sec: 2026-04 audit — patch vite, fix XXE bypass, reject unknown sig algs #613
Merged
## Spec reference

- saml-sec-consider §6.3.1 — XXE protections required of the parser.
- saml-sec-consider §6.5 — algorithm agility, SHA-1 deprecation.
- xmldsig-core §6.4 — algorithm registry.

Full audit report: `.skills/audits/2026-04-security-audit.md`.

## Fixes

### Dependency patches (yarn audit: 0 vulnerabilities)

`vite` resolved to ^6.4.2 across all transitive paths (vitest, vitepress). Closes the two open dependabot alerts:

- GHSA-p9ff-h696-f583 (HIGH, CVE-2026-39363) — arbitrary file read via Vite dev-server WebSocket.
- GHSA-4w7w-66w2-5vf9 (MODERATE, CVE-2026-39365) — path traversal in optimized-deps `.map` handling.

Both are dev-only and not reachable from the published npm package (`files` allowlist excludes the docs/test toolchain), but they affect maintainers running `yarn docs:dev --host`.

### XXE bypass in `setDOMParserOptions`

`setDOMParserOptions(options = {})` previously instantiated a fresh `DOMParser` from the caller's options alone, dropping the XXE-safe error handlers. A caller passing `{}` or any partial options object silently disabled XXE protection. Fixed by merging `XXE_SAFE_OPTIONS` as a baseline: caller options override unrelated fields, but the safe `errorHandler` is preserved unless the caller explicitly supplies its own.

### SHA-1 algorithm downgrade

`libsaml.getSigningScheme(sigAlg?)` previously fell back to `pkcs1-sha1` for unknown or undefined algorithms. The fallback was reachable from `verifyMessageSignature` via the user-controlled `SigAlg` query parameter — an attacker could downgrade verification to SHA-1 (collision-broken) by sending a malformed alg URI. Fixed by:

- Throwing `ERR_UNSUPPORTED_SIGNATURE_ALGORITHM` for unknown URIs.
- Defaulting to RSA-SHA256 (per xmldsig-core §6.4 recommendation) when no algorithm is supplied at all.

### Tests

- `test/units.ts` — three new regression tests:
  - `setDOMParserOptions({})` does not disable XXE protection.
  - `verifyMessageSignature` rejects unknown sig algs.
  - `constructMessageSignature` rejects unknown sig algs.
- `test/index.ts` — updated the "sign with RSA-SHA1" test to pass `RSA_SHA1` explicitly (was relying on the now-removed default).

## BREAKING CHANGE

`libsaml.constructMessageSignature(...)` no longer defaults to RSA-SHA1 when no algorithm is supplied. Callers omitting the `signingAlgorithm` argument now get RSA-SHA256. Pass `signatureAlgorithms.RSA_SHA1` explicitly if SHA-1 is required for an interop reason. Unknown algorithm URIs now throw `ERR_UNSUPPORTED_SIGNATURE_ALGORITHM` instead of silently downgrading to SHA-1 — this is the security fix.

## Open findings (deferred to follow-up PRs)

- F-4: default `<AudienceRestriction>` enforcement (saml-core §2.5.1.4)
- F-5: `InResponseTo` cache + binding (saml-profiles §4.1.4.5)
- F-6: deprecate `rsa-1_5` key encryption (xmlenc-core §5.2)

## Coverage

97.22% stmts / 90.15% branches / 99.14% funcs / 97.22% lines.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
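The options-merge bug described under "XXE bypass in `setDOMParserOptions`", modelled as an added example that is not samlify's code. `ParserOptions`, `safeErrorHandler`, `failsClosed` and the `parserOptionsBefore`/`parserOptionsAfter` helpers are hypothetical, and the contents given to `XXE_SAFE_OPTIONS` are assumed; the sketch also covers an explicit `errorHandler: undefined`, which a plain spread would let through.

```typescript
// Added illustration, not samlify's code. All names except XXE_SAFE_OPTIONS
// are hypothetical, and the contents of XXE_SAFE_OPTIONS are assumed.
type ErrorHandler = (level: string, msg: string) => void;

interface ParserOptions {
  errorHandler?: ErrorHandler;
  locator?: boolean; // stands in for any unrelated parser option
}

// Assumed safe behaviour: fail closed on anything the parser reports.
const safeErrorHandler: ErrorHandler = (level, msg) => {
  throw new Error(`XML parse ${level}: ${msg}`);
};

const XXE_SAFE_OPTIONS: ParserOptions = { errorHandler: safeErrorHandler };

// Pre-fix shape: the parser is configured from the caller's object alone,
// so `{}` or `{ locator: true }` yields a parser with no safe handler.
function parserOptionsBefore(options: ParserOptions = {}): ParserOptions {
  return { ...options };
}

// Post-fix shape: safe baseline first, caller fields layered on top.
function parserOptionsAfter(options: ParserOptions = {}): ParserOptions {
  const merged: ParserOptions = { ...XXE_SAFE_OPTIONS, ...options };
  // Spread copies an explicit `errorHandler: undefined` over the baseline,
  // so restore the safe handler unless the caller supplied a real function.
  if (typeof merged.errorHandler !== 'function') {
    merged.errorHandler = XXE_SAFE_OPTIONS.errorHandler;
  }
  return merged;
}

// Regression predicate: does this configuration still fail closed?
function failsClosed(options: ParserOptions): boolean {
  if (typeof options.errorHandler !== 'function') return false;
  try {
    options.errorHandler('error', 'constructed: entity declaration');
    return false; // handler swallowed the report
  } catch {
    return true;
  }
}
```

A caller that supplies its own handler keeps it, so `failsClosed` only returns `true` for such a caller if that handler also throws.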
This was referenced May 1, 2026
Summary
In-depth security audit of the repo at HEAD `a3b4530`. Patches all open dependabot alerts and closes two source-side findings; documents three open findings that warrant their own follow-up PRs.
Full report: `.skills/audits/2026-04-security-audit.md`.
Spec reference
Findings — fixed in this PR
Post-patch: `yarn audit` reports 0 vulnerabilities.
Findings — open (separate PRs)
These three need design discussion (cache backend for F-6) or coordinated breaking changes (F-7) — better to land each on its own branch.
Migration (⚠ breaking)
`libsaml.constructMessageSignature` no longer defaults to RSA-SHA1 when the `signingAlgorithm` argument is omitted. The new default is RSA-SHA256.
If you were relying on the implicit SHA-1 default — for example for interop with a legacy IdP — pass it explicitly:
```ts
import { algorithms } from 'samlify/build/src/urn'; // or your preferred re-export

libsaml.constructMessageSignature(
  octetString, key, passphrase, /* isBase64 */ true,
  algorithms.signature.RSA_SHA1,
);
```
Unknown algorithm URIs now throw `ERR_UNSUPPORTED_SIGNATURE_ALGORITHM` instead of silently downgrading. This is the security fix; please don't reverse it.
Test plan
🤖 Generated with Claude Code
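The signature-algorithm resolution change described in this PR, as an added example that is not samlify's code: the fallback-to-SHA-1 behaviour beside the fail-closed one. The function names, the `SCHEMES` table, the `pkcs1-sha256`/`pkcs1-sha512` scheme names and the use of a plain `Error` carrying the code as its message are assumptions; the three URIs are the standard XML Signature identifiers.

```typescript
// Added illustration, not samlify's code. Helper names and the scheme names
// other than pkcs1-sha1 are assumptions made for this sketch.
const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';

const SCHEMES: Record<string, string> = {
  [RSA_SHA1]: 'pkcs1-sha1',
  [RSA_SHA256]: 'pkcs1-sha256',
  [RSA_SHA512]: 'pkcs1-sha512',
};

// Own-property lookup, so inherited keys such as "constructor" never match.
function lookup(sigAlg: string): string | undefined {
  return Object.prototype.hasOwnProperty.call(SCHEMES, sigAlg)
    ? SCHEMES[sigAlg]
    : undefined;
}

// Pre-fix behaviour as described: unknown or undefined resolves to SHA-1,
// so whoever controls SigAlg also controls the digest strength.
function signingSchemeBefore(sigAlg?: string): string {
  return (sigAlg === undefined ? undefined : lookup(sigAlg)) ?? 'pkcs1-sha1';
}

// Post-fix behaviour: absent means RSA-SHA256, unknown is an error, and
// SHA-1 is reachable only by naming its URI explicitly.
function signingSchemeAfter(sigAlg?: string): string {
  if (sigAlg === undefined) return SCHEMES[RSA_SHA256];
  const scheme = lookup(sigAlg);
  if (scheme === undefined) {
    throw new Error('ERR_UNSUPPORTED_SIGNATURE_ALGORITHM');
  }
  return scheme;
}

// Returns the resolved scheme, or the error message if resolution throws.
function outcome(resolve: (alg?: string) => string, alg?: string): string {
  try {
    return resolve(alg);
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}
```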