
Commit d15ec00

committed
Properly tag IDs to allow for correct validation, Thanks vikrum PR#9
1 parent 4f762d5 commit d15ec00

1 file changed

Lines changed: 19 additions & 4 deletions


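--- a/com/onelogin/saml/Response.java
+++ b/com/onelogin/saml/Response.java
@@ -18,6 +18,12 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
 import org.apache.commons.codec.binary.Base64;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -43,17 +49,26 @@ public Response(AccountSettings accountSettings) throws CertificateException {
 certificate.loadCertificate(this.accountSettings.getCertificate());
 }
 
-public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException {
+public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {
 DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance();
 fty.setNamespaceAware(true);
 // XMLConstants with FEATURE_SECURE_PROCESSING prevents external document access. (XXE/XEE Possible Attacks).
 fty.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 DocumentBuilder builder = fty.newDocumentBuilder();
 ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
-xmlDoc = builder.parse(bais);
+xmlDoc = builder.parse(bais);
+// Loop through the doc and tag every element with an ID attribute as an XML ID node.
+XPath xpath = XPathFactory.newInstance().newXPath();
+XPathExpression expr = xpath.compile("//*[@ID]");
+NodeList nodeList = (NodeList) expr.evaluate(xmlDoc, XPathConstants.NODESET);
+for (int i=0; i<nodeList.getLength() ; i++) {
+Element elem = (Element) nodeList.item(i);
+Attr attr = (Attr) elem.getAttributes().getNamedItem("ID");
+elem.setIdAttributeNode(attr, true);
+}
 }
 
-public void loadXmlFromBase64(String response) throws ParserConfigurationException, SAXException, IOException {
+public void loadXmlFromBase64(String response) throws ParserConfigurationException, SAXException, IOException, XPathExpressionException {
 Base64 base64 = new Base64();
 byte[] decodedB = base64.decode(response);
 String decodedS = new String(decodedB);
@@ -177,7 +192,7 @@ public String getAttribute(String name) {
 }
 
 public HashMap getAttributes() {
-HashMap<String, ArrayList> attributes = new HashMap<>();
+HashMap<String, ArrayList> attributes = new HashMap<String, ArrayList>();
 NodeList nodes = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Attribute");
 
 if (nodes.getLength() != 0) {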
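Review bot: The loop added at new lines 64–68 of `loadXml` registers every element that carries an `ID` attribute as an XML ID but never checks that the values are unique, so a response in which two elements share one ID is accepted and it becomes ambiguous which element a signature reference resolves to (this assumes the validator, which is not shown on this page, dereferences by ID). Rejecting duplicates at load time closes that gap: declare `Set<String> seenIds = new HashSet<String>();` before the loop and add `if (!seenIds.add(attr.getValue())) throw new SAXException("Duplicate ID in SAML response");` ahead of `setIdAttributeNode`. `SAXException` is already in the method's throws clause, so callers are unaffected. The hunk does not show imports for `org.w3c.dom.Attr` or `java.util.HashSet`/`Set`, so confirm they are present. A short comment on the loop saying why IDs are tagged (so signature references can be resolved against them) would also help the next reader.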
