Fix xss

Fix xss

Author: damikael

spid-validator/server/app/idp_demo.js

@@ -649,6 +649,12 @@ module.exports = function(app, checkAuthorisation, getEntityDir, sendLogoutRespo
             assertionConsumerURL = metadataParser.getAssertionConsumerServiceURL(assertionConsumerIndex);
         }
 
+        // if no valid AssertionConsumerURL return error
+        let existsAssertionConsumerServiceURL = metadataParser.existsAssertionConsumerServiceURL(assertionConsumerURL); 
+        if(!existsAssertionConsumerServiceURL) {
+            return res.status(400).send("AssertionConsumerServiceURL not valid");
+        }
+
         // defaults 
         let defaults = [];
         defaults = Utility.defaultParam(defaults, "Issuer", config_demo.entityID);

spid-validator/server/lib/saml-utils.js

@@ -169,6 +169,20 @@ class MetadataParser {
         return serviceProviderEntityId;
     }
 
+    existsAssertionConsumerServiceURL(url) {
+        let exists = false;
+        let doc = new DOMParser().parseFromString(this.metadata.xml);
+        let acs = select("//md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService", doc);
+        for(let i in acs) {
+            let acsLocation = acs[i].getAttribute("Location");
+            if(acsLocation==url) {
+                exists = true;
+                break;
+            }
+        }
+        return exists;
+    }
+
     getAssertionConsumerServiceURL(index) {
         let assertionConsumerServiceURL = null;
         let doc = new DOMParser().parseFromString(this.metadata.xml);

spid-validator/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "spid-validator",
-  "version": "1.10.3",
+  "version": "1.10.4",
   "description": "Tool for validating Service Provider compliance to SPID response from Identity Provider",
   "main": "spid-validator",
   "author": "Michele D'Amico (damikael) - AgID",