perimeter_x 1.0.6.pre.alpha → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2d1e967ee5f87625d37e4c7ca523b00ae089f512
-  data.tar.gz: b08932769740ec74416a0072dc0313c12ce4ea78
+SHA256:
+  metadata.gz: a06a83f955ae265238a23df8471c062428cf82ba37612160a439c52af3568e79
+  data.tar.gz: 0eaeb8c8b424a219d155f933494c0baec382b96e707cb7af22e676ea83a1fd4f
 SHA512:
-  metadata.gz: 52a63dd5557e73e43f7db668f804997d57c27dd3a609f252346353e264a85c8649254e5053e3cd3db86b6a531dd45f40a97bf9de3195daee89e4b21cce2dfb6b
-  data.tar.gz: 5d213eb7b31094d369959acbd2ea240d2f747298466a922a760836b1d706017a96a6f4a3b9bac7f6865c268ec70f7f718b53fb5b1bea04de61ec83a62f21b8aa
+  metadata.gz: c615587bc9e1203636e0a74284aa9faadd3027dc50056929b4bb8fc2cdd6a86bdc0df10c94f3e262f0f313e518fc0397ac2b0b76669fe3e1b5afc85ad589567d
+  data.tar.gz: 22faae3132f9fce873829a0feec4b8f9bfcda420960a380d40a5101b4dae793969b8225a5376f2937954519a8c8cb1c20eb252fca096af77bff7980d5c223f71

data/.gitignore

@@ -1,20 +1,23 @@
 *.rbc
+*.iml
 capybara-*.html
 .rspec
 /log
 /tmp
+/bin
 /dev
 /db/*.sqlite3
 /db/*.sqlite3-journal
 /public/system
 /coverage/
 /spec/tmp
-examples/home_controller.rb
+examples/config/initializers/perimeterx.rb
+examples/app/views/home/index.html.erb
 **.orig
 *.gem
 rerun.txt
 pickle-email-*.html
-dev
+
 # TODO Comment out these rules if you are OK with secrets being uploaded to the repo
 config/initializers/secret_token.rb
 config/secrets.yml
@@ -22,7 +25,7 @@ config/secrets.yml
 # dotenv
 # TODO Comment out this rule if environment variables can be committed
 .env
-.idea
+
 ## Environment normalization:
 /.bundle
 /vendor/bundle

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+    - 2.7.1

data/Dockerfile

@@ -1,48 +1,26 @@
 # Based on manual compile instructions at http://wiki.nginx.org/HttpLuaModule#Installation
-FROM ubuntu:14.04
-RUN apt-get update && apt-get --force-yes -qq -y install \
-    build-essential \
-    ca-certificates \
-    curl \
-    git \
-    libpcre3 \
-    libpcre3-dev \
-    libssl-dev \
-    libreadline-dev \
-    libyaml-dev \
-    libgdbm-dev \
-    libtool \
-    automake \
-    bison \
-    lua-cjson \
-    libncurses5-dev \
-    m4 \
-    libsqlite3-dev \
-    rsyslog \
-    sqlite3 \
-    libxml2-dev \
-    libxslt1-dev \
-    libcurl4-openssl-dev \
-    python-software-properties \
-    libffi-dev \
-    nodejs \
-    wget \
-    zlib1g-dev
+FROM ruby:2.7.1
 
-RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
-RUN /bin/bash -l -c "curl -L get.rvm.io | bash -s stable --rails"
-RUN /bin/bash -l -c "rvm install 2.3.0"
-RUN /bin/bash -l -c "rvm use 2.3.0"
-RUN /bin/bash -l -c "gem install bundler"
-RUN /bin/bash -l -c "gem install rails -v 4.2.0"
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /root/yarn-pubkey.gpg && apt-key add /root/yarn-pubkey.gpg
+RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
+RUN apt-get update && apt-get install -y --no-install-recommends nodejs yarn vim
+
+ENV RAILS_VERSION 6.0.3.2
+RUN gem install rails --version "$RAILS_VERSION"
+RUN gem install bundler
 RUN mkdir -p /tmp/ruby_sandbox
 WORKDIR /tmp/ruby_sandbox
-RUN /bin/bash -l -c "rails new webapp"
+COPY lib /tmp/ruby_sandbox/lib
+COPY Gemfile /tmp/ruby_sandbox/
+COPY perimeter_x.gemspec /tmp/ruby_sandbox/
+COPY Rakefile /tmp/ruby_sandbox/
+RUN rails new webapp
 WORKDIR /tmp/ruby_sandbox/webapp
-RUN /bin/bash -l -c "rails generate controller home index"
+
+RUN rails generate controller home index
 WORKDIR /tmp/ruby_sandbox/webapp
 EXPOSE 3000
-RUN sed -i "2i gem 'perimeter_x', '~> 1.0.5.pre.alpha'" /tmp/ruby_sandbox/webapp/Gemfile
-RUN /bin/bash -l -c "bundler update"
-RUN /bin/bash -l -c "gem list|grep peri"
-CMD ["/bin/bash", "-l", "-c", "rails server -b 0.0.0.0;"]
+RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox"' /tmp/ruby_sandbox/webapp/Gemfile
+RUN bundler update
+COPY ./dev/site/ /tmp/ruby_sandbox/webapp
+CMD ["rails","server","-b","0.0.0.0"]

data/Gemfile

@@ -1,3 +1,3 @@
 source "https://rubygems.org"
 
-gem 'httpclient', '2.8.2.4'
+gemspec

data/Gemfile.lock

@@ -1,13 +1,61 @@
+PATH
+  remote: .
+  specs:
+    perimeter_x (2.0.0)
+      activesupport (>= 5.2.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.5)
+      mustache (~> 1.0, >= 1.0.3)
+      typhoeus (~> 1.1, >= 1.1.2)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    httpclient (2.8.3)
+    activesupport (6.0.3.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    concurrent-ruby (1.1.6)
+    diff-lcs (1.4.4)
+    ethon (0.12.0)
+      ffi (>= 1.3.0)
+    ffi (1.13.1)
+    i18n (1.8.3)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.1)
+    mocha (1.11.2)
+    mustache (1.1.1)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    thread_safe (0.3.6)
+    typhoeus (1.4.0)
+      ethon (>= 0.9.0)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  httpclient (= 2.8.3)
+  bundler (>= 2.1)
+  mocha (~> 1.2, >= 1.2.1)
+  perimeter_x!
+  rake (>= 12.3)
+  rspec (~> 3.0)
 
 BUNDLED WITH
-   1.14.6
+   2.1.4

data/LICENSE.txt

@@ -1,6 +1,4 @@
-The MIT License (MIT)
-
-Copyright (c) 2017 nitzanpx
+Copyright © 2016 PerimeterX, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -9,13 +7,12 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -1,2 +1,10 @@
-require "bundler/gem_tasks"
-task :default => :spec
+begin
+  require 'rspec/core/rake_task'
+
+  RSpec::Core::RakeTask.new(:spec)
+
+  task :default => :spec
+  task :test => :spec
+rescue LoadError
+  # no rspec available
+end

