TT-1322-Fix SAML vuln and broken tests #147
Conversation
MongoLoader.Flush: simplify type assertion in `switch` statement
TestCreateDataMongoLoader:
- put behind 'test_mongo' tag, as it requires a running MongoDB instance
- simplified type assertion
Updating this dependency should address the following vulnerability: https://www.bleepingcomputer.com/news/security/critical-golang-xml-parser-bugs-can-cause-saml-authentication-bypass/
LGTM!
Just for reference, this issue was fixed by integrating github.com/mattermost/xml-roundtrip-validator into the SAML project. Currently there's no native fix in the go language.
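The comment above refers to round-trip validation: decode the XML into tokens, re-encode them with encoding/xml, decode again, and refuse the document if its meaning changed. The block below is an added example written for this page; it is not the source of github.com/mattermost/xml-roundtrip-validator and not code from this PR. It uses only the Go standard library, and the names ValidateRoundTrip, RoundTripError, tokenize, normalize and isNamespaceDecl, as well as both sample documents, are constructed for the example. The second sample is a constructed instability case (an undeclared prefix inside a default namespace), not one of the published proof-of-concepts.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// RoundTripError reports the first token whose meaning changed after the
// document was decoded, re-encoded by encoding/xml and decoded again.
type RoundTripError struct {
	Index  int
	Before xml.Token
	After  xml.Token
}

func (e *RoundTripError) Error() string {
	return fmt.Sprintf("xml round-trip mismatch at token %d: %#v became %#v", e.Index, e.Before, e.After)
}

// isNamespaceDecl reports whether an attribute is an xmlns / xmlns:prefix declaration.
func isNamespaceDecl(a xml.Attr) bool {
	return a.Name.Space == "xmlns" || (a.Name.Space == "" && a.Name.Local == "xmlns")
}

// normalize copies a token and, for start elements, drops namespace
// declarations so that only the resolved (URI-qualified) names and the
// remaining attributes are compared. Go's encoder emits its own xmlns
// declarations, so comparing the declarations themselves would flag every
// namespaced document as unstable.
func normalize(tok xml.Token) xml.Token {
	tok = xml.CopyToken(tok) // CharData and Comment alias the decoder's buffer
	se, ok := tok.(xml.StartElement)
	if !ok {
		return tok
	}
	attrs := make([]xml.Attr, 0, len(se.Attr)) // non-nil so both passes compare equal
	for _, a := range se.Attr {
		if !isNamespaceDecl(a) {
			attrs = append(attrs, a)
		}
	}
	return xml.StartElement{Name: se.Name, Attr: attrs}
}

// tokenize decodes a document into namespace-resolved, normalized tokens.
func tokenize(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, normalize(tok))
	}
}

// ValidateRoundTrip returns nil only if decode -> encode -> decode yields the
// same token sequence. A mismatch means encoding/xml's view of the document is
// unstable: a consumer that re-serialises signed XML could verify one document
// and then act on another, which is the precondition for the SAML bypass class
// discussed in this PR. Such documents should simply be rejected.
func ValidateRoundTrip(doc []byte) error {
	first, err := tokenize(doc)
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, tok := range first {
		if err := enc.EncodeToken(tok); err != nil {
			return err
		}
	}
	if err := enc.Flush(); err != nil {
		return err
	}
	second, err := tokenize(buf.Bytes())
	if err != nil {
		return err
	}
	if len(first) != len(second) {
		return fmt.Errorf("xml round-trip: %d tokens before, %d after", len(first), len(second))
	}
	for i := range first {
		if !reflect.DeepEqual(first[i], second[i]) {
			return &RoundTripError{Index: i, Before: first[i], After: second[i]}
		}
	}
	return nil
}

// Constructed sample documents (not taken from the PR or from any real IdP).
var (
	goodResponse = []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1">` +
		`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">` +
		`<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>` +
		`</saml:Assertion></samlp:Response>`)

	// xmlns:x="" undeclares the prefix: encoding/xml resolves <x:b> to no
	// namespace, re-encodes it as a bare <b>, and on the second pass <b>
	// inherits the default namespace urn:d. The element's identity changed.
	unstableResponse = []byte(`<r xmlns="urn:d"><x:b xmlns:x=""/></r>`)
)

func main() {
	fmt.Println("good:", ValidateRoundTrip(goodResponse))
	fmt.Println("unstable:", ValidateRoundTrip(unstableResponse))
}
```

The integration point is to run ValidateRoundTrip on the raw response bytes before handing them to the SAML library and to treat any error as a hard reject. Namespace declarations are deliberately excluded from the comparison because the encoder rewrites them; what must stay stable is the resolved element and attribute names, the attribute values and the character data.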
@matiasinsaurralde please review 😬 ...We will need a release of Tib, and then include this release in dashboard (for embedded tib users)
There's a good writeup from Mattermost here, and I think this quote is the most salient:
There was plenty of discussion on this proposal but ultimately it didn't go ahead, and I found another good quote to summarise there:
Description
Dependencies
- configuration package (41633ee): TestOverrideConfigWithEnvVars was looking for a non-existent config file, so added one to its testdata subdirectory
- data_loader package (e1f3016): switch statement; TestCreateDataMongoLoader: test_mongo tag; run this test with something like go test -tags=test_mongo instead of just go test
- providers package (4fd5888): TestProxyProvider_GoodRegex was looking for a string that wasn't there any more

Related Issue
https://www.bleepingcomputer.com/news/security/critical-golang-xml-parser-bugs-can-cause-saml-authentication-bypass/
Motivation and Context
Security vulnerabilities are bad!
How This Has Been Tested
Screenshots (if appropriate)
Types of changes
Checklist
- fork, don't request your master!
- master branch (left side). Also, you should start your branch off our latest master.
- go mod tidy && go mod vendor
- go fmt -s
- 366a9db
- go vet