Replace remaining XML::XPath with XML::libXML

Author: timlegge

lib/Net/SAML2/Binding/POST.pm

@@ -4,7 +4,6 @@ use strict;
 use warnings;
 
 use Moose;
-use Net::SAML2::XML::Util qw/ no_comments /;
 
 =head1 NAME
 
@@ -57,7 +56,7 @@ sub handle_response {
     my ($self, $response) = @_;
 
     # unpack and check the signature
-    my $xml = no_comments(decode_base64($response));
+    my $xml = decode_base64($response);
     my $xml_opts = { x509 => 1 };
     $xml_opts->{ cert_text } = $self->cert_text if ($self->cert_text);
     $xml_opts->{ exclusive } = 1;

lib/Net/SAML2/Binding/SOAP.pm

@@ -135,11 +135,7 @@ sub handle_response {
     my $subject = sprintf("%s (verified)", $cert->subject);
 
     # parse the SOAP response and return the payload
-    my $dom = XML::LibXML->load_xml(
-                    string => no_comments($response),
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+    my $dom = no_comments($response);
 
     my $parser = XML::LibXML::XPathContext->new($dom);
     $parser->registerNs('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
@@ -160,11 +156,14 @@ Accepts a string containing the complete SOAP request.
 sub handle_request {
     my ($self, $request) = @_;
 
-    my $parser = XML::XPath->new( xml => no_comments($request) );
-    $parser->set_namespace('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
-    $parser->set_namespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
+    my $dom = no_comments($request);
 
-    my $saml = $parser->findnodes_as_string('/soap-env:Envelope/soap-env:Body/*');
+    my $parser = XML::LibXML::XPathContext->new($dom);
+    $parser->registerNs('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
+    $parser->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
+
+    my ($nodes) = $parser->findnodes('/soap-env:Envelope/soap-env:Body/*');
+    my $saml = $nodes->toString;
 
     if (defined $saml) {
         my $x = Net::SAML2::XML::Sig->new({ x509 => 1, cert_text => $self->idp_cert, exclusive => 1, });

lib/Net/SAML2/IdP.pm

@@ -20,6 +20,7 @@ use Crypt::OpenSSL::X509;
 use HTTP::Request::Common;
 use LWP::UserAgent;
 use XML::LibXML;
+use Net::SAML2::XML::Util qw/ no_comments /;
 
 =head2 new( )
 
@@ -73,11 +74,7 @@ document.
 sub new_from_xml {
     my($class, %args) = @_;
 
-    my $dom = XML::LibXML->load_xml(
-                    string => $args{xml},
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+    my $dom = no_comments($args{xml});
 
     my $xpath = XML::LibXML::XPathContext->new($dom);
     $xpath->registerNs('md', 'urn:oasis:names:tc:SAML:2.0:metadata');

lib/Net/SAML2/Protocol/Assertion.pm

@@ -55,11 +55,7 @@ XML data
 sub new_from_xml {
     my($class, %args) = @_;
 
-    my $dom = XML::LibXML->load_xml(
-                    string => no_comments($args{xml}),
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+    my $dom = no_comments($args{xml});
 
     my $xpath = XML::LibXML::XPathContext->new($dom);
     $xpath->registerNs('saml',  'urn:oasis:names:tc:SAML:2.0:assertion');

lib/Net/SAML2/Protocol/LogoutRequest.pm

@@ -76,11 +76,7 @@ XML data
 sub new_from_xml {
     my ($class, %args) = @_;
 
-    my $dom = XML::LibXML->load_xml(
-                    string => no_comments($args{xml}),
-                    no_network => 1,
-                    load_ext_dtd => 0,
-                    expand_entities => 0 );
+    my $dom = no_comments($args{xml});
 
     my $xpath = XML::LibXML::XPathContext->new($dom);
     $xpath->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');

lib/Net/SAML2/Protocol/LogoutResponse.pm

@@ -71,18 +71,20 @@ XML data
 sub new_from_xml {
     my ($class, %args) = @_;
 
