REXML

REXML is a pure-Ruby XML parser, part of the Ruby standard library. It provides DOM-style parsing, XPath queries, and serialisation. It is slower than native-library-backed parsers like Nokogiri but requires no C dependencies, which made it the default choice for many Ruby libraries needing XML support.

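require 'rexml/document'
DSIG = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace URI
doc = REXML::Document.new(xml)               # xml: the document as a String
# First <ds:Signature> element anywhere in the document
sig_element = REXML::XPath.first(doc, "//ds:Signature", {"ds" => DSIG})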

Method calls are prefixed with REXML::, distinguishing them visually from Nokogiri's document.at_xpath(...) idiom.

Limitations relevant to security

  • No XML canonicalisation support. Libraries needing C14N for XML-DSig verification have to import a second parser (typically Nokogiri) — establishing the two-parser seam that enables parser-differential attacks in XML signature wrapping.
  • Different handling of malformed / edge-case XML than Nokogiri's libxml2 / libgumbo / Xerces back-ends. Historic XML-roundtrip research (Juho Forsén, Mattermost 2021) and 2024-25 coverage-guided fuzzing (Trail of Bits ruzzy) both found REXML ↔ Nokogiri disagreements exploitable for authentication bypass in ruby-saml.

Role in the ruby-saml parser differential

In ruby-saml's xml_security.rb, REXML is responsible for locating the <ds:Signature> element, extracting <ds:SignatureValue>, locating <ds:SignedInfo>, extracting <ds:Reference>, and extracting <ds:DigestValue>. Nokogiri is responsible for canonicalising <ds:SignedInfo> and looking up the referenced <Assertion> by ID for digest hashing. When REXML and Nokogiri disagree about which <ds:Signature> a given XPath returns, the verification chain breaks — see sources/2025-03-15-github-sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials.
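The REXML-side lookups listed above can be written so that each one must match exactly once, which rejects a document before a second parser is ever asked to pick among several candidates. This is an added example, not ruby-saml's code: `only`, `signature_parts`, `AmbiguousSignature` and the `SAMPLE` document are hypothetical names and constructed data.

```ruby
require 'rexml/document'

DSIG = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace URI
NS   = { "ds" => DSIG }

# Constructed sample input: placeholder values, not a real SAML response.
SAMPLE = <<~XML
  <Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <Assertion ID="_a1">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_a1">
            <ds:DigestValue>ZGlnZXN0</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>c2ln</ds:SignatureValue>
      </ds:Signature>
    </Assertion>
  </Response>
XML

class AmbiguousSignature < StandardError; end  # hypothetical error class

# Returns the single node matching +path+, or raises if there are 0 or 2+.
def only(node, path, vars = {})
  hits = REXML::XPath.match(node, path, NS, vars)
  raise AmbiguousSignature, "#{path}: expected 1 match, got #{hits.size}" unless hits.size == 1
  hits.first
end

# Hypothetical helper: the REXML-side extraction steps, each required to be unique.
def signature_parts(xml)
  doc         = REXML::Document.new(xml)
  sig         = only(doc, "//ds:Signature")
  signed_info = only(sig, "./ds:SignedInfo")
  reference   = only(signed_info, "./ds:Reference")
  ref_id      = reference.attributes["URI"].to_s.delete_prefix("#")
  target      = only(doc, "//*[@ID=$id]", { "id" => ref_id })  # ID passed as an XPath variable
  {
    signature_value: only(sig, "./ds:SignatureValue").text,
    digest_value:    only(reference, "./ds:DigestValue").text,
    reference_id:    ref_id,
    signed_element:  target.name,
    enveloped:       sig.parent.equal?(target)  # signature sits inside the element it references
  }
end

p signature_parts(SAMPLE) if $PROGRAM_NAME == __FILE__
```

The uniqueness check covers only what REXML sees; the canonicalisation and digest steps that the page assigns to Nokogiri are outside this sketch.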

Seen in
