Add warning about the use of IdPMetadataParser class

pitbulk · pitbulk · commit f96a229d1680 · 2021-05-26T16:39:31.000+02:00
diff --git a/README.md b/README.md
@@ -72,6 +72,13 @@ In production, the **onelogin.saml2.strict** setting parameter MUST be set as **
 
 In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
+The IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed. 
+
+Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
+
+But there are other scenarios, like a SAAS app where the administrator of the app delegates this functionality to other users. In this case, extra precaution should be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
+
 ## Installation
 ### Hosting
 #### Github
diff --git a/core/src/main/java/com/onelogin/saml2/settings/IdPMetadataParser.java b/core/src/main/java/com/onelogin/saml2/settings/IdPMetadataParser.java
@@ -24,6 +24,8 @@
  *
  * A class that implements the settings parser from IdP Metadata
  *
+ * This class does not validate in any way the URL that is introduced,
+ * make sure to validate it properly before use it in a get_metadata method.
  */
 public class IdPMetadataParser {
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@`
`24`	`24`	`*`
`25`	`25`	`* A class that implements the settings parser from IdP Metadata`
`26`	`26`	`*`
	`27`	`+ * This class does not validate in any way the URL that is introduced,`
	`28`	`+ * make sure to validate it properly before use it in a get_metadata method.`
`27`	`29`	`*/`
`28`	`30`	`public class IdPMetadataParser {`
`29`	`31`