-    my $xpath = XML::XPath->new( xml => no_comments($args{xml}) );
-    $xpath->set_namespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
-    $xpath->set_namespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
+    my $dom = no_comments($args{xml});
+
+    my $xpath = XML::LibXML::XPathContext->new($dom);
+    $xpath->registerNs('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
+    $xpath->registerNs('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
 
     my $self = $class->new(
-        id          => $xpath->findvalue('/samlp:LogoutResponse/@ID')->value,
-        response_to => $xpath->findvalue('/samlp:LogoutResponse/@InResponseTo')->value,
-        destination => $xpath->findvalue('/samlp:LogoutResponse/@Destination')->value,
-        session     => $xpath->findvalue('/samlp:LogoutResponse/samlp:SessionIndex')->value,
-        issuer      => $xpath->findvalue('/samlp:LogoutResponse/saml:Issuer')->value,
-        status      => $xpath->findvalue('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode/@Value')->value,
-        substatus   => $xpath->findvalue('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode/samlp:StatusCode/@Value')->value,
+        id          => $xpath->findvalue('/samlp:LogoutResponse/@ID'),
+        response_to => $xpath->findvalue('/samlp:LogoutResponse/@InResponseTo'),
+        destination => $xpath->findvalue('/samlp:LogoutResponse/@Destination'),
+        session     => $xpath->findvalue('/samlp:LogoutResponse/samlp:SessionIndex'),
+        issuer      => $xpath->findvalue('/samlp:LogoutResponse/saml:Issuer'),
+        status      => $xpath->findvalue('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode/@Value'),
+        substatus   => $xpath->findvalue('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode/samlp:StatusCode/@Value'),
     );
 
     return $self;

lib/Net/SAML2/XML/Sig.pm

@@ -73,6 +73,7 @@ use base qw/Exporter/;
 
 use Digest::SHA qw(sha1 sha224 sha256 sha384 sha512);
 use XML::LibXML;
+use Net::SAML2::XML::Util qw/ no_comments /;
 use MIME::Base64;
 use Carp;
 
@@ -288,7 +289,12 @@ sub sign {
 
     local $XML::LibXML::skipXMLDeclaration = $self->{ no_xml_declaration };
 
-    my $dom = XML::LibXML->load_xml( string => $xml );
+    my $dom = no_comments($xml);
+    #my $dom = XML::LibXML->load_xml(
+    #                string => $xml,
+    #                no_network => 1,
+    #                load_ext_dtd => 0,
+    #                expand_entities => 0 );
 
     $self->{ parser } = XML::LibXML::XPathContext->new($dom);
     $self->{ parser }->registerNs('dsig', 'http://www.w3.org/2000/09/xmldsig#');
@@ -451,7 +457,12 @@ sub verify {
     delete $self->{signer_cert};
     my ($xml) = @_;
 
-    my $dom = XML::LibXML->load_xml( string => $xml );
+    my $dom = no_comments($xml);
+    #my $dom = XML::LibXML->load_xml(
+    #                string => $xml,
+    #                no_network => 1,
+    #                load_ext_dtd => 0,
+    #                expand_entities => 0 );
 
     $self->{ parser } = XML::LibXML::XPathContext->new($dom);
     $self->{ parser }->registerNs('dsig', 'http://www.w3.org/2000/09/xmldsig#');

lib/Net/SAML2/XML/Util.pm

@@ -3,7 +3,7 @@ package Net::SAML2::XML::Util;
 use strict;
 use warnings;
 
-use XML::Tidy;
+use XML::LibXML;
 
 # use 'our' on v5.6.0
 use vars qw($VERSION @EXPORT_OK %EXPORT_TAGS $DEBUG);
@@ -42,9 +42,17 @@ sub no_comments {
     my $xml = shift;
 
     # Remove comments from XML to mitigate XML comment auth bypass
-    my $tidy_obj = XML::Tidy->new(xml => $xml);
-    $tidy_obj->prune('//comment()');
-    return $tidy_obj->toString();
+    my $dom = XML::LibXML->load_xml(
+                    string => $xml,
+                    no_network => 1,
+                    load_ext_dtd => 0,
+                    expand_entities => 0 );
+
+    for my $comment_node ($dom->findnodes('//comment()')) {
+        $comment_node->parentNode->removeChild($comment_node);
+    }
+
+    return $dom;
 }
 
 1;