Cherry pick branch 'genexuslabs:assertion_manipulation_attack' into beta

sgrampone · Beta Bot · commit 33b92fb09d10 · 2025-08-22T21:03:44.000Z
diff --git a/gamsaml20/src/main/java/com/genexus/saml20/PostBinding.java b/gamsaml20/src/main/java/com/genexus/saml20/PostBinding.java
@@ -47,8 +47,7 @@ public boolean verifySignatures(SamlParms parms) {
 			return false;
 		}else {
 			this.verifiedDoc = SamlAssertionUtils.loadDocument(verified);
-			this.xmlDoc = null;
-			logger.debug(MessageFormat.format("verifySignatures sanitized xmlDoc {0}", Encoding.documentToString(this.xmlDoc)));
+			logger.debug(MessageFormat.format("verifySignatures - sanitized xmlDoc {0}", Encoding.documentToString(this.xmlDoc)));
 			return true;
 		}
 	}
@@ -74,7 +73,7 @@ public String getRoles(String name) {
 	}
 
 	public boolean isLogout(){
-		return SamlAssertionUtils.isLogout(this.verifiedDoc);
+		return SamlAssertionUtils.isLogout(this.xmlDoc);
 	}
 
 	// EXTERNAL OBJECT PUBLIC METHODS  - END
diff --git a/gamsaml20/src/main/java/com/genexus/saml20/utils/SamlAssertionUtils.java b/gamsaml20/src/main/java/com/genexus/saml20/utils/SamlAssertionUtils.java
@@ -51,6 +51,7 @@ public static Document loadDocument(String xml) {
 
 	public static String buildXmlLogin(List<org.w3c.dom.Element> assertions, Document xmlDoc){
 		//security meassure against assertion manipulation, it assures that every assertion to be used on the app has been signed and verified
+		logger.trace("buildXmlLogin");
 		org.w3c.dom.Element element = xmlDoc.getDocumentElement();
 		Node response  = element.cloneNode(false);
 
@@ -67,8 +68,10 @@ public static String buildXmlLogin(List<org.w3c.dom.Element> assertions, Documen
 	}
 
 	public static String buildXmlLogout(List<org.w3c.dom.Element> assertions){
+		logger.trace("buildXmlLogout");
 		if(assertions.isEmpty())
 		{
+			logger.error("buildXmlLogout - There are 0 signed assertions on LogoutResponse");
 			return "";
 		}
 		org.w3c.dom.Element element =  assertions.get(0);

Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,7 @@ public boolean verifySignatures(SamlParms parms) {`
`47`	`47`	`return false;`
`48`	`48`	`}else {`
`49`	`49`	`this.verifiedDoc = SamlAssertionUtils.loadDocument(verified);`
`50`		`- this.xmlDoc = null;`
`51`		`- logger.debug(MessageFormat.format("verifySignatures sanitized xmlDoc {0}", Encoding.documentToString(this.xmlDoc)));`
	`50`	`+ logger.debug(MessageFormat.format("verifySignatures - sanitized xmlDoc {0}", Encoding.documentToString(this.xmlDoc)));`
`52`	`51`	`return true;`
`53`	`52`	`}`
`54`	`53`	`}`
`@@ -74,7 +73,7 @@ public String getRoles(String name) {`
`74`	`73`	`}`
`75`	`74`
`76`	`75`	`public boolean isLogout(){`
`77`		`- return SamlAssertionUtils.isLogout(this.verifiedDoc);`
	`76`	`+ return SamlAssertionUtils.isLogout(this.xmlDoc);`
`78`	`77`	`}`
`79`	`78`
`80`	`79`	`// EXTERNAL OBJECT PUBLIC METHODS - END`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ public static Document loadDocument(String xml) {`
`51`	`51`
`52`	`52`	`public static String buildXmlLogin(List<org.w3c.dom.Element> assertions, Document xmlDoc){`
`53`	`53`	`//security meassure against assertion manipulation, it assures that every assertion to be used on the app has been signed and verified`
	`54`	`+ logger.trace("buildXmlLogin");`
`54`	`55`	`org.w3c.dom.Element element = xmlDoc.getDocumentElement();`
`55`	`56`	`Node response = element.cloneNode(false);`
`56`	`57`
`@@ -67,8 +68,10 @@ public static String buildXmlLogin(List<org.w3c.dom.Element> assertions, Documen`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`public static String buildXmlLogout(List<org.w3c.dom.Element> assertions){`
	`71`	`+ logger.trace("buildXmlLogout");`
`70`	`72`	`if(assertions.isEmpty())`
`71`	`73`	`{`
	`74`	`+ logger.error("buildXmlLogout - There are 0 signed assertions on LogoutResponse");`
`72`	`75`	`return "";`
`73`	`76`	`}`
`74`	`77`	`org.w3c.dom.Element element = assertions.get(0);`