test/response_test.rb in ruby-saml-0.9.2 vs test/response_test.rb in ruby-saml-0.9.3
- old
+ new
@@ -122,10 +122,18 @@
response.settings = settings
assert response.is_valid?
assert_equal response.name_id, "test@onelogin.com"
end
+ it "Prevent node text with comment (VU#475445) attack" do
+ response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
+ response = OneLogin::RubySaml::Response.new(response_doc)
+
+ assert_equal "support@onelogin.com", response.name_id
+ assert_equal "smith", response.attributes["surname"]
+ end
+
it "support dynamic namespace resolution on signature elements" do
response = OneLogin::RubySaml::Response.new(fixture("no_signature_ns.xml"))
response.stubs(:conditions).returns(nil)
settings = OneLogin::RubySaml::Settings.new
response.settings = settings
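Review bot: The new "Prevent node text with comment" test at L9-L15 asserts only the final strings, and nothing says what the fixture does to provoke the bug, so a reader cannot tell whether `response_node_text_attack.xml.base64` splits the NameID and the surname AttributeValue with an XML comment or does something else; a one-line comment above the `File.read`, e.g. `# fixture breaks the NameID and surname text with an XML comment: the full text must be returned, not just the first text node`, would make the regression intent checkable against the fixture. The test also never assigns `response.settings` or calls `is_valid?`, so it exercises text extraction only — reasonable for this bug, but worth stating in the same comment so nobody later assumes it covers signature validation of the commented node. The surrounding tests load their documents through the `fixture(...)` helper; if that helper can resolve the `.xml.base64` name, `response_doc = fixture('response_node_text_attack.xml.base64')` would keep the file consistent, otherwise the explicit `File.read` is fine.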
@@ -333,18 +341,18 @@
OneLogin::RubySaml::Attributes.single_value_compatibility = true
end
it "check what happens when trying retrieve attribute that does not exists" do
response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
- assert_equal nil, response.attributes[:attribute_not_exists]
- assert_equal nil, response.attributes.single(:attribute_not_exists)
- assert_equal nil, response.attributes.multi(:attribute_not_exists)
+ assert_nil response.attributes[:attribute_not_exists]
+ assert_nil response.attributes.single(:attribute_not_exists)
+ assert_nil response.attributes.multi(:attribute_not_exists)
OneLogin::RubySaml::Attributes.single_value_compatibility = false
- assert_equal nil, response.attributes[:attribute_not_exists]
- assert_equal nil, response.attributes.single(:attribute_not_exists)
- assert_equal nil, response.attributes.multi(:attribute_not_exists)
+ assert_nil response.attributes[:attribute_not_exists]
+ assert_nil response.attributes.single(:attribute_not_exists)
+ assert_nil response.attributes.multi(:attribute_not_exists)
OneLogin::RubySaml::Attributes.single_value_compatibility = true
end
end
end
@@ -381,10 +389,10 @@
describe '#xpath_first_from_signed_assertion' do
it 'not allow arbitrary code execution' do
malicious_response_document = fixture('response_eval', false)
response = OneLogin::RubySaml::Response.new(malicious_response_document)
response.send(:xpath_first_from_signed_assertion)
- assert_equal($evalled, nil)
+ assert_nil $evalled
end
end
describe '#sign_document' do
it 'Sign an unsigned SAML Response XML and initiate the SAML object with it' do