perimeter_x 1.1.0 → 2.1.0

data/lib/perimeterx/configuration.rb

@@ -1,37 +1,86 @@
 require 'perimeterx/utils/px_logger'
 require 'perimeterx/utils/px_constants'
+require 'perimeterx/internal/validators/hash_schema_validator'
 
 module PxModule
   class Configuration
+    @@basic_config = nil
+    @@mutex = Mutex.new
 
     attr_accessor :configuration
-    attr_accessor :PX_DEFAULT
 
     PX_DEFAULT = {
-      :app_id                   => nil,
-      :cookie_key               => nil,
-      :auth_token               => nil,
-      :module_enabled           => true,
-      :captcha_enabled          => true,
-      :challenge_enabled        => true,
-      :encryption_enabled       => true,
-      :blocking_score           => 70,
-      :sensitive_headers        => ["http-cookie", "http-cookies"],
-      :api_connect_timeout      => 0,
-      :api_timeout              => 0,
-      :max_buffer_len           => 30,
-      :send_page_activities     => false,
-      :send_block_activities    => true,
-      :sdk_name                 => PxModule::SDK_NAME,
-      :debug                    => false,
-      :module_mode              => PxModule::ACTIVE_MODE,
-      :local_proxy              => false,
-      :sensitive_routes         => []
+      :app_id                       => nil,
+      :cookie_key                   => nil,
+      :auth_token                   => nil,
+      :module_enabled               => true,
+      :challenge_enabled            => true,
+      :encryption_enabled           => true,
+      :blocking_score               => 100,
+      :sensitive_headers            => ["http-cookie", "http-cookies"],
+      :api_timeout_connection       => 1,
+      :api_timeout                  => 1,
+      :send_page_activities         => true,
+      :send_block_activities        => true,
+      :sdk_name                     => PxModule::SDK_NAME,
+      :debug                        => false,
+      :module_mode                  => PxModule::MONITOR_MODE,
+      :sensitive_routes             => [],
+      :whitelist_routes             => [],
+      :ip_headers                   => [],
+      :ip_header_function           => nil,
+      :bypass_monitor_header        => nil,
+      :risk_cookie_max_iterations   => 5000
     }
 
+    CONFIG_SCHEMA = {
+      :app_id                       => {types: [String], required: true},
+      :cookie_key                   => {types: [String], required: true},
+      :auth_token                   => {types: [String], required: true},
+      :module_enabled               => {types: [FalseClass, TrueClass], required: false},
+      :challenge_enabled            => {types: [FalseClass, TrueClass], required: false},
+      :encryption_enabled           => {types: [FalseClass, TrueClass], required: false},
+      :blocking_score               => {types: [Integer], required: false},
+      :sensitive_headers            => {types: [Array], allowed_element_types: [String], required: false},
+      :api_timeout_connection       => {types: [Integer, Float], required: false},
+      :api_timeout                  => {types: [Integer, Float], required: false},
+      :send_page_activities         => {types: [FalseClass, TrueClass], required: false},
+      :send_block_activities        => {types: [FalseClass, TrueClass], required: false},
+      :sdk_name                     => {types: [String], required: false},
+      :debug                        => {types: [FalseClass, TrueClass], required: false},
+      :module_mode                  => {types: [Integer], required: false},
+      :sensitive_routes             => {types: [Array], allowed_element_types: [String], required: false},
+      :whitelist_routes             => {types: [Array], allowed_element_types: [String, Regexp], required: false},
+      :ip_headers                   => {types: [Array], allowed_element_types: [String], required: false},
+      :ip_header_function           => {types: [Proc], required: false},
+      :bypass_monitor_header        => {types: [FalseClass, TrueClass], required: false},
+      :risk_cookie_max_iterations   => {types: [Integer], required: false},
+      :custom_verification_handler  => {types: [Proc], required: false},
+      :additional_activity_handler  => {types: [Proc], required: false},
+      :custom_logo                  => {types: [String], required: false},
+      :css_ref                      => {types: [String], required: false},
+      :js_ref                       => {types: [String], required: false},
+      :custom_uri                   => {types: [Proc], required: false}
+    }
+
+    def self.set_basic_config(basic_config)
+      if @@basic_config.nil?
+        @@mutex.synchronize {          
+          @@basic_config = PX_DEFAULT.merge(basic_config)
+      }
+      end
+    end
+
     def initialize(params)
-      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
-      @configuration = PX_DEFAULT.merge(params);
+      if ! @@basic_config.is_a?(Hash)
+        raise PxConfigurationException.new('PerimeterX: Please initialize PerimeterX first')
+      end
+      
+      # merge request configuration into the basic configuration
+      @configuration = @@basic_config.merge(params)
+      validate_hash_schema(@configuration, CONFIG_SCHEMA)
+      
+      @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -3,12 +3,10 @@ require 'perimeterx/internal/clients/perimeter_x_risk_client'
 module PxModule
   class PerimeterxActivitiesClient < PerimeterxRiskClient
 
