xml-crypto - npm Package Compare versions

Comparing version 0.9.0 to 0.10.0

lib/signed-xml.js

@@ -317,9 +317,21 @@ var select = require('xpath.js')
     }
+    else if (uri.indexOf("'") != -1) {
+      // xpath injection
+      throw new Error("Cannot validate a uri with quotes inside it");
+    }
     else {
+      var num_elements_for_id = 0;
       for (var index in this.idAttributes) {
         if (!this.idAttributes.hasOwnProperty(index)) continue;
-
-        elem = select(doc, "//*[@*[local-name(.)='" + this.idAttributes[index] + "']='" + uri + "']")
-        if (elem.length > 0) break;
+        tmp_elem = select(doc, "//*[@*[local-name(.)='" + this.idAttributes[index] + "']='" + uri + "']")
+        num_elements_for_id += tmp_elem.length;
+        if (tmp_elem.length > 0) {
+          elem = tmp_elem;
+        };
       }
+      if (num_elements_for_id > 1) {
+          throw new Error('Cannot validate a document which contains multiple elements with the ' +
+          'same value for the ID / Id / Id attributes, in order to prevent ' +
+          'signature wrapping attack.');
+      }
     }
@@ -326,0 +338,0 @@

package.json

 {
   "name": "xml-crypto",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "description": "Xml digital signature and encryption library for Node.js",
@@ -5,0 +5,0 @@ "engines": {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

62047

increased by0.86%

Lines of code

1073

increased by1.23%

No dependency changes