`SamlIdp::Request#valid?` validates the host of the ACS URL but does not check the scheme.
This allows URLs like `javascript://whitelisted-host.com/%0aalert(1)` to pass validation if the host is whitelisted.
When such a URL is used as a form action, it leads to XSS. This is currently reproducible in `spec/rails_app`, where `saml_acs_url` is rendered in the `saml_post.html.erb` template:

```erb
<%= form_tag(saml_acs_url) do %>
```
How about enforcing `http` or `https` schemes by default in the validation logic?
```ruby
def valid?
  # ...
  # Only plain web URLs are acceptable as the response (ACS) URL, so a
  # whitelisted host cannot be reached through javascript:, data: and the like.
  return false unless ['http', 'https'].include?(URI(response_url.to_s).scheme)
  # ...
end
```
Reference: `saml_idp/spec/rails_app/app/views/saml_idp/idp/saml_post.html.erb`, line 8 in 407602d.
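The following is an added example, not code from the saml_idp project or from the issue author. It places a host-only check modelled on the weakness described above next to a hardened check that also requires an `http`/`https` scheme, and shows why the javascript: URL slips through: once a browser strips the scheme and percent-decodes the rest, the "host" part is just a `//` line comment in front of `alert(1)`. The whitelist, the sample URLs and the helper names (`acs_url_host_only_valid?`, `acs_url_valid?`, `javascript_payload_lines`) are constructed for this example and are not the gem's API.

```ruby
require 'uri'

# Constructed whitelist for this example; the real project keeps its own list.
ALLOWED_ACS_HOSTS = ['whitelisted-host.com'].freeze

# Host-only check, modelled on the weakness described in the issue (hypothetical
# helper, not SamlIdp::Request#valid? itself): any scheme is accepted as long as
# the parsed host is whitelisted.
def acs_url_host_only_valid?(url)
  ALLOWED_ACS_HOSTS.include?(URI.parse(url.to_s).host&.downcase)
rescue URI::InvalidURIError
  false
end

# Hardened check: the URL must be absolute, use http or https, and carry a
# whitelisted host. Anything else (javascript:, data:, scheme-relative //host)
# is rejected before it can end up in a form action.
def acs_url_valid?(url)
  uri = URI.parse(url.to_s)
  return false unless %w[http https].include?(uri.scheme&.downcase)
  return false if uri.host.nil? || uri.host.empty?
  ALLOWED_ACS_HOSTS.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

# Shows why the host check alone does not help against a javascript: URL: a
# browser drops the scheme and percent-decodes the remainder before executing it
# as script, so "//whitelisted-host.com/" becomes a line comment and the code
# after the encoded newline (%0a) runs.
def javascript_payload_lines(url)
  s = url.to_s
  return [] unless s.match?(/\Ajavascript:/i)
  URI.decode_www_form_component(s.sub(/\Ajavascript:/i, '')).split("\n")
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs.
  samples = [
    'https://whitelisted-host.com/saml/acs',
    'javascript://whitelisted-host.com/%0aalert(1)',
    'data://whitelisted-host.com/text/html,x',
    '//whitelisted-host.com/saml/acs',
    'https://attacker.example/saml/acs'
  ]
  samples.each do |u|
    puts format('%-48s host-only=%-5s hardened=%-5s', u,
                acs_url_host_only_valid?(u), acs_url_valid?(u))
  end
  p javascript_payload_lines(samples[1])
end
```

Only the hardened check rejects the javascript:, data: and scheme-relative forms while still accepting a genuine `https://whitelisted-host.com/...` ACS URL; note that it also treats an unparsable value as invalid rather than letting `URI.parse` raise out of the validation path.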