Where to report Security Issues
what is the preferred place to report possible Security Issues in Lasso?
Thank you in advance
Updated by Benjamin Dauvergne 2 days ago
Weakness: XML Node Splitting¶
There is no security problem here, users of the Lasso library are expected to iterate the LassoMiscTextNode from the AttributeValue.any linked list to build the full string value, see for example https://git.entrouvert.org/django-mellon.git/tree/mellon/views.py#n217
Weakness: Processing multiple Assertions¶
It's not possible to add assertions as the Response is always signed also and anyway no IdP ever sent multiple assertions in production and no client I know about expected it, so it's not a real problem either (they would just be ignored). And when using the "Artifact" binding, it's not even possible to intercept AuthnResponse and modify them.
In the grand scheme of thing XMLSEC is an abomination anyway that provide only fake security. See https://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt for a full report on it.
PS: the objection about signature on the AuthnResponse also apply to the first weakness, you will not be able to modify the response.