This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
yarn build- Compile TypeScript to dist/yarn test- Run all tests (unit and contract tests)yarn lint- ESLint TypeScript files in src/yarn format- Format code with Prettier
When adding tests, use the contract testing pattern:
- Add XML test data to
test/contract/data/subdirectories - Create
.test.jsonfiles with test metadata - Use embed directives like
!embed:base64:file://filename.xmlfor test data
src/validate.ts- Main SAML validation logic withvalidateSAMLResponse()andsafeValidateSAMLResponse()src/xml.ts- XML parsing utilities with XPath selectors and SAML namespace supportsrc/errors.ts- Comprehensive error class hierarchy for different validation failuressrc/index.ts- Public API exports
This library validates SAML responses against multiple attack vectors:
- XXE (XML External Entity) attacks
- XML comment injection (CVE-2017-11428 family)
- Multiple SignedInfo element attacks
- Processing instruction injection (always blocked)
- Missing signature validation
The codebase uses data-driven contract tests in test/contract/:
data/valid/- Tests that should passdata/error_cases/- Structural validation failuresdata/vulnerabilities/- Security vulnerability detection testsloader.ts- Test case loading with embed directive processingrunner.test.ts- Test execution engine
- Main config:
tsconfig.json(excludes test files) - Output: CommonJS modules to
dist/with declarations
When making changes, always run the full test suite (yarn test) to ensure security validations remain intact.