data/changelog.md

@@ -0,0 +1,72 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [2.0.0] - 2020-07-24
+### Added
+ - Added fields to Block Activity: simulated_block, http_version, http_method, risk_rtt, px_orig_cookie
+ - Added fields to page_requested activity: pass_reason, risk_rtt, px_orig_cookie
+ - Added px_orig_cookie field to risk_api in case of cookie_decryption_failed
+ - Added support for captcha v2
+ - Added support for Advanced Blocking Response
+ - Added support for whitelise routes
+ - Added support for bypass monitor header
+ - Added support for extracting vid from _pxvid cookie
+ - Added support for rate limit
+ - Added risk_cookie_max_iterations configuration
+
+### Fixed
+ - Updated dependencies
+ - Updated sample site dockerfile
+ - Fixed monitor mode
+ - Fixed send_page_activities and send_block_activities configurations
+ - Updated risk to v3
+ - Refactored ip header extraction
+ - Renamed block_uuid field to client_uuid
+ - Renamed perimeterx_server_host configuration to backend_url
+ - Updated risk_response handling: pass the request if risk_response.status is -1
+ - Forcing http header values to be utf8
+
+## [1.4.0] - 2018-03-18
+### Fixed
+ - Incorrect assigment for s2s_call_reason
+ - Fixed empty token result correct s2s reason
+
+### Added
+ - Added support to captcha api v2
+ - Mobile sdk support for special tokens 1/2/3
+
+
+## [1.3.0] - 2017-07-27
+### Added
+ - Sending client_uuid on page_requested activities
+ - Supporting mobile sdk
+### Fixed
+ - Using `request.env` instead of `env`
+
+## [1.2.0] - 2017-06-04
+### Fixed 
+    - Default timeouts for post api requests
+    - Fixed Dockerfile
+### Changed
+    - Removed httpclient and instead using typheous
+### Added
+    - Using concurrent-ruby for async post requests
+    
+## [1.1.0] - 2017-06-04
+### Added 
+    - Added support for sensitive routes
+
+## [1.0.5] - 2017-05-07
+### Fixed
+ - Added request format into context for custom callbacks
+
+## [1.0.4] - 2017-04-27
+### Fixed
+ - Constants on px_constants
+ - Cookie Validation flow when cookie score was over the configured threshold
+ - Using symbols instead of strings for requests body
+

data/examples/app/controllers/home_controller.rb

@@ -0,0 +1,9 @@
+class HomeController < ApplicationController
+  include PxModule
+
+  before_action :px_verify_request
+
+  def index
+  end
+
+end

data/examples/app/views/home/index.html.erb.dist

@@ -0,0 +1,20 @@
+<h1>Home#index</h1>
+<p>Find me in app/views/home/index.html.erb</p>
+
+<script type="text/javascript">
+	(function(){
+		window._pxAppId ='APP_ID';
+		// Custom parameters
+		// window._pxParam1 = "<param1>";
+		var p = document.getElementsByTagName('script')[0],
+			s = document.createElement('script');
+		s.async = 1;
+		s.src = '//client.perimeterx.net/APP_ID/main.min.js';
+		p.parentNode.insertBefore(s,p);
+	}());
+</script>
+<noscript>
+	<div style="position:fixed; top:0; left:0; display:none" width="1" height="1">
+		<img src="//collector-APP_ID.perimeterx.net/api/v1/collector/noScript.gif?appId=APP_ID">
+	</div>
+</noscript>

data/examples/config/initializers/perimeterx.rb.dist

@@ -0,0 +1,8 @@
+params = {
+  :app_id => "APP_ID",
+  :cookie_key => "COOKIE_KEY",
+  :auth_token => "AUTH_TOKEN"
+}
+
+
+PxModule.configure(params)

data/lib/perimeter_x.rb

@@ -1,69 +1,224 @@
+require 'concurrent'
+require 'json'
+require 'base64'
+require 'uri'
 require 'perimeterx/configuration'
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 require 'perimeterx/utils/px_http_client'
+require 'perimeterx/utils/px_template_factory'
 require 'perimeterx/internal/perimeter_x_context'
-require 'perimeterx/internal/perimeter_x_s2s_validator'
+require 'perimeterx/internal/clients/perimeter_x_activity_client'
+require 'perimeterx/internal/validators/perimeter_x_s2s_validator'
+require 'perimeterx/internal/validators/perimeter_x_cookie_validator'
 
-module PerimeterX
-  class PxModule
-    L = PxLogger.instance
+module PxModule
+  # Module expose API
+  def px_verify_request
+    px_ctx = PerimeterX.instance.verify(request.env)
+    px_config = PerimeterX.instance.px_config
+    msg_title = 'PxModule[px_verify_request]'
 
