RubyGems - perimeter_x - Versions diffs - 1.0.6.pre.alpha → 1.1.0 - Mend

perimeter_x 1.0.6.pre.alpha → 1.1.0

Files changed (39) hide show

checksums.yaml +4 -4
data/.gitignore +5 -3
data/Dockerfile +5 -3
data/Gemfile +1 -1
data/Gemfile.lock +44 -2
data/LICENSE.txt +9 -12
data/Rakefile +9 -2
data/changelog.md +20 -0
data/examples/app/controllers/home_controller.rb +9 -0
data/examples/app/views/home/index.html.erb.dist +20 -0
data/examples/config/initializers/perimeterx.rb.dist +8 -0
data/examples/{routes.rb → config/routes.rb} +0 -0
data/lib/perimeter_x.rb +109 -33
data/lib/perimeterx/configuration.rb +25 -17
data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb +92 -0
data/lib/perimeterx/internal/clients/perimeter_x_risk_client.rb +28 -0
data/lib/perimeterx/internal/exceptions/px_cookie_decryption_exception.rb +5 -0
data/lib/perimeterx/internal/perimeter_x_context.rb +81 -53
data/lib/perimeterx/internal/perimeter_x_cookie.rb +140 -0
data/lib/perimeterx/internal/perimeter_x_cookie_v1.rb +42 -0
data/lib/perimeterx/internal/perimeter_x_cookie_v3.rb +37 -0
data/lib/perimeterx/internal/validators/perimeter_x_captcha_validator.rb +65 -0
data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb +76 -0
data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb +114 -0
data/lib/perimeterx/utils/px_constants.rb +45 -0
data/lib/perimeterx/utils/px_http_client.rb +47 -26
data/lib/perimeterx/utils/px_logger.rb +12 -6
data/lib/perimeterx/utils/px_template_factory.rb +31 -0
data/lib/perimeterx/utils/templates/block.mustache +146 -0
data/lib/perimeterx/utils/templates/captcha.mustache +185 -0
data/lib/perimeterx/version.rb +2 -2
data/perimeter_x.gemspec +6 -1
data/readme.md +218 -34
metadata +90 -11
data/bin/console +0 -14
data/bin/setup +0 -8
data/examples/home_controller.rb.dist +0 -23
data/lib/perimeterx/internal/perimeter_x_risk_client.rb +0 -29
data/lib/perimeterx/internal/perimeter_x_s2s_validator.rb +0 -67

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb ADDED Viewed

@@ -0,0 +1,92 @@
+require 'perimeterx/internal/clients/perimeter_x_risk_client'
+module PxModule
+  class PerimeterxActivitiesClient < PerimeterxRiskClient
+    attr_accessor :activities
+    def initialize(px_config, http_client)
+      super(px_config, http_client)
+      @logger.debug("PerimeterxActivitiesClients[initialize]")
+      @activities = [];
+    end
+    def send_to_perimeterx(activity_type, px_ctx, details = [])
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]")
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: new activity #{activity_type} logged")
+      if (@px_config.key?(:additional_activity_handler))
+        @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
+      end
+      details[:module_version] = @px_config[:sdk_name]
+      px_data = {
+        :type       => activity_type,
+        :headers    => format_headers(px_ctx),
+        :timestamp  => (Time.now.to_f*1000).floor,
+        :socket_ip  => px_ctx.context[:ip],
+        :px_app_id  => @px_config[:app_id],
+        :url        => px_ctx.context[:full_url],
+        :details    => details,
+      }
+      if (px_ctx.context.key?(:vid))
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: found vid in ctx")
+        px_data[:vid] = px_ctx.context[:vid]
+      end
+      # Prepare request
+      headers = {
+          "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
+          "Content-Type" => "application/json"
+      };
+      @activities.push(px_data)
+      if (@activities.size == @px_config[:max_buffer_len])
+        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: max buffer length reached, sending activities")
+        @http_client.async_post(PxModule::API_V1_S2S, @activities, headers)
+        @activities.clear
+      end
+    end
+    def send_block_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
+      if (!@px_config[:send_page_acitivites])
+        @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
+        return
+      end
+      details = {
+        :block_uuid    => px_ctx.context[:uuid],
+        :block_score   => px_ctx.context[:score],
+        :block_reason  => px_ctx.context[:block_reason]
+      }
+      send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
+    end
+    def send_page_requested_activity(px_ctx)
+      @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
+      if (!@px_config[:send_page_acitivites])
+        return
+      end
+      details = {
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method]
+      }
+      if (px_ctx.context.key?(:decoded_cookie))
+        details[:px_cookie] = px_ctx.context[:decoded_cookie]
+      end
+      if (px_ctx.context.key?(:cookie_hmac))
+        details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
+      end
+      send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
+    end
+  end
+end

data/lib/perimeterx/internal/clients/perimeter_x_risk_client.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require 'perimeterx/utils/px_logger'
+module PxModule
+  class PerimeterxRiskClient
+    attr_accessor :px_config
+    attr_accessor :http_client
+    def initialize(px_config, http_client)
+      @px_config = px_config
+      @http_client = http_client;
+      @logger = px_config[:logger]
+    end
+    def format_headers(px_ctx)
+      @logger.debug("PerimeterxRiskClient[format_headers]")
+      formated_headers = []
+      px_ctx.context[:headers].each do |k,v|
+        if (!@px_config[:sensitive_headers].include? k.to_s)
+          formated_headers.push({
+            :name => k.to_s,
+            :value => v
+            })
+          end #end if
+        end #end forech
+        return formated_headers
+    end #end method
+  end #end class
+end

data/lib/perimeterx/internal/exceptions/px_cookie_decryption_exception.rb ADDED Viewed

