Merge pull request #754 from johnnyshields/v2.x-master-merge-20250313

[READY] V2.x - Merge in latest master branch

Author: pitbulk

CHANGELOG.md

@@ -21,8 +21,9 @@
 * [#731](https://github.com/SAML-Toolkits/ruby-saml/pull/731) Add CI coverage for Ruby 3.4. Remove CI coverage for Ruby 1.x and 2.x.
 * [#735](https://github.com/SAML-Toolkits/ruby-saml/pull/735) Add `Settings#sp_uuid_prefix` and deprecate `Utils#set_prefix`.
 
-### 1.18.0  (???)
-* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+### 1.18.0  (Mar 12, 2025)
+* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
 * [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
 * [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
 
@@ -67,6 +68,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.4  (Mar 12, 2025)
+* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
+
 ### 1.12.3  (Sep 10, 2024)
 * Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 
@@ -299,7 +303,7 @@
 * [#138](https://github.com/SAML-Toolkits/ruby-saml/pull/138) Change logoutrequest.rb to UTC time
 * [#136](https://github.com/SAML-Toolkits/ruby-saml/pull/136) Remote idp metadata
 * [#135](https://github.com/SAML-Toolkits/ruby-saml/pull/135) Restored support for NIL as well as empty AttributeValues
-* [#134](https://github.com/SAML-Toolkits/ruby-saml/pull/134) explicitly require "ruby_saml/logging"
+* [#134](https://github.com/SAML-Toolkits/ruby-saml/pull/134) explicitly require "onelogin/ruby-saml/logging"
 * [#133](https://github.com/SAML-Toolkits/ruby-saml/pull/133) Added license to gemspec
 * [#132](https://github.com/SAML-Toolkits/ruby-saml/pull/132) Support AttributeConsumingServiceIndex in AuthnRequest
 * [#131](https://github.com/SAML-Toolkits/ruby-saml/pull/131) Add ruby 2.1.1 to .travis.yml

lib/ruby_saml/saml_message.rb

@@ -20,15 +20,13 @@ class SamlMessage
     PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
 
     BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z}
-    @@mutex = Mutex.new
 
     # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
     #
     def self.schema
-      @@mutex.synchronize do
-        Dir.chdir(File.expand_path('../../lib/ruby_saml/schemas', __dir__)) do
-          ::Nokogiri::XML::Schema(File.read("saml-schema-protocol-2.0.xsd"))
-        end
+      path = File.expand_path('schemas/saml-schema-protocol-2.0.xsd', __dir__)
+      File.open(path) do |file|
+        ::Nokogiri::XML::Schema(file)
       end
     end