bozzltron / express-saml Goto Github PK

Note the "+2": date.getUTCHours()+2

This means your timestamps are out of whack and invalid for two hour each day.

Just in case someone is using or considers using this library (or to copy paste code from this library)...

This library has every possible SAML related vulnerability that one could list starting from the fact that it does not validate authentication response signature which means that SW that uses this library / copy paste from this library is open for everyone in the internet. Everyone can scratch authentication response with any NameID and post it to SW that uses this library in order to have authenticated session (impersonate anyone).

I.e. code linked to the end of this issue does not have any security measurements listed e.g. in these documents:

1. Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
2. https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
3. https://sec.okta.com/articles/2020/05/common-pitfalls-custom-saml-implementations

And that code does not follow any processing rules (which are related to security) listed in these specifications (SAML core and SAML Web SSO profile related parts):

1. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
2. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0
   OASIS Standard, 15 March 2005
   https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Great work on adding SAML support to Node.js! I'm looking to adapt your approach to make a SAML strategy for the Passport authentication library.

I noticed there is no license information in your repository. Is the plan to have this under MIT like most Node.js code, or?