Merge pull request #77 from auth0/update-xmldom

fix: update xmldom and xml-crypto to fix security issues

lib/saml11.js

@@ -1,6 +1,6 @@
 var path = require('path');
 var utils = require('./utils');
-var Parser = require('xmldom').DOMParser;
+var Parser = require('@xmldom/xmldom').DOMParser;
 var xmlenc = require('xml-encryption');
 var moment = require('moment');
 var async = require('async');
@@ -120,7 +120,7 @@ function createAssertion(options, strategies, callback) {
     conditions[0].setAttribute('NotBefore', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
     conditions[0].setAttribute('NotOnOrAfter', now.add(options.lifetimeInSeconds, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
   }
-  
+
   if (options.audiences) {
     var audiences = options.audiences instanceof Array ? options.audiences : [options.audiences];
     audiences.forEach(function (audience) {
@@ -135,7 +135,7 @@ function createAssertion(options, strategies, callback) {
     var statement = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'AttributeStatement')[0];
     Object.keys(options.attributes).forEach(function(prop) {
       if(typeof options.attributes[prop] === 'undefined') return;
-      
+
       // <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/claims/identity">
       //    <saml:AttributeValue>Foo Bar</saml:AttributeValue>
       // </saml:Attribute>
@@ -162,15 +162,15 @@ function createAssertion(options, strategies, callback) {
     .setAttribute('AuthenticationInstant', now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]'));
 
   var nameID = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'NameIdentifier')[0];
-  
+
   if (options.nameIdentifier) {
     nameID.textContent = options.nameIdentifier;
-  
+
     doc.getElementsByTagName('saml:AuthenticationStatement')[0]
       .getElementsByTagName('saml:NameIdentifier')[0]
       .textContent = options.nameIdentifier;
   }
-  
+
   if (options.nameIdentifierFormat) {
     var nameIDs = doc.documentElement.getElementsByTagNameNS(NAMESPACE, 'NameIdentifier');
     nameIDs[0].setAttribute('Format', options.nameIdentifierFormat);

lib/utils.js

@@ -1,5 +1,5 @@
 var fs = require('fs');
-var Parser = require('xmldom').DOMParser;
+var Parser = require('@xmldom/xmldom').DOMParser;
 
 exports.pemToCert = function(pem) {
   var cert = /-----BEGIN CERTIFICATE-----([^-]*)-----END CERTIFICATE-----/g.exec(pem.toString());

package.json

@@ -19,13 +19,13 @@
   "author": "Matias Woloski (Auth0)",
   "license": "MIT",
   "dependencies": {
+    "@xmldom/xmldom": "^0.7.4",
     "async": "~0.2.9",
     "moment": "2.19.3",
     "valid-url": "~1.0.9",
-    "xml-crypto": "2.0.0",
+    "xml-crypto": "^2.1.3",
     "xml-encryption": "^1.2.1",
     "xml-name-validator": "~2.0.1",
-    "xmldom": "0.1.17",
     "xpath": "0.0.5"
   },
   "scripts": {

test/saml11.tests.js

@@ -2,7 +2,7 @@ var assert = require('chai').assert;
 var fs = require('fs');
 var moment = require('moment');
 var should = require('should');
-var xmldom = require('xmldom');
+var xmldom = require('@xmldom/xmldom');
 var xmlenc = require('xml-encryption');
 
 var utils = require('./utils');
@@ -27,7 +27,7 @@ describe('saml 1.1', function () {
       it: it.skip
     })
   });
-  
+
   function saml11TestSuite(options) {
     var createAssertion = options.createAssertion;
     var assertSignature = options.assertSignature;

test/saml20.tests.js

@@ -3,7 +3,7 @@ var fs = require('fs');
 var utils = require('./utils');
 var moment = require('moment');
 var should = require('should');
-var xmldom = require('xmldom');
+var xmldom = require('@xmldom/xmldom');
 var xmlenc = require('xml-encryption');
 
 var saml = require('../lib/saml20');

test/utils.js

@@ -1,5 +1,5 @@
 var xmlCrypto = require('xml-crypto');
-var xmldom = require('xmldom');
+var xmldom = require('@xmldom/xmldom');
 
 /**
  * @param {string} assertion