passport-saml: [BUG] Regression between 1.2.0 and 1.3.5 for undefined values

When the IdP sends the following attribute description:

            <saml2:Attribute Name="attributeName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      />
            </saml2:Attribute>

With passport-saml 1.2.0 I get the value: undefined for profile.attributeName, as I expect. But with passport-saml 1.3.5, I get this object instead:

    {
      '$': {
        'xmlns:xs': 'http://www.w3.org/2001/XMLSchema',
        'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance',
        'xsi:type': 'xs:string'
      }
    }

Was that change intended, or is it a bug? It sure broke my application when I updated passport-saml to avoid a security issue, as I did not expect to get something like that…

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

The low impact option would be to change attrValueMapper to something like this:

This seems like the correct solution to resolve the regression, however, I am interested in hearing comments from others about the bigger change for the next semver major release.

Started working on this here: https://github.com/node-saml/passport-saml/tree/csh-issue-459-attr-value-regression - will try to pick it up again tomorrow if I can. My next step is to understand xml2js a bit better to see if there’s a reliable way to distinguish between the three cases @cjbarth mentions.
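An application-side guard for the value shapes reported in this issue, as an added example that is not passport-saml's code or the maintainers' fix. It assumes xml2js's default keys (`$` for attributes, `_` for text content); the function names and the sample profile are hypothetical and constructed for illustration.

```javascript
// Added example: normalize SAML attribute values before the application uses them.
// Shapes handled (xml2js defaults: attributes under '$', text under '_'):
//   undefined / null            -> undefined
//   'text'                      -> 'text'
//   { _: 'text', $: {...} }     -> 'text'
//   { $: {...} } (empty value)  -> undefined  (the shape reported in this issue)
//   [v1, v2, ...]               -> array of normalized values, empty ones dropped
function normalizeSamlAttribute(value) {
  if (value === undefined || value === null) return undefined;
  if (typeof value === 'string') return value;
  if (Array.isArray(value)) {
    const items = value
      .map((v) => normalizeSamlAttribute(v))
      .filter((v) => v !== undefined);
    return items.length > 0 ? items : undefined;
  }
  if (typeof value === 'object') {
    const keys = Object.keys(value);
    // Accept only objects built from the xml2js attribute/text keys.
    if (keys.every((k) => k === '$' || k === '_')) {
      return typeof value._ === 'string' ? value._ : undefined;
    }
  }
  // Nested elements, numbers, etc. are not expected here: fail closed
  // instead of letting an object reach code that assumes a string.
  throw new TypeError('Unexpected SAML attribute value shape');
}

// Normalize only the attributes the application actually reads.
function normalizeProfile(profile, names) {
  const out = {};
  for (const name of names) out[name] = normalizeSamlAttribute(profile[name]);
  return out;
}

// Constructed sample profile; 'mail' and 'groups' are hypothetical attributes.
const XSI_STRING = { 'xsi:type': 'xs:string' };
const sampleProfile = {
  attributeName: { $: XSI_STRING },            // empty AttributeValue, as in the issue
  mail: 'user@example.test',
  groups: ['staff', { _: 'admins', $: XSI_STRING }, { $: XSI_STRING }],
};

console.log(normalizeProfile(sampleProfile, ['attributeName', 'mail', 'groups']));
```

With this guard, authorization checks that compare attribute values only ever see strings, arrays of strings, or `undefined`, whichever library version produced the profile.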