Strip comments from SAML Response XML during scan

[hodak]

Let's say you get this kind of email claim in SAML Response

<saml:Attribute
  Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">
    jon@snow.com@evil.com
  </saml:AttributeValue>
</saml:Attribute>

using Samly you will get this assertion:

%Samly.Assertion{
  attributes: %{
    "email" => "jon@snow.com@evil.com",
    ...
  },
  ...
}

but with modifying the response and adding an empty comment

<saml:Attribute
  Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">
    jon@snow.com<!---->@evil.com
  </saml:AttributeValue>
</saml:Attribute>

the envelope signature verification will pass, and you will get

%Samly.Assertion{
  attributes: %{
    "email" => ["jon@snow.com", "@evil.com"],
    ...
  },
  ...
}

If your app expects multiple emails and takes the first one, it might assume the identity of a different user within the same organization.

We've been running this kind of fix ourselves for a while now Recruitee/samly@056298d but now thought it might be better to update it in the core if you agree.

[CLAassistant]

All committers have signed the CLA.

[k-cross]

As of this writing, this is the top most PR.

I have not been at dropbox for a while and I was the only one actively maintaining both the samly and esaml projects. I have no controls to make any changes to these repositories anymore and so they should almost certainly be moved to the control of an independent organization.