Conversation

@ewilloughby ewilloughby (Contributor) commented Mar 24, 2025

This PR upgrades ruby-saml to 1.18 to address vulnerabilities in the dependency. It also contains some minor changes so that CI testing passes on Rails > 7.1. Additional CI config changes are discussed below. I should note that ruby-saml 1.12.4 also addresses the vulnerability, but only ~1.12.4 and >=1.18 or above are patched.

  • GHSA-4vc4-m8qh-g8jm : Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
  • GHSA-754f-8gm6-c4r2: SAML authentication bypass via Signature Wrapping attack allowed due to parser differential.
  • GHSA-92rq-c8cf-prrq: Potential DoS abusing of compressed messages.

I made some choices in regard to CI testing in this PR that should be noted, and I'll provide my reasoning; however, these should probably be discussed.

  • I removed Rails 6.1 and 7.0 from the github CI gemfile matrix. Both these versions of Rails have a bug where ActiveSupport references logger but does not require it (activesupport/lib/active_support/logger_thread_safe_level.rb). This became an issue when concurrent-ruby 1.3.5 stopped including logger. The issue causes failing tests all over the place and requires a bit more of a look. Also, both are end-of-life. Rails 6.1 security support ended on October 1st of 2024, and Rails 7.0's security support ends in one week, on April 1st, 2025. My thought process here is that, as an authentication gem, an upcoming devise-saml-authenticatable 2.x gem should move forward with versions of Rails still receiving security updates. I did, however, pin concurrent-ruby in both the 6.1 and 7.0 spec support gemfiles in case these configurations are needed, and I can work on getting passing tests for 6.1/7.0 again in this or another PR if needed.
  • I removed Ruby 3.0 and 3.1 from the github CI ruby matrix. Ruby 3.0 is end of life - security support ended on April 23, 2024. It also does not work with the selenium-webdriver gem > 4.26, which had to be pinned to 4.26 for tests to pass. Ruby 3.1 is end-of-life in 1 week, on March 31, 2025. Tests pass for Ruby 3.1 with Rails 7.0-7.2, however Rails 8 requires >= Ruby 3.2.
  • I added Rails 7.1, 7.2, and 8 to the CI gemfile matrix as these are the 3 currently supported versions of Rails.
  • I added Ruby 3.4 to the CI ruby matrix, joining 3.2 and 3.3. These are the 3 currently supported versions of Ruby.
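
As an added example (not code from this PR or the project), the following Ruby script checks whether the ruby-saml version locked in a Gemfile.lock falls inside the patched ranges the description above gives (the ~> 1.12.4 backport line or >= 1.18). The lockfile excerpt is constructed for the example; the helper names are assumptions.

```ruby
require "rubygems"

# Patched ranges as stated in the PR description: the 1.12.x backport line
# from 1.12.4 onward, or 1.18 and above. Anything else is treated as exposed
# to the three advisories listed above.
PATCHED_RUBY_SAML = [
  Gem::Requirement.new("~> 1.12.4"),
  Gem::Requirement.new(">= 1.18"),
].freeze

# Extract the locked version of a gem from Gemfile.lock text. In the specs
# section a locked gem line looks like "    ruby-saml (1.17.0)" (4 spaces),
# while dependency lines are indented deeper and carry constraints instead of
# a single version, so they do not match. Returns nil if the gem is absent.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
  m && Gem::Version.new(m[1])
end

def ruby_saml_patched?(version)
  PATCHED_RUBY_SAML.any? { |req| req.satisfied_by?(version) }
end

# Returns :missing, :vulnerable or :patched for the given lockfile text.
def audit_ruby_saml(lockfile_text)
  version = locked_version(lockfile_text, "ruby-saml")
  return :missing unless version

  ruby_saml_patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile excerpt (not taken from the project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise-saml-authenticatable (2.0.0)
        devise (> 2.0.0)
        ruby-saml (~> 1.7)
      ruby-saml (1.17.0)
        nokogiri (>= 1.13.10)
        rexml
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "ruby-saml in sample lockfile: #{audit_ruby_saml(SAMPLE_LOCK)}"
end
```

Run it against a real lockfile with `audit_ruby_saml(File.read("Gemfile.lock"))`; a 1.13.x through 1.17.x result is reported as vulnerable because only the two ranges above carry the fixes.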

@ewilloughby ewilloughby changed the title Vulnerability Fixes: ruby-saml to 1.18, updates for tests to pass Vulnerability Fix: ruby-saml to 1.18, updates for tests to pass Mar 25, 2025
@ewilloughby ewilloughby changed the title Vulnerability Fix: ruby-saml to 1.18, updates for tests to pass Dependency-vulnerability: ruby-saml to 1.18, updates for tests to pass Mar 25, 2025
- spec/support/Gemfile.rails7
- spec/support/Gemfile.rails7.1
- spec/support/Gemfile.rails7.2
- spec/support/Gemfile.rails8.0
Collaborator:

We probably don't need this one yet, since the latest release is still 8.0.x. We should keep the default Gemfile up to date with the latest Rails version. I'd be open to it being a symlink to this file, but either way only one should be present in the test matrix.

@ewilloughby ewilloughby (Contributor Author) Mar 26, 2025


Ok - the version in master currently tests multiple Rails versions: 6.1, 7, and Gemfile. Any preference on which version? 7.1 is the lowest actively supported Rails as of today; should we test that, or should base still be 6.1? I bumped the Gemfile version to Rails 8.0 as you suggested. I'll merge that and the CI change in here when I hear back. Also - there are still odd failures with a test here or there related to Capybara/Selenium/Headless Chrome (a random 1/136 Selenium::WebDriver::Error::UnknownError test failure on a different test each time, despite the test passing when individually run). I am seeing this being reported elsewhere as well, so I'm going to try adding some additional Chrome options to the config that are working for others. Sorry about that, everything passed in my fork branch before I created this PR.

Collaborator:


Sorry I wasn't clear! We should test all supported versions of Rails:

  • Gemfile should have the latest version of Rails, in this case 8.0.x
  • Gemfile.rails7.2 should have Rails 7.2.x
  • Gemfile.rails7.1 should have Rails 7.1.x

And we can delete all the other Gemfiles (6.x, 8.0).

@ewilloughby ewilloughby (Contributor Author)

@adamstegman I changed CI tests to run only against one Rails (7.1) in the test matrix and updated the Gemfile to use Rails 8 as you suggested. All tests pass locally and against a PR in my fork's master branch as well. If any individual job fails, please re-run the failure manually. There is currently an issue with the Chromium webdriver where occasionally Chrome does not wait for the browser to load before checking the URL, causing otherwise passing tests to fail.

@adamstegman adamstegman (Collaborator) left a comment


Thanks for taking the time to fix these tests! I'm not too worried about occasional flakes in this project, because it doesn't get frequent updates, so even if we have to re-run a few we can still merge.


# Rails 6.1 and 7.0 bug where ActiveSupport uses logger but does not require it. Concurrent ruby used to include
# logger which masked the bug but stopped including it in 1.3.5. Fixed in rails >=7.1.
# Compare as versions rather than strings, so a future "10.x" is not ordered before "7.1".
if defined?(Rails) && Gem::Version.new(Rails.version) < Gem::Version.new('7.1')
Collaborator:


If we're not testing < 7.1, we can remove this and related branches. Happy to do this cleanup later though!

@camol camol commented Apr 8, 2025

Hi, when can we expect a release of the gem with this update, @adamstegman?

@ewilloughby ewilloughby (Contributor Author) commented Apr 10, 2025

@adamstegman All of these tests pass in my fork PR and hopefully will pass on a re-run - it looks to still be the intermittent Chromium issue. I had accidentally left an unneeded Rails 8 issue workaround in the sp_template due to not saving; removed that. Added back in Rails 7.2 tests and cleaned up various workarounds for older Ruby and Rails versions in the test configuration that are no longer needed.

@camol camol commented Apr 22, 2025

Hi,

When can we expect a release with this update?

@adamstegman adamstegman merged commit 9d2ad5e into apokalipto:master Apr 22, 2025
9 checks passed
@adamstegman adamstegman (Collaborator)

@camol You shouldn’t be blocked on this change! There’s nothing in this PR blocking you from upgrading your own dependency.
