This attack does not appear to apply to the Java DOM implementation, as the entire node value is parsed - and not just the bit up to the comment. I added a sanity test to WSS4J (which depends on Santuario) here to check that it works OK:

https://svn.apache.org/viewvc?view=revision&revision=1825555

However, I definitely encourage downstream projects to incorporate these types of tests into their builds - other Java based XML parsing libraries might be vulnerable.

Colm.

On Thu, Mar 8, 2018 at 12:06 PM, Tom Chiverton <[email protected]> wrote:

> I was reading [1] and wondered if there are either specific protections
> already in place in Apache Santuario's XML security implementation, or if
> it's up to callers of the API to make sure they use it in just the right
> way?
>
> As a concrete example, implementations may be doing something like calling
> o.a.x.security.signature.XMLSignature's checkSignatureValue() with a
> reference to either the SAML's X509 certificate and/or the Signature node.
> If the latter is being extracted with
> doc.getElementsByTagNameNS(SignatureSpecNS, "Signature")
> is this sufficient protection against the new attack?
>
> [1] https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
>
> --
> *Tom Chiverton*
> Lead Developer
> e: [email protected]
> p: 0161 817 2922
> t: @extravision <http://www.twitter.com/extravision>
> w: www.extravision.com <http://www.extravision.com/>
> Registered in the UK at: First floor, Tomorrow, MediaCityUK, Manchester,
> M50 2AB.
> Company Reg No: 05017214 VAT: GB 824 5386 19
>
> This e-mail is intended solely for the person to whom it is addressed and
> may contain confidential or privileged information.
> Any views or opinions presented in this e-mail are solely of the author
> and do not necessarily represent those of Extravision Ltd.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