-    attr_accessor :activities
 
     def initialize(px_config, http_client)
       super(px_config, http_client)
       @logger.debug("PerimeterxActivitiesClients[initialize]")
-      @activities = [];
     end
 
     def send_to_perimeterx(activity_type, px_ctx, details = [])
@@ -19,7 +17,12 @@ module PxModule
         @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
       end
 
+      if !px_ctx.context[:px_cookie].empty?
+        details[:cookie_origin] = px_ctx.context[:cookie_origin]
+      end
+
       details[:module_version] = @px_config[:sdk_name]
+
       px_data = {
         :type       => activity_type,
         :headers    => format_headers(px_ctx),
@@ -41,51 +44,69 @@ module PxModule
           "Content-Type" => "application/json"
       };
 
-      @activities.push(px_data)
-      if (@activities.size == @px_config[:max_buffer_len])
-        @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: max buffer length reached, sending activities")
-        @http_client.async_post(PxModule::API_V1_S2S, @activities, headers)
-
-        @activities.clear
-      end
+      s = Time.now
+      @http_client.async.post(PxModule::API_V1_S2S, px_data, headers)
+      e = Time.now
+      @logger.debug("PerimeterxActivitiesClients[send_to_perimeterx]: post runtime #{(e-s)*1000}")
     end
 
     def send_block_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_block_activities])
         @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
         return
       end
 
       details = {
-        :block_uuid    => px_ctx.context[:uuid],
-        :block_score   => px_ctx.context[:score],
-        :block_reason  => px_ctx.context[:block_reason]
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid => px_ctx.context[:uuid],
+        :block_score => px_ctx.context[:score],
+        :block_reason => px_ctx.context[:blocking_reason],
+        :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
 
     end
 
     def send_page_requested_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_page_activities])
         return
       end
 
       details = {
         :http_version  => px_ctx.context[:http_version],
-        :http_method   => px_ctx.context[:http_method]
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid   => px_ctx.context[:uuid],
+        :pass_reason  => px_ctx.context[:pass_reason]
       }
 
       if (px_ctx.context.key?(:decoded_cookie))
         details[:px_cookie] = px_ctx.context[:decoded_cookie]
       end
 
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       if (px_ctx.context.key?(:cookie_hmac))
         details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
       end
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
       send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
     end
   end

data/lib/perimeterx/internal/exceptions/px_config_exception.rb

@@ -0,0 +1,6 @@
+class PxConfigurationException < StandardError
+    def initialize(msg)
+     super(msg)
+   end
+  end
+  

data/lib/perimeterx/internal/{perimeter_x_cookie_v1.rb → payload/perimeter_x_cookie_v1.rb}

@@ -1,5 +1,5 @@
 module PxModule
-  class PerimeterxCookieV1 < PerimeterxCookie
+  class PerimeterxCookieV1 < PerimeterxPayload
 
     attr_accessor :px_config, :px_ctx
 

data/lib/perimeterx/internal/{perimeter_x_cookie_v3.rb → payload/perimeter_x_cookie_v3.rb}