-    @@singleton__instance__ = nil
-    @@singleton__mutex__ = Mutex.new
+    # In case custom verification handler is in use
+    if px_config.key?(:custom_verification_handler)
+      px_config[:logger].debug("#{msg_title}: custom_verification_handler triggered")
+      return instance_exec(px_ctx, &px_config[:custom_verification_handler])
+    end
+
+    unless px_ctx.nil? || px_ctx.context[:verified] || (px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor])
+      # In case custom block handler exists (soon to be deprecated)
+      if px_config.key?(:custom_block_handler)
+        px_config[:logger].debug("#{msg_title}: custom_block_handler triggered")
+        px_config[:logger].debug(
+            "#{msg_title}: Please note that custom_block_handler is deprecated. Use custom_verification_handler instead.")
+        return instance_exec(px_ctx, &px_config[:custom_block_handler])
+      else
+        if px_ctx.context[:block_action]== 'rate_limit'
+          px_config[:logger].debug("#{msg_title}: sending rate limit page")
+          response.status = 429
+        else
+          px_config[:logger].debug("#{msg_title}: sending default block page")
+          response.status = 403
+        end
+
+        is_mobile = px_ctx.context[:cookie_origin] == 'header' ? '1' : '0'
+        action = px_ctx.context[:block_action][0,1]
+
+        px_template_object = {
+          block_script: "//#{PxModule::CAPTCHA_HOST}/#{px_config[:app_id]}/captcha.js?a=#{action}&u=#{px_ctx.context[:uuid]}&v=#{px_ctx.context[:vid]}&m=#{is_mobile}",
+          js_client_src: "//#{PxModule::CLIENT_HOST}/#{px_config[:app_id]}/main.min.js"
+        }
+
+        html = PxTemplateFactory.get_template(px_ctx, px_config, px_template_object)
+
+        # Web handler
+        if px_ctx.context[:cookie_origin] == 'cookie'
+
+          accept_header_value = request.headers['accept'] || request.headers['content-type'];
+          is_json_response = px_ctx.context[:block_action] != 'rate_limit' && accept_header_value && accept_header_value.split(',').select {|e| e.downcase.include? 'application/json'}.length > 0;
+
+          if (is_json_response)
+            px_config[:logger].debug("#{msg_title}: advanced blocking response response")
+            response.headers['Content-Type'] = 'application/json'
+
+            hash_json = {
+                :appId => px_config[:app_id],
+                :jsClientSrc => px_template_object[:js_client_src],
+                :firstPartyEnabled => false,
+                :uuid => px_ctx.context[:uuid],
+                :vid => px_ctx.context[:vid],
+                :hostUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net",
+                :blockScript => px_template_object[:block_script],
+            }
+
+            render :json => hash_json
+          else
+            px_config[:logger].debug('#{msg_title}: web block')
+            response.headers['Content-Type'] = 'text/html'
+            render :html => html
+          end
+        else # Mobile SDK
+          px_config[:logger].debug("#{msg_title}: mobile sdk block")
+          response.headers['Content-Type'] = 'application/json'
+          hash_json = {
+              :action => px_ctx.context[:block_action],
+              :uuid => px_ctx.context[:uuid],
+              :vid => px_ctx.context[:vid],
+              :appId => px_config[:app_id],
+              :page => Base64.strict_encode64(html),
+              :collectorUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net"
+          }
+          render :json => hash_json
+        end
+      end
+    end
+
+    # Request was verified
+    return px_ctx.nil? ? true : px_ctx.context[:verified]
+  end
+
+  def self.configure(params)
+    @px_instance = PerimeterX.configure(params)
+  end
+
+
+  # PerimeterX Module
+  class PerimeterX
+    @@__instance = nil
+    @@mutex = Mutex.new
 
     attr_reader :px_config
     attr_accessor :px_http_client
+    attr_accessor :px_activity_client
 
-    def self.instance(params)
-      return @@singleton__instance__ if @@singleton__instance__
-      @@singleton__mutex__.synchronize {
-        return @@singleton__instance__ if @@singleton__instance__
-        @@singleton__instance__ = new(params)
+    #Static methods
+    def self.configure(params)
+      return true if @@__instance
+      @@mutex.synchronize {
+        return @@__instance if @@__instance
+        @@__instance = new(params)
       }
-      @@singleton__instance__
+      return true
     end
 
-
-    private def initialize(params)
-      L.info("PerimeterX[initialize]")
-      @px_config = Configuration.new(params).configuration
-      @px_http_client = PxHttpClient.new(@px_config)
+    def self.instance
+      return @@__instance if !@@__instance.nil?
+      raise Exception.new('Please initialize perimeter x first')
     end
 
