Context

The SAML/XML parsing and signature surface is the most security-sensitive part of ex_saml. The hardening initiative in #32 centralises parsing behind `SafeXml` and adds a CI audit gate, but a gate only proves that new call sites cannot bypass the wrapper; it does not prove that the wrapper itself withstands hostile input. Today the test suite is small (~11 test files) and has no dedicated adversarial-input corpus.

We should add a versioned corpus of malicious and edge-case XML documents, executed in CI, so that every release demonstrably resists known attack classes and so that a regression cannot be merged silently.

Goal

A `test/fixtures/security/xml/` corpus plus a corpus-driven test that feeds each fixture through the real parsing/validation path and asserts the expected outcome: a fail-closed rejection for hostile input, or a byte-exact canonical form for documents that must be accepted.

Proposed scope

- A manifest (`manifest.json`) listing each fixture with its input file, attack class, and expected result (`:invalid_xml`, `:bad_signature`, a specific violation atom, or a golden canonical output).
- `.c14n` golden outputs compared byte-for-byte against the output of `Core.Xml.C14n`.

Why

Out of scope

- Replacing `xmerl` with a different parser: this issue hardens the current path, it does not change the parser.

Relates to #32.
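A sketch of what the corpus-driven test could look like, written here as an added example rather than taken from ex_saml. It assumes a `SafeXml.parse/1` that returns `{:ok, doc}` or `{:error, reason_atom}`, a `Core.Xml.C14n.canonicalize/1` that returns iodata, the Jason library for JSON decoding, and the manifest layout shown in the leading comment; none of those names or shapes are confirmed by this issue. It generates one ExUnit test per manifest entry at compile time, treats any `{:ok, _}` for a hostile fixture as a fail-closed violation, compares golden `.c14n` files byte-for-byte, and fails the suite if a fixture file exists on disk that the manifest does not list.

```elixir
# test/security_xml_corpus_test.exs
#
# Added example for the corpus described in this issue, not ex_saml code.
# Assumptions (not confirmed by the issue):
#   - SafeXml.parse/1            -> {:ok, doc} | {:error, reason_atom}
#   - Core.Xml.C14n.canonicalize/1 -> iodata of the canonical form
#   - Jason is available for decoding manifest.json
#   - manifest.json is a list of entries shaped like (constructed sample):
#       [
#         {"file": "billion_laughs.xml",     "class": "entity_expansion",
#          "expect": {"error": "invalid_xml"}},
#         {"file": "wrapped_assertion.xml",  "class": "signature_wrapping",
#          "expect": {"error": "bad_signature"}},
#         {"file": "whitespace_variant.xml", "class": "c14n",
#          "expect": {"c14n": "whitespace_variant.c14n"}}
#       ]
defmodule ExSaml.SecurityXmlCorpusTest do
  use ExUnit.Case, async: true

  @corpus_dir Path.join([__DIR__, "fixtures", "security", "xml"])
  @manifest_path Path.join(@corpus_dir, "manifest.json")
  # Recompile this module whenever the manifest changes.
  @external_resource @manifest_path
  @manifest @manifest_path |> File.read!() |> Jason.decode!()

  # One test per manifest entry, generated at compile time so a failing
  # fixture is reported by name and attack class.
  for %{"file" => file, "class" => class, "expect" => expect} <- @manifest do
    @fixture file
    @expect expect
    test "#{class}: #{file} -> #{inspect(expect)}" do
      input = File.read!(Path.join(@corpus_dir, @fixture))
      check(@fixture, input, @expect)
    end
  end

  # Every file in the corpus directory must be referenced by the manifest,
  # otherwise a fixture can sit on disk without ever being exercised.
  test "every fixture in #{@corpus_dir} is listed in manifest.json" do
    goldens = for %{"expect" => %{"c14n" => golden}} <- @manifest, do: golden
    listed = MapSet.union(MapSet.new(@manifest, & &1["file"]), MapSet.new(goldens))

    on_disk =
      @corpus_dir
      |> File.ls!()
      |> MapSet.new()
      |> MapSet.delete("manifest.json")

    unlisted = MapSet.difference(on_disk, listed) |> MapSet.to_list()
    assert unlisted == [], "fixtures not listed in manifest.json: #{inspect(unlisted)}"
  end

  # Hostile fixture: the parser must reject it with exactly the named reason.
  # The reason is compared as a string rather than converted with
  # String.to_atom/1, so the test never mints atoms from manifest content and
  # a typo in the manifest surfaces as a plain mismatch.
  defp check(file, input, %{"error" => reason}) do
    case SafeXml.parse(input) do
      {:ok, _doc} ->
        flunk("#{file}: fail-closed violated, hostile input was accepted")

      {:error, got} when is_atom(got) ->
        assert Atom.to_string(got) == reason,
               "#{file}: expected {:error, :#{reason}}, got {:error, #{inspect(got)}}"

      other ->
        flunk("#{file}: unexpected parser result #{inspect(other)}")
    end
  end

  # Canonicalisation fixture: the document must parse and its canonical form
  # must match the golden file byte-for-byte.
  defp check(file, input, %{"c14n" => golden}) do
    expected = File.read!(Path.join(@corpus_dir, golden))
    assert {:ok, doc} = SafeXml.parse(input), "#{file}: expected the document to parse"
    actual = doc |> Core.Xml.C14n.canonicalize() |> IO.iodata_to_binary()
    assert actual == expected, "#{file}: canonical form differs from #{golden}"
  end

  # Any other expectation shape is a manifest error, not a pass.
  defp check(file, _input, expect) do
    flunk("#{file}: unrecognised expectation #{inspect(expect)} in manifest.json")
  end
end
```

Two design points worth keeping whatever the final shape is: the expectation handling has no default-pass branch, so an unrecognised manifest entry fails the run instead of being skipped, and the orphan-fixture test makes it impossible to add a malicious document to the directory without also declaring what the parser must do with it.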