@@ -0,0 +1,5 @@
+class PxCookieDecryptionException < StandardError
+  def initialize(msg)
+   super(msg)
+ end
+end

data/lib/perimeterx/internal/perimeter_x_context.rb CHANGED Viewed

@@ -1,62 +1,90 @@
 require 'perimeterx/utils/px_logger'
-class PerimeterXContext
-  L = PxLogger.instance
-  attr_accessor :context
-  attr_accessor :px_config
-  def initialize(px_config, req)
-    L.info("PerimeterXContext: initialize")
-    @context = Hash.new
-    @context[:px_cookies] = Hash.new
-    @context[:headers] = Hash.new
-    cookies = req.cookies
-    if (!cookies.empty?)
-      # Prepare hashed cookies
-      cookies.each do |k, v|
-        case k
-          when "_px3"
-            @context[:px_cookies] = v
-          when "_px"
-            @context[:px_cookies] = v
-          when "_pxCaptcha"
-            @context[:px_captcha] = v
+module PxModule
+  class PerimeterXContext
+    attr_accessor :context
+    attr_accessor :px_config
+    def initialize(px_config, req)
+      @logger = px_config[:logger];
+      @logger.debug("PerimeterXContext[initialize] ")
+      @context = Hash.new
+      @context[:px_cookie] = Hash.new
+      @context[:headers] = Hash.new
+      cookies = req.cookies
+      if (!cookies.empty?)
+        # Prepare hashed cookies
+        cookies.each do |k, v|
+          case k.to_s
+            when "_px3"
+              @context[:px_cookie][:v3] = v
+            when "_px"
+              @context[:px_cookie][:v1] = v
+            when "_pxCaptcha"
+              @context[:px_captcha] = v
+          end
+        end #end case
+      end #end empty cookies
+      req.headers.each do |k, v|
+        if (k.start_with? "HTTP_")
+          header = k.to_s.gsub("HTTP_", "")
+          header = header.gsub("_", "-").downcase
+          @context[:headers][header.to_sym] = v
         end
-      end #end case
-    end #end empty cookies
-    req.headers.each do |k, v|
-      if (k.start_with? "HTTP_")
-        header = k.to_s.gsub("HTTP_", "")
-        header = header.gsub("_", "-").downcase
-        @context[:headers][header.to_sym] = v
+      end #end headers foreach
+      @context[:hostname]= req.server_name
+      @context[:user_agent] = req.user_agent ? req.user_agent : ''
+      @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri].call(req)  : req.fullpath
+      @context[:full_url] = req.original_url
+      @context[:format] = req.format.symbol
+      @context[:score] = 0
+      if px_config.key?(:custom_user_ip)
+        @context[:ip] = req.headers[px_config[:custom_user_ip]]
+      elsif px_config.key?(:px_custom_user_ip_method)
+        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
+      else
+        @context[:ip] = req.ip
       end
-    end #end headers foreach
-    @context[:hostname]= req.headers['HTTP_HOST']
-    @context[:user_agent] = req.headers['HTTP_USER_AGENT'] ? req.headers['HTTP_USER_AGENT'] : ''
-    @context[:full_url] = req.original_url
-    @context[:score] = 0
-    if px_config.key?('custom_user_ip')
-      @context[:ip] = px_config['custom_user_ip']
-    elsif px_config.key?('px_custom_user_ip_method')
-      puts "px_custom_user_ip_method triggered"
-      @context[:ip] = px_config['px_custom_user_ip_method'].call(req)
-    else
-      @context[:ip] = req.headers['REMOTE_ADDR'];
-    end
-    if req.headers['SERVER_PROTOCOL']
-      httpVer = req.headers['SERVER_PROTOCOL'].split("/")
-      if httpVer.size > 0
-        @context[:http_version] = httpVer[1];
+      if req.server_protocol
+          httpVer = req.server_protocol.split("/")
+          if httpVer.size > 0
+              @context[:http_version] = httpVer[1];
+          end
       end
+      @context[:http_method] = req.method
+	  @context[:sensitive_route] = check_sensitive_route(px_config[:sensitive_routes], @context[:uri])
+    end #end init
+	def check_sensitive_route(sensitive_routes, uri)
+		sensitive_routes.each do |sensitive_route|
+			return true if uri.start_with? sensitive_route
+		end
+		return false
+	end
+    def set_block_action_type(action)
+      @context[:block_action] = case action
+        when "c"
+          "captcha"
+        when "b"
+          return "block"
+        when "j"
+          return "challenge"
+        else
+          return "captcha"
+        end
     end
-    @context[:http_method] = req.headers['REQUEST_METHOD'];
-  end #end init
+    def get_px_cookie
+      cookie = @context[:px_cookie].key?(:v3) ? @context[:px_cookie][:v3] : @context[:px_cookie][:v1]
+      return cookie.tr(' ','+') if !cookie.nil?
+    end
-end #end class
+  end
+end