-    def px_verify(env)
+
+    #Instance Methods
+    def verify(env)
       begin
-        L.info("PerimeterX[pxVerify]")
-        req = ActionDispatch::Request.new(env)
 
-        if (!@px_config['module_enabled'])
-          L.warn("Module is disabled")
-          return true
+        # check module_enabled 
+        @logger.debug('PerimeterX[pxVerify]')
+        if !@px_config[:module_enabled]
+          @logger.warn('Module is disabled')
+          return nil
         end
 
+        req = ActionDispatch::Request.new(env)
+        
+        # filter whitelist routes
+        url_path = URI.parse(req.original_url).path
+        if url_path && !url_path.empty?
+          if check_whitelist_routes(px_config[:whitelist_routes], url_path)
+            @logger.debug("PerimeterX[pxVerify]: whitelist route: #{url_path}")
+            return nil
+          end
+        end
+        
+        # create context
         px_ctx = PerimeterXContext.new(@px_config, req)
-        px_ctx.context[:s2s_call_reason] = "no_cookie"
 
-        s2sValidator = PerimeterxS2SValidator.new(px_ctx, @px_config, @px_http_client)
-        px_ctx = s2sValidator.verify()
-
-        if (px_config.key?('custom_verification_handler'))
-          return px_config['custom_verification_handler'].call(px_ctx.context)
-        else
-          return handle_verification(px_ctx)
+        # Cookie phase
+        cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
+        if !cookie_verified
+          @px_s2s_validator.verify(px_ctx)
         end
+
+        return handle_verification(px_ctx)
       rescue Exception => e
-        puts("#{e.backtrace.first}: #{e.message} (#{e.class})", e.backtrace.drop(1).map { |s| "\t#{s}" })
-        return true
+        @logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
+        e.backtrace.drop(1).map {|s| @logger.error("\t#{s}")}
+        return nil
       end
     end
 
-    # private methods
+    private def initialize(params)
+      @px_config = Configuration.new(params).configuration
+      @logger = @px_config[:logger]
+      @px_http_client = PxHttpClient.new(@px_config)
+
+      @px_activity_client = PerimeterxActivitiesClient.new(@px_config, @px_http_client)
+
+      @px_cookie_validator = PerimeterxCookieValidator.new(@px_config)
+      @px_s2s_validator = PerimeterxS2SValidator.new(@px_config, @px_http_client)
+      @logger.debug('PerimeterX[initialize]')
+    end
+
     private def handle_verification(px_ctx)
-      L.info("perimeterx processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
-      return true
+      @logger.debug('PerimeterX[handle_verification]')
+      @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
+
+      score = px_ctx.context[:score]
+      px_ctx.context[:should_bypass_monitor] = @px_config[:bypass_monitor_header] && px_ctx.context[:headers][@px_config[:bypass_monitor_header].to_sym] == '1';
+
+      px_ctx.context[:verified] = score < @px_config[:blocking_score]
+      # Case PASS request
+      if px_ctx.context[:verified]
+        @logger.debug("PerimeterX[handle_verification]: score:#{score} < blocking score, passing request")
+        @px_activity_client.send_page_requested_activity(px_ctx)
+        return px_ctx
+      end
+
+      # Case blocking activity
+      @px_activity_client.send_block_activity(px_ctx)
+
+      # In case were in monitor mode, end here
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor]
+        @logger.debug("PerimeterX[handle_verification]: monitor mode is on, passing request")
+        return px_ctx
+      end
+
+      @logger.debug('PerimeterX[handle_verification]: verification ended, the request should be blocked')
+
+      return px_ctx
+    end
+
+    private def check_whitelist_routes(whitelist_routes, path)
+      whitelist_routes.each do |whitelist_route|
+        if whitelist_route.is_a?(Regexp) && path.match(whitelist_route)
+          return true
+        end
+        if whitelist_route.is_a?(String) && path.start_with?(whitelist_route)
+          return true
+        end
+      end
+      false
     end
 
     private_class_method :new
   end
-
 end