@@ -1,5 +1,5 @@
 module PxModule
-  class PerimeterxCookieV3 < PerimeterxCookie
+  class PerimeterxCookieV3 < PerimeterxPayload
 
     attr_accessor :px_config, :px_ctx, :cookie_hash
 

data/lib/perimeterx/internal/{perimeter_x_cookie.rb → payload/perimeter_x_payload.rb}

@@ -4,7 +4,7 @@ require 'openssl'
 require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
 
 module PxModule
-  class PerimeterxCookie
+  class PerimeterxPayload
     attr_accessor :px_cookie, :px_config, :px_ctx, :cookie_secret, :decoded_cookie
 
     def initialize(px_config)
@@ -13,7 +13,12 @@ module PxModule
     end
 
     def self.px_cookie_factory(px_ctx, px_config)
-      if (px_ctx.context[:px_cookie].key?(:v3))
+      if px_ctx.context[:cookie_origin] == 'header'
+        if (px_ctx.context[:px_cookie].key?(:v3))
+          return PerimeterxTokenV3.new(px_config,px_ctx)
+        end
+        return PerimeterxTokenV1.new(px_config,px_ctx)
+      elsif (px_ctx.context[:px_cookie].key?(:v3))
         return PerimeterxCookieV3.new(px_config, px_ctx)
       end
       return PerimeterxCookieV1.new(px_config, px_ctx)
@@ -103,6 +108,9 @@ module PxModule
         px_cookie = px_cookie.gsub(' ', '+')
         salt, iterations, cipher_text = px_cookie.split(':')
         iterations = iterations.to_i
+        if (iterations > @px_config[:risk_cookie_max_iterations] || iterations < 500)
+          return
+        end
         salt = Base64.decode64(salt)
         cipher_text = Base64.decode64(cipher_text)
         digest = OpenSSL::Digest::SHA256.new
@@ -131,8 +139,8 @@ module PxModule
       hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
       # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
       password_correct = ActiveSupport::SecurityUtils.secure_compare(
-      ::Digest::SHA256.hexdigest(cookie_hmac),
-      ::Digest::SHA256.hexdigest(hmac)
+          ::Digest::SHA256.hexdigest(cookie_hmac),
+          ::Digest::SHA256.hexdigest(hmac)
       )
 
     end

data/lib/perimeterx/internal/payload/perimeter_x_token_v1.rb

@@ -0,0 +1,38 @@
+module PxModule
+  class PerimeterxTokenV1 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV1[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+
+    def cookie_block_action
+      return 'c'
+    end
+
+    def secured?
+      hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+
+      return hmac_valid?(hmac_str, cookie_hmac)
+    end
+
+  end
+
+end

data/lib/perimeterx/internal/payload/perimeter_x_token_v3.rb

@@ -0,0 +1,36 @@
+module PxModule
+  class PerimeterxTokenV3 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx, :cookie_hash
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      hash, cookie = px_ctx.get_px_cookie().split(':', 2)
+      @px_cookie = cookie
+      @cookie_hash = hash
+      @px_ctx = px_ctx
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV3[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s]
+    end
+
+    def cookie_hmac
+      return @cookie_hash
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+    end
+
+    def cookie_block_action
+      @decoded_cookie[:a]
+    end
+
+    def secured?
+      return hmac_valid?(@px_cookie, cookie_hmac)
+    end
+  end
+end

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,4 +1,5 @@
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 
 module PxModule
   class PerimeterXContext
@@ -7,32 +8,68 @@ module PxModule
     attr_accessor :px_config
 
     def initialize(px_config, req)
-      @logger = px_config[:logger];
-      @logger.debug("PerimeterXContext[initialize] ")
+      @logger = px_config[:logger]
+      @logger.debug('PerimeterXContext[initialize]')
       @context = Hash.new
 