data/lib/perimeterx/internal/perimeter_x_cookie.rb ADDED Viewed

@@ -0,0 +1,140 @@
+require 'active_support/security_utils'
+require 'base64'
+require 'openssl'
+require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
+module PxModule
+  class PerimeterxCookie
+    attr_accessor :px_cookie, :px_config, :px_ctx, :cookie_secret, :decoded_cookie
+    def initialize(px_config)
+      @px_config = px_config
+      @logger = px_config[:logger]
+    end
+    def self.px_cookie_factory(px_ctx, px_config)
+      if (px_ctx.context[:px_cookie].key?(:v3))
+        return PerimeterxCookieV3.new(px_config, px_ctx)
+      end
+      return PerimeterxCookieV1.new(px_config, px_ctx)
+    end
+    def cookie_score
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+    def cookie_hmac
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+    def valid_format?(cookie)
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+    def cookie_block_action
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+    def secured?
+      #abstract, must be implemented
+      raise Exception.new("Unimplemented method")
+    end
+    def is_valid?
+      return deserialize && !expired? && secured?
+    end
+    def cookie_time
+      return @decoded_cookie[:t]
+    end
+    def cookie_uuid
+      return @decoded_cookie[:u]
+    end
+    def cookie_vid
+      return @decoded_cookie[:v]
+    end
+    def high_score?
+      return cookie_score >= @px_config[:blocking_score]
+    end
+    def expired?
+      return cookie_time < (Time.now.to_f*1000).floor
+    end
+    def deserialize
+      if (!@decoded_cookie.nil?)
+        return true
+      end
+      # Decode or decrypt, depends on configuration
+      if (@px_config[:encryption_enabled])
+        cookie = decrypt(@px_cookie)
+      else
+        cookie = decode(@px_cookie)
+      end
+      if (cookie.nil?)
+        return false
+      end
+      if (!valid_format?(cookie))
+        return false
+      end
+      @decoded_cookie = cookie
+      return true
+    end
+    def decrypt(px_cookie)
+      begin
+        if (px_cookie.nil?)
+          return
+        end
+        px_cookie = px_cookie.gsub(' ', '+')
+        salt, iterations, cipher_text = px_cookie.split(':')
+        iterations = iterations.to_i
+        salt = Base64.decode64(salt)
+        cipher_text = Base64.decode64(cipher_text)
+        digest = OpenSSL::Digest::SHA256.new
+        value = OpenSSL::PKCS5.pbkdf2_hmac(@px_config[:cookie_key], salt, iterations, 48, digest)
+        key = value[0..31]
+        iv = value[32..-1]
+        cipher = OpenSSL::Cipher::AES256.new(:CBC)
+        cipher.decrypt
+        cipher.key = key
+        cipher.iv = iv
+        plaintext = cipher.update(cipher_text) + cipher.final
+        return eval(plaintext)
+      rescue Exception => e
+        @logger.debug("PerimeterxCookie[decrypt]: Cookie decrypt fail #{e.message}")
+        raise PxCookieDecryptionException.new("Cookie decrypt fail => #{e.message}");
+      end
+    end
+    def decode(px_cookie)
+      return eval(Base64.decode64(px_cookie))
+    end
+    def hmac_valid?(hmac_str, cookie_hmac)
+      hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
+      # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
+      password_correct = ActiveSupport::SecurityUtils.secure_compare(
+      ::Digest::SHA256.hexdigest(cookie_hmac),
+      ::Digest::SHA256.hexdigest(hmac)
+      )
+    end
+  end
+end

data/lib/perimeterx/internal/perimeter_x_cookie_v1.rb ADDED Viewed

@@ -0,0 +1,42 @@
+module PxModule
+  class PerimeterxCookieV1 < PerimeterxCookie
+    attr_accessor :px_config, :px_ctx
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug("PerimeterxCookieV1[initialize]")
+    end
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+    def cookie_block_action
+      return 'c'
+    end
+    def secured?
+      base_hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+      hmac_str_withip = "#{base_hmac_str}#{@px_ctx.context[:ip]}#{@px_ctx.context[:user_agent]}"
+      hmac_str_withoutip = "#{base_hmac_str}#{@px_ctx.context[:user_agent]}"
+      return (hmac_valid?(hmac_str_withoutip, cookie_hmac) || hmac_valid?(hmac_str_withip, cookie_hmac))
+    end
+  end
+end