
Revealing too much info about the error using util.inspect #242

Open
@ipetrovic11

Description

Hi

While parsing the auth response from the service provider, "decrypt_assertion" is called. This function uses util.inspect on the errors, revealing quite a lot of information (a stack trace) which can't be handled properly, since it is embedded in the error message.

, -> cb new Error("Failed to decrypt assertion with provided key(s): #{util.inspect errors}")

{ "message": "Failed to decrypt assertion with provided key(s): [\n Error: Decrypt failed: Error: Invalid RSAES-OAEP padding.\n at Object.pkcs1.decode_rsa_oaep (/usr/src/app/packages/services/node_modules/node-forge/lib/pkcs1.js:255:11)\n at Object.decode (/usr/src/app/packages/services/node_modules/node-forge/lib/rsa.js:1190:30)\n at Object.key.decrypt (/usr/src/app/packages/services/node_modules/node-forge/lib/rsa.js:1200:19)\n at decryptKeyInfoWithScheme (/usr/src/app/packages/services/node_modules/xml-encryption/lib/xmlenc.js:253:31)\n at decryptKeyInfo (/usr/src/app/packages/services/node_modules/xml-encryption/lib/xmlenc.js:241:14)\n at Object.decrypt (/usr/src/app/packages/services/node_modules/xml-encryption/lib/xmlenc.js:182:24)\n at err (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:326:21)\n at replenish (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:440:21)\n at /usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:445:13\n at eachOfLimit$1 (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:471:34)\n at awaitable (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at Object.eachOfSeries (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:658:16)\n at Object.awaitable (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at decrypt_assertion (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:325:18)\n at /usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:588:14\n at nextTask (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4576:27)\n at Object.waterfall (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4587:9)\n at Object.awaitable [as waterfall] (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at parse_authn_response (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:586:16)\n at /usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:840:22\n at nextTask (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4576:27)\n at Immediate.next (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4584:13)\n at Immediate._onImmediate (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:321:20)\n at processImmediate (internal/timers.js:463:21)\n at /usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:331:25\n at Object.decrypt (/usr/src/app/packages/services/node_modules/xml-encryption/lib/xmlenc.js:209:12)\n at err (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:326:21)\n at replenish (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:440:21)\n at /usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:445:13\n at eachOfLimit$1 (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:471:34)\n at awaitable (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at Object.eachOfSeries (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:658:16)\n at Object.awaitable (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at decrypt_assertion (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:325:18)\n at /usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:588:14\n at nextTask (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4576:27)\n at Object.waterfall (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4587:9)\n at Object.awaitable [as waterfall] (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:208:32)\n at parse_authn_response (/usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:586:16)\n at /usr/src/app/packages/services/node_modules/saml2-js/lib-js/saml2.js:840:22\n at nextTask (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4576:27)\n at Immediate.next (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:4584:13)\n at Immediate._onImmediate (/usr/src/app/packages/services/node_modules/saml2-js/node_modules/async/dist/async.js:321:20)\n at processImmediate (internal/timers.js:463:21)\n]" }

Would it be possible to remove util.inspect?
