Merge commit 'da829fc0216ed961ea7cb8a6234df65a60f51114' into multiple-authn-context

* commit 'da829fc0216ed961ea7cb8a6234df65a60f51114':
  Use crypto.randomBytes for ID generation (node-saml#235)
  BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238
  docs: Improve docs for privateKey format. Ref node-saml#230
  Drop support for Node versions < 4.
  v0.20.2

Author: cjbarth

.travis.yml

@@ -1,8 +1,5 @@
 language: node_js
 node_js:
-  - "0.10"
-  - "0.12"
-  - "iojs"
   - "4.0"
   - "stable"
 

README.md

@@ -117,7 +117,10 @@ The `decryptionCert` argument should be a public certificate matching the `decry
 
 Passport-SAML uses the HTTP Redirect Binding for its `AuthnRequest`s (unless overridden with the `authnRequestBinding` parameter), and expects to receive the messages back via the HTTP POST binding.
 
-Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the `privateCert` configuration key. For example:
+Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the `privateCert` configuration key. The certificate
+should start with `-----BEGIN PRIVATE KEY-----` on its own line and end with `-----END PRIVATE KEY-----` on its own line.
+
+For example:
 
 ```javascript
     privateCert: fs.readFileSync('./cert.pem', 'utf-8')

lib/passport-saml/saml.js

@@ -94,12 +94,7 @@ SAML.prototype.getCallbackUrl = function (req) {
 };
 
 SAML.prototype.generateUniqueID = function () {
-  var chars = "abcdef0123456789";
-  var uniqueID = "";
-  for (var i = 0; i < 20; i++) {
-    uniqueID += chars.substr(Math.floor((Math.random()*15)), 1);
-  }
-  return uniqueID;
+  return crypto.randomBytes(10).toString('hex');
 };
 
 SAML.prototype.generateInstant = function () {
@@ -517,15 +512,23 @@ SAML.prototype.validateSignature = function (fullXml, currentNode, cert) {
 
 SAML.prototype.validatePostResponse = function (container, callback) {
   var self = this;
-  var xml = new Buffer(container.SAMLResponse, 'base64').toString('utf8');
-  var doc = new xmldom.DOMParser().parseFromString(xml);
 
-  var inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");
-  if(inResponseTo){
-    inResponseTo = inResponseTo.length ? inResponseTo[0].nodeValue : null;
-  }
+  var xml, doc, inResponseTo;
 
   Q.fcall(function(){
+    xml = new Buffer(container.SAMLResponse, 'base64').toString('utf8');
+    doc = new xmldom.DOMParser({
+    }).parseFromString(xml);
+
+    if (!doc.hasOwnProperty('documentElement'))
+      throw new Error('SAMLResponse is not valid base64-encoded XML');
+
+    inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");
+
+    if(inResponseTo){
+      inResponseTo = inResponseTo.length ? inResponseTo[0].nodeValue : null;
+    }
+
     if(self.options.validateInResponseTo){
       if (inResponseTo) {
         return Q.ninvoke(self.cacheProvider, 'get', inResponseTo)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "passport-saml",
-  "version": "0.20.1",
+  "version": "0.20.2",
   "license" : "MIT",
   "keywords": [
     "saml",
@@ -45,7 +45,7 @@
     "sinon": "^2.1.0"
   },
   "engines": {
-    "node": ">= 0.10.0"
+    "node": ">= 4"
   },
   "scripts": {
     "test": "mocha",