Summary
The SAML Assertion Consumer Service (ACS) uses fragile regular expressions to parse XML responses. Values extracted via regex are vulnerable to namespace changes, encoding variations, and crafted XML attacks.
Affected File
services/auth-service/index.js:1388-1434
Root Cause
const nameID = body.match(/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/)?.[1];
This regex approach has multiple issues:
- XML namespace changes (the saml2: prefix could be different)
- XML encoding variations (CDATA sections, entity encoding)
- Whitespace differences (newlines between elements)
- Crafted XML can bypass the regex (nested elements, attribute-based values)
- No XML signature verification or schema validation
Impact
- SAML SSO can be bypassed with crafted XML responses
- Attacker can inject arbitrary NameID values
- IDP metadata validation is not properly enforced
- Fragile parsing may break with different IDP configurations
Fix Required
Replace regex-based XML parsing with a proper XML parser:
const xml2js = require('xml2js');
const parser = new xml2js.Parser({ explicitArray: false });
const result = await parser.parseStringPromise(body); // inside an async function
// Extract values by structured access. With explicitArray: false the text of an
// element that carries attributes (NameID normally has Format) is under its '_' key.
// Note: keys are still the prefixed tag names as written by the IdP, so this access
// path assumes the saml2: prefix; pass tagNameProcessors: [xml2js.processors.stripPrefix]
// to key by local name instead.
const nameID = result['saml2:Response']['saml2:Assertion']['saml2:Subject']['saml2:NameID']['_'];
// Verify XML signature (already partially implemented but needs proper validation)
Consider using a mature SAML library like @boxyhq/saml20 or passport-saml.
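As an added illustration (not code from this report or from the service), the following Python script ports the regex from the Root Cause above and runs it beside a namespace-aware lookup anchored at Response/Assertion/Subject/NameID, over constructed response variants covering the prefix, whitespace, CDATA and entity cases listed in the report. It uses the standard library's xml.etree rather than xml2js so it runs with no dependencies; all sample values and the response skeleton are made up, and signature verification is deliberately out of scope.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 fixes these namespace URIs; the prefixes ("saml2", "saml", ...) are the IdP's choice.
ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Python port of the regex from the report: it keys on the literal prefix "saml2:"
# and on text sitting directly between the tags.
NAMEID_RE = re.compile(r"<saml2:NameID[^>]*>([^<]+)</saml2:NameID>")

def nameid_by_regex(body: str):
    m = NAMEID_RE.search(body)
    return m.group(1) if m else None

def nameid_by_parser(body: str):
    """Namespace-aware lookup; parsing only, signature verification stays a separate step."""
    root = ET.fromstring(body)
    if root.tag != f"{{{PROTOCOL_NS}}}Response":
        return None
    el = root.find(f"{{{ASSERTION_NS}}}Assertion/{{{ASSERTION_NS}}}Subject/{{{ASSERTION_NS}}}NameID")
    return el.text.strip() if el is not None and el.text else None

def response(subject_markup: str, prefix: str = "saml2") -> str:
    # Constructed, unsigned response skeleton holding only the elements the ACS reads.
    return (f'<samlp:Response xmlns:samlp="{PROTOCOL_NS}" xmlns:{prefix}="{ASSERTION_NS}">'
            f'<{prefix}:Assertion><{prefix}:Subject>{subject_markup}</{prefix}:Subject>'
            f'</{prefix}:Assertion></samlp:Response>')

SAMPLES = {
    "plain": response("<saml2:NameID>alice@example.com</saml2:NameID>"),
    # IdP declares the same namespace under the prefix "saml": the regex finds nothing.
    "other_prefix": response("<saml:NameID>alice@example.com</saml:NameID>", prefix="saml"),
    # Newlines around the value: the regex returns them as part of the NameID.
    "whitespace": response("<saml2:NameID>\n  alice@example.com\n</saml2:NameID>"),
    # CDATA wrapper: [^<]+ stops at the '<' of the CDATA marker, the regex finds nothing.
    "cdata": response("<saml2:NameID><![CDATA[alice@example.com]]></saml2:NameID>"),
    # Entity-encoded '@': the regex returns the undecoded entity text.
    "entity": response("<saml2:NameID>alice&#64;example.com</saml2:NameID>"),
    # NameID outside Assertion/Subject: the regex takes any occurrence, the anchored lookup rejects it.
    "misplaced": (f'<samlp:Response xmlns:samlp="{PROTOCOL_NS}" xmlns:saml2="{ASSERTION_NS}">'
                  '<saml2:NameID>alice@example.com</saml2:NameID>'
                  '<saml2:Assertion><saml2:Subject/></saml2:Assertion></samlp:Response>'),
}

def compare(samples=SAMPLES):
    # Map each sample name to (regex result, parser result).
    return {name: (nameid_by_regex(xml), nameid_by_parser(xml)) for name, xml in samples.items()}

if __name__ == "__main__":
    for name, (by_regex, by_parser) in compare().items(): print(f"{name:13} regex={by_regex!r:28} parser={by_parser!r}")
```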