
Commit 6831389

committed
fix(sso): escape XML special chars in script idpMetadata generation
1 parent 28e5fea commit 6831389


1 file changed

+22
-3
lines changed


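--- a/packages/db/scripts/register-sso-provider.ts
+++ b/packages/db/scripts/register-sso-provider.ts
@@ -254,6 +254,24 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
 </md:EntityDescriptor>`
 }
 
+const escapeXml = (str: string) =>
+str.replace(/[<>&"']/g, (c) => {
+switch (c) {
+case '<':
+return '&lt;'
+case '>':
+return '&gt;'
+case '&':
+return '&amp;'
+case '"':
+return '&quot;'
+case "'":
+return '&apos;'
+default:
+return c
+}
+})
+
 const idpMetadataXml = process.env.SSO_SAML_IDP_METADATA
 let computedIdpMetadata: string
 if (idpMetadataXml) {
@@ -263,8 +281,9 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
 .replace(/-----BEGIN CERTIFICATE-----/g, '')
 .replace(/-----END CERTIFICATE-----/g, '')
 .replace(/\s/g, '')
+const escapedEntryPoint = escapeXml(entryPoint)
 computedIdpMetadata = `<?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${entryPoint}">
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${escapedEntryPoint}">
 <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <KeyDescriptor use="signing">
 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -273,8 +292,8 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
 </ds:X509Data>
 </ds:KeyInfo>
 </KeyDescriptor>
-<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${entryPoint}"/>
-<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${entryPoint}"/>
+<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${escapedEntryPoint}"/>
+<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${escapedEntryPoint}"/>
 </IDPSSODescriptor>
 </EntityDescriptor>`
 }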
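Review bot: Escaping `entryPoint` before interpolating it into `entityID` and the two `Location` attributes keeps the value inside the attribute context, but it still accepts any string as the IdP endpoint; since this value appears to come from the environment (the surrounding code reads `process.env`, the variable's own source is outside the hunk), a misconfigured or non-URL value now produces well-formed metadata that merely points nowhere. A cheap guard before `const escapedEntryPoint = escapeXml(entryPoint)` such as `new URL(entryPoint)` (throwing on failure) would fail the script fast on a bad configuration rather than registering it. The `escapeXml` helper in the first hunk also deserves a one-line comment stating its contract, e.g. `// Escape the five XML special characters so a value can be embedded in element text or a quoted attribute.`, so later readers do not reuse it for HTML where `&apos;` is not portable. The enclosing `buildSSOConfigFromEnv` function starts and ends outside the hunks.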