       @context[:px_cookie] = Hash.new
       @context[:headers] = Hash.new
+      @context[:cookie_origin] = 'cookie'
+      @context[:made_s2s_risk_api_call] = false
       cookies = req.cookies
-      if (!cookies.empty?)
+
+      # Get IP from header/custom function
+      if px_config[:ip_headers].length() > 0
+        px_config[:ip_headers].each do |ip_header|
+          if req.headers[ip_header]
+            @context[:ip]  = force_utf8(req.headers[ip_header])
+          end
+        end
+      elsif px_config[:ip_header_function] != nil
+        @context[:ip] = px_config[:ip_header_function].call(req)
+      end
+
+      if @context[:ip] == nil
+        @context[:ip] = req.ip
+      end
+
+      # Get token from header
+      if req.headers[PxModule::TOKEN_HEADER]
+        @context[:cookie_origin] = 'header'
+        token = force_utf8(req.headers[PxModule::TOKEN_HEADER])
+        if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+          @context[:px_cookie][:v3] = token[2..-1]
+        elsif token.match(PxModule::MOBILE_ERROR_REGEX)
+          @context[:mobile_error] = token
+          if req.headers[PxModule::ORIGINAL_TOKEN_HEADER]
+            token = force_utf8(req.headers[PxModule::ORIGINAL_TOKEN_HEADER])
+            if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+              @context[:px_cookie][:v3] = token[2..-1]
+            end
+          end
+        end
+      elsif !cookies.empty? # Get cookie from jar
         # Prepare hashed cookies
         cookies.each do |k, v|
           case k.to_s
-            when "_px3"
-              @context[:px_cookie][:v3] = v
-            when "_px"
-              @context[:px_cookie][:v1] = v
-            when "_pxCaptcha"
-              @context[:px_captcha] = v
+            when '_px3'
+              @context[:px_cookie][:v3] = force_utf8(v)
+            when '_px'
+              @context[:px_cookie][:v1] = force_utf8(v)
+            when '_pxvid'
+              if v.is_a?(String) && v.match(PxModule::VID_REGEX)
+                @context[:vid_source] = "vid_cookie"
+                @context[:vid] = force_utf8(v)
+              end
           end
         end #end case
       end #end empty cookies
 
       req.headers.each do |k, v|
-        if (k.start_with? "HTTP_")
-          header = k.to_s.gsub("HTTP_", "")
-          header = header.gsub("_", "-").downcase
-          @context[:headers][header.to_sym] = v
+        if (k.start_with? 'HTTP_')
+          header = k.to_s.gsub('HTTP_', '')
+          header = header.gsub('_', '-').downcase
+          @context[:headers][header.to_sym] = force_utf8(v)
         end
       end #end headers foreach
 
@@ -43,18 +80,10 @@ module PxModule
       @context[:format] = req.format.symbol
       @context[:score] = 0
 
-      if px_config.key?(:custom_user_ip)
-        @context[:ip] = req.headers[px_config[:custom_user_ip]]
-      elsif px_config.key?(:px_custom_user_ip_method)
-        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
-      else
-        @context[:ip] = req.ip
-      end
-
       if req.server_protocol
-          httpVer = req.server_protocol.split("/")
+          httpVer = req.server_protocol.split('/')
           if httpVer.size > 0
-              @context[:http_version] = httpVer[1];
+              @context[:http_version] = httpVer[1]
           end
       end
       @context[:http_method] = req.method
@@ -65,19 +94,25 @@ module PxModule
 		sensitive_routes.each do |sensitive_route|
 			return true if uri.start_with? sensitive_route
 		end
-		return false
+    false
 	end
 
+  def force_utf8(str)
+    return str.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+  end
+
     def set_block_action_type(action)
       @context[:block_action] = case action
-        when "c"
-          "captcha"
-        when "b"
-          return "block"
-        when "j"
-          return "challenge"
+        when 'c'
+          'captcha'
+        when 'b'
+          return 'block'
+        when 'j'
+          return 'challenge'
+        when 'r'
+          return 'rate_limit'
         else
-          return "captcha"
+          return captcha
         end
     end