validateReference(ref, doc)) {
        return false;
      }
    }
    return true;
}
Links to spec: https://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-SignedInfo says:
and https://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/#sec-Reference says:
src/c14n-canonicalization.ts
Outdated
@@ -171,7 +171,7 @@ export class C14nCanonicalization implements CanonicalizationOrTransformationAlg | |||
if (xpath.isComment(node)) { | |||
return this.renderComment(node); | |||
} | |||
if (xpath.isComment(node)) { | |||
if (xpath.isComment(node) || xpath.isTextNode(node)) { |
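Review bot: the `xpath.isComment(node)` disjunct in the new `if` line is unreachable, because the branch three lines earlier already returns `this.renderComment(node)` for comment nodes, so the condition can be reduced to the text-node check. Narrowing it to `xpath.isTextNode(node)` alone also leaves CDATA sections unaccounted for, since their node type differs from a plain text node; consider a predicate that covers any node carrying a `.data` property (CharacterData) so CDATA content still reaches the text-rendering path.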
line 171 already handles xpath.isComment(node)
not related to regression bug: How would this and other C14N implementations handle XML CDATA sections (in which case node type might be CDATA or something like that):
<library>
<book id="bookid">
<name><![CDATA[this & that < foo]]></name>
</book>
</library>
instead of
<library>
<book id="bookid">
<name>this & that < foo</name>
</book>
</library>
Fixed.
Regarding CDATA, MDN clarifies that we should be handling more cases where there is a .data property: https://developer.mozilla.org/en-US/docs/Web/API/CharacterData
I didn't like my original fix. There is no value in complicating the code just for the sake of types. I've used a different method for now and we can revisit types later on.
I like that suggestion. I wonder if @DiegoMajluf could help with a test or two for these cases.
@cjbarth thanks for your work. I will make some tests with my testing documents; I'm still facing some issues with the canonicalization. I will let you know.
@cjbarth @srd90, I have tested PR 379 with some of my production documents, and all of them have passed successfully. Thank you very much once again. However, as I mentioned, I'm still encountering issues related to canonicalization (or the transform algorithm; I'm not very clear on the difference yet). From what I've gathered so far, it seems to be connected to the presence or absence of namespace attributes on the root element. Nevertheless, I believe this might belong to a different issue. I will create a new issue report when I can build a more specific situation.
lgtm, unblocking this for now
There was a bug introduced in the 4.x release of xml-crypto whereby transforms weren't added in all the cases they were supposed to. This includes code from the comment by @srd90.
Closes #378