From 4d5f688a445564641b4287de729d994b54094f3a Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 26 Dec 2018 17:26:17 +0100
Subject: [PATCH] saml_idp: fix bandit issues
---
 passbook/saml_idp/models.py | 1 +
 passbook/saml_idp/urls.py | 10 +++++++---
 passbook/saml_idp/utils.py | 1 +
 passbook/saml_idp/xml_signing.py | 7 ++++---
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/passbook/saml_idp/models.py b/passbook/saml_idp/models.py
index 0988a28f4..318d1fc55 100644
--- a/passbook/saml_idp/models.py
+++ b/passbook/saml_idp/models.py
@@ -30,6 +30,7 @@ class SAMLProvider(Provider):
 @property
 def processor(self):
+ """Return selected processor as instance"""
 if not self._processor:
 self._processor = path_to_class(self.processor_path)(self)
 return self._processor
diff --git a/passbook/saml_idp/urls.py b/passbook/saml_idp/urls.py
index ba8c54d33..7b4a394e1 100644
--- a/passbook/saml_idp/urls.py
+++ b/passbook/saml_idp/urls.py
@@ -4,9 +4,13 @@ from django.urls import path
 from passbook.saml_idp import views
 urlpatterns = [
- path('login/', views.LoginBeginView.as_view(), name="saml_login_begin"),
- path('login/process/', views.LoginProcessView.as_view(), name='saml_login_process'),
+ path('login//',
+ views.LoginBeginView.as_view(), name="saml_login_begin"),
+ path('login//idp_init/',
+ views.LoginInitView.as_view(), name="saml_login_init"),
+ path('login//process/',
+ views.LoginProcessView.as_view(), name='saml_login_process'),
 path('logout/', views.LogoutView.as_view(), name="saml_logout"),
- path('metadata//',
+ path('metadata//',
 views.DescriptorDownloadView.as_view(), name='metadata_xml'),
 ]
diff --git a/passbook/saml_idp/utils.py b/passbook/saml_idp/utils.py
index 74d266edd..a3c8527f7 100644
--- a/passbook/saml_idp/utils.py
+++ b/passbook/saml_idp/utils.py
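Review bot: The docstring added to `processor` names the return value but not the lazy caching that the next three lines implement — the processor is built from `processor_path` on first access and the same object is returned afterwards. Consider `"""Return the selected processor as an instance, created from processor_path on first access and cached in _processor."""`. The enclosing `SAMLProvider` class continues outside the hunk.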
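Review bot: The new `saml_login_init` route references `views.LoginInitView`, but the diffstat lists only models.py, urls.py, utils.py and xml_signing.py, so that view must already exist in `passbook.saml_idp.views` or the URLconf will fail to import; worth confirming before merge. The route strings read `login//` and `metadata//` in this rendering, and the removed and added `metadata` lines are identical here, which suggests the angle-bracket path converters were dropped by the rendering — the actual converter names cannot be reviewed from this view. The `idp_init` segment suggests an IdP-initiated login flow; if so, that view should apply the same authentication and application-access checks as `LoginBeginView`, since it cannot rely on an incoming request from the service provider to scope what is issued.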
@@ -44,6 +44,7 @@ class CertificateBuilder:
 self.__certificate = None
 def build(self):
+ """Build self-signed certificate"""
 one_day = datetime.timedelta(1, 0, 0)
 self.__private_key = rsa.generate_private_key(
 public_exponent=65537,
diff --git a/passbook/saml_idp/xml_signing.py b/passbook/saml_idp/xml_signing.py
index 2c6a4e715..78f2d48ff 100644
--- a/passbook/saml_idp/xml_signing.py
+++ b/passbook/saml_idp/xml_signing.py
@@ -4,7 +4,7 @@ from logging import getLogger
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from defusedxml import ElementTree
-from lxml import etree
+from lxml import etree # nosec
 from signxml import XMLSigner
 from passbook.lib.utils.template import render_to_string
@@ -17,8 +17,9 @@ def sign_with_signxml(private_key, data, cert, reference_uri=None):
 key = serialization.load_pem_private_key(
 str.encode('\n'.join([x.strip() for x in private_key.split('\n')])),
 password=None, backend=default_backend())
- root = etree.fromstring(data)
- # root = ElementTree.fromstring(data, forbid_entities=False)
+ # LXML is used here because defusedxml causes issues with serialization
+ # data is trusted so no issues
+ root = etree.fromstring(data) # nosec
 signer = XMLSigner(c14n_algorithm='http://www.w3.org/2001/10/xml-exc-c14n#')
 signed = signer.sign(root, key=key, cert=cert, reference_uri=reference_uri)
 return ElementTree.tostring(signed)
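Review bot: The docstring on `build` says what the method produces but not where it puts it; the visible lines show it generates an RSA key into `self.__private_key`, and the `self.__certificate = None` initialiser just above suggests the certificate ends up there as well. Consider `"""Generate an RSA private key and a self-signed certificate, storing both on the instance."""`, adjusted if `build` also returns a value, which is not visible here. The body of `build` continues past the end of the hunk.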
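Review bot: The `# nosec` on `root = etree.fromstring(data)` is justified only by the comment `data is trusted so no issues`, yet nothing in `sign_with_signxml` enforces that — `data` is an ordinary parameter, and lxml's default parser substitutes entities, so a caller handing it XML influenced by a request would get entity-expansion and external-entity behaviour that defusedxml was there to prevent. The callers are outside this hunk; the `render_to_string` import hints that `data` is template output, but that is a property of the call sites, not of this function. Rather than rely on the comment, parse with a hardened parser, `parser = etree.XMLParser(resolve_entities=False, no_network=True)` and `root = etree.fromstring(data, parser=parser)`, and record the precondition in the function's docstring (`data` must be XML generated by this application, never request input). The same unexplained `# nosec` sits on `from lxml import etree` in the hunk above; a short reason on that line would keep the suppression auditable.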