ruby-saml, a widely used Ruby library for implementing SAML single sign-on, had vulnerabilities caused by inconsistencies in how it parses XML. An attacker holding one legitimately signed SAML response could use them to log in as other users.
The vulnerabilities were found by GitHub Security Lab. GitHub had used ruby-saml until 2014, then replaced it with its own SAML implementation; when it recently considered switching back to ruby-saml, it set up a test environment and had its security researchers assess the library before adopting it.
ruby-saml relies on two XML parsing libraries, REXML and Nokogiri, and uses both on the same document. The researchers went looking for parser differentials: inputs that the two libraries turn into different document trees. They found real ones, which let an attacker take the XML obtained from a normal login and rewrite it so that the signature still verifies while the identity it asserts belongs to another user of the same system.
One contributing factor is that Nokogiri reports parse errors but ruby-saml never captured them. With its default options Nokogiri recovers from malformed XML: instead of raising an exception it builds a tree anyway and records the problems in the document's errors list, which ruby-saml did not inspect. A document that one parser rejects or reads one way can therefore be quietly "repaired" by the other into something different, and that gap is what the attacker exploits.
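The two defences the paragraphs above imply (reject any document Nokogiri had to recover from, and refuse input on which REXML and Nokogiri disagree) as a worked example. This is added illustration, not ruby-saml's own code or the researchers' exploit: the helper names (`parse_untrusted_xml`, `rexml_fingerprint`, `nokogiri_fingerprint`, `XmlRejected`) are hypothetical, the SAML-shaped inputs are constructed for the example, and Nokogiri is loaded only when installed so the block also runs on a bare Ruby with the bundled REXML. It does not reproduce the specific malformed XML used in the real attack.

```ruby
require 'rexml/document'

# Nokogiri is a native gem; it is loaded when present so the example also runs
# on a bare Ruby install with only the bundled REXML (assumption of this example).
begin
  require 'nokogiri'
  NOKOGIRI_AVAILABLE = true
rescue LoadError
  NOKOGIRI_AVAILABLE = false
end

# Raised for any input the application must not act on.
class XmlRejected < StandardError; end

PARSER_ERRORS = [REXML::ParseException]
PARSER_ERRORS << Nokogiri::XML::SyntaxError if NOKOGIRI_AVAILABLE

# Constructed sample: a minimal SAML-shaped response, not a real IdP message.
GOOD_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed malformed sample: end tags mismatched. A strict parser raises;
# a recovering parser builds *some* tree and merely records the error.
BAD_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">' \
          '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">' \
          '</samlp:Response></saml:Assertion>'

# Structural fingerprint of a REXML element tree: [path, sorted attributes, text].
# Namespace declarations are skipped because Nokogiri does not expose them as attributes.
def rexml_fingerprint(el, path = '', out = [])
  here = "#{path}/#{el.expanded_name}"
  attrs = []
  el.attributes.each_attribute do |a|
    next if a.expanded_name == 'xmlns' || a.expanded_name.start_with?('xmlns:')
    attrs << [a.expanded_name, a.value]
  end
  text = el.texts.map(&:value).join.strip
  out << [here, attrs.sort, text]
  el.elements.each { |child| rexml_fingerprint(child, here, out) }
  out
end

# Same fingerprint computed from a Nokogiri tree, so the two can be compared.
def nokogiri_qname(node)
  prefix = node.namespace && node.namespace.prefix
  prefix ? "#{prefix}:#{node.name}" : node.name
end

def nokogiri_fingerprint(el, path = '', out = [])
  here = "#{path}/#{nokogiri_qname(el)}"
  attrs = el.attribute_nodes.map { |a| [nokogiri_qname(a), a.value] }.sort
  text = el.children.select { |c| c.text? || c.cdata? }.map(&:text).join.strip
  out << [here, attrs, text]
  el.element_children.each { |child| nokogiri_fingerprint(child, here, out) }
  out
end

# Parse untrusted XML once with each library and refuse to proceed unless both
# succeeded without error AND agree on the tree. Returns the REXML document.
def parse_untrusted_xml(xml)
  rex = REXML::Document.new(xml)            # raises REXML::ParseException when malformed
  if NOKOGIRI_AVAILABLE
    # Default options include RECOVER: malformed input does not raise here...
    noko = Nokogiri::XML(xml)
    # ...the errors land in doc.errors instead, the list ruby-saml never checked.
    # Alternative: Nokogiri::XML(xml) { |o| o.strict } raises Nokogiri::XML::SyntaxError.
    unless noko.errors.empty?
      raise XmlRejected, "Nokogiri recovered from: #{noko.errors.map(&:message).join('; ')}"
    end
    unless nokogiri_fingerprint(noko.root) == rexml_fingerprint(rex.root)
      raise XmlRejected, 'REXML and Nokogiri disagree about the document tree'
    end
  end
  rex
rescue *PARSER_ERRORS => e
  raise XmlRejected, "parse error: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts parse_untrusted_xml(GOOD_XML).root.expanded_name   # samlp:Response
  begin
    parse_untrusted_xml(BAD_XML)
  rescue XmlRejected => e
    puts "rejected: #{e.message}"
  end
end
```

The fingerprint comparison is a cheap guard, not a substitute for the maintainers' plan of using one parser: it catches a document the two libraries read differently, but every later step (locating the signed element, canonicalising, extracting the NameID) must still operate on the same tree it was checked against.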
The vulnerabilities have been patched in ruby-saml since March 12, and GitLab, which uses the same library, issued a security warning a month ago. As a longer-term fix, the ruby-saml maintainers plan to consolidate on a single XML parser so that differentials between two libraries cannot arise in the first place.
TLDR: ruby-saml had vulnerabilities caused by parser differentials between its two XML parsers, REXML and Nokogiri, allowing attackers to impersonate other users. A patch is available, GitLab and GitHub have acted on it, and the ruby-saml maintainers plan to move to a single XML parser.