perimeter_x 1.2.0 → 2.2.0

data/lib/perimeterx/configuration.rb

@@ -1,37 +1,89 @@
 require 'perimeterx/utils/px_logger'
 require 'perimeterx/utils/px_constants'
+require 'perimeterx/internal/validators/hash_schema_validator'
 
 module PxModule
   class Configuration
+    @@basic_config = nil
+    @@mutex = Mutex.new
 
     attr_accessor :configuration
-    attr_accessor :PX_DEFAULT
 
     PX_DEFAULT = {
-      :app_id                   => nil,
-      :cookie_key               => nil,
-      :auth_token               => nil,
-      :module_enabled           => true,
-      :captcha_enabled          => true,
-      :challenge_enabled        => true,
-      :encryption_enabled       => true,
-      :blocking_score           => 70,
-      :sensitive_headers        => ["http-cookie", "http-cookies"],
-      :api_connect_timeout      => 1,
-      :api_timeout              => 1,
-      :max_buffer_len           => 10,
-      :send_page_activities     => false,
-      :send_block_activities    => true,
-      :sdk_name                 => PxModule::SDK_NAME,
-      :debug                    => false,
-      :module_mode              => PxModule::ACTIVE_MODE,
-      :local_proxy              => false,
-      :sensitive_routes         => []
+      :app_id                       => nil,
+      :cookie_key                   => nil,
+      :auth_token                   => nil,
+      :module_enabled               => true,
+      :challenge_enabled            => true,
+      :encryption_enabled           => true,
+      :blocking_score               => 100,
+      :sensitive_headers            => ["http-cookie", "http-cookies"],
+      :api_timeout_connection       => 1,
+      :api_timeout                  => 1,
+      :send_page_activities         => true,
+      :send_block_activities        => true,
+      :sdk_name                     => PxModule::SDK_NAME,
+      :debug                        => false,
+      :module_mode                  => PxModule::MONITOR_MODE,
+      :sensitive_routes             => [],
+      :whitelist_routes             => [],
+      :ip_headers                   => [],
+      :ip_header_function           => nil,
+      :bypass_monitor_header        => nil,
+      :risk_cookie_max_iterations   => 5000,
+      :first_party_enabled          => true
     }
 
+    CONFIG_SCHEMA = {
+      :app_id                       => {types: [String], required: true},
+      :cookie_key                   => {types: [String], required: true},
+      :auth_token                   => {types: [String], required: true},
+      :module_enabled               => {types: [FalseClass, TrueClass], required: false},
+      :challenge_enabled            => {types: [FalseClass, TrueClass], required: false},
+      :encryption_enabled           => {types: [FalseClass, TrueClass], required: false},
+      :blocking_score               => {types: [Integer], required: false},
+      :sensitive_headers            => {types: [Array], allowed_element_types: [String], required: false},
+      :api_timeout_connection       => {types: [Integer, Float], required: false},
+      :api_timeout                  => {types: [Integer, Float], required: false},
+      :send_page_activities         => {types: [FalseClass, TrueClass], required: false},
+      :send_block_activities        => {types: [FalseClass, TrueClass], required: false},
+      :sdk_name                     => {types: [String], required: false},
+      :debug                        => {types: [FalseClass, TrueClass], required: false},
+      :module_mode                  => {types: [Integer], required: false},
+      :sensitive_routes             => {types: [Array], allowed_element_types: [String], required: false},
+      :whitelist_routes             => {types: [Array], allowed_element_types: [String, Regexp], required: false},
+      :ip_headers                   => {types: [Array], allowed_element_types: [String], required: false},
+      :ip_header_function           => {types: [Proc], required: false},
+      :bypass_monitor_header        => {types: [FalseClass, TrueClass], required: false},
+      :risk_cookie_max_iterations   => {types: [Integer], required: false},
+      :custom_verification_handler  => {types: [Proc], required: false},
+      :additional_activity_handler  => {types: [Proc], required: false},
+      :custom_logo                  => {types: [String], required: false},
+      :css_ref                      => {types: [String], required: false},
+      :js_ref                       => {types: [String], required: false},
+      :custom_uri                   => {types: [Proc], required: false},
+      :first_party_enabled          => {types: [FalseClass, TrueClass], required: false}
+
+    }
+
+    def self.set_basic_config(basic_config)
+      if @@basic_config.nil?
+        @@mutex.synchronize {          
+          @@basic_config = PX_DEFAULT.merge(basic_config)
+      }
+      end
+    end
+
     def initialize(params)
-      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
-      @configuration = PX_DEFAULT.merge(params);
+      if ! @@basic_config.is_a?(Hash)
+        raise PxConfigurationException.new('PerimeterX: Please initialize PerimeterX first')
+      end
+      
+      # merge request configuration into the basic configuration
+      @configuration = @@basic_config.merge(params)
+      validate_hash_schema(@configuration, CONFIG_SCHEMA)
+      
+      @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -17,7 +17,12 @@ module PxModule
         @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
       end
 
+      if !px_ctx.context[:px_cookie].empty?
+        details[:cookie_origin] = px_ctx.context[:cookie_origin]
+      end
+
       details[:module_version] = @px_config[:sdk_name]
+
       px_data = {
         :type       => activity_type,
         :headers    => format_headers(px_ctx),
@@ -47,40 +52,61 @@ module PxModule
 
     def send_block_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_block_activities])
         @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
         return
       end
 
       details = {
-        :block_uuid    => px_ctx.context[:uuid],
-        :block_score   => px_ctx.context[:score],
-        :block_reason  => px_ctx.context[:block_reason]
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid => px_ctx.context[:uuid],
+        :block_score => px_ctx.context[:score],
+        :block_reason => px_ctx.context[:blocking_reason],
+        :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
 
     end
 
     def send_page_requested_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_page_activities])
         return
       end
 
       details = {
         :http_version  => px_ctx.context[:http_version],
-        :http_method   => px_ctx.context[:http_method]
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid   => px_ctx.context[:uuid],
+        :pass_reason  => px_ctx.context[:pass_reason]
       }
 
       if (px_ctx.context.key?(:decoded_cookie))
         details[:px_cookie] = px_ctx.context[:decoded_cookie]
       end
 
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       if (px_ctx.context.key?(:cookie_hmac))
         details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
       end
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
       send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
     end
   end

data/lib/perimeterx/internal/exceptions/px_config_exception.rb

@@ -0,0 +1,6 @@
+class PxConfigurationException < StandardError
+    def initialize(msg)
+     super(msg)
+   end
+  end
+  

data/lib/perimeterx/internal/first_party/px_first_party.rb

@@ -0,0 +1,124 @@
+require 'perimeterx/internal/perimeter_x_context'
+module PxModule
+    class FirstPartyManager
+        def initialize(px_config, px_http_client, logger)
+            @px_config = px_config
+            @app_id = px_config[:app_id]
+            @px_http_client = px_http_client
+            @logger = logger
+            @from = [
+                "/#{@app_id[2..-1]}/init.js",
+                "/#{@app_id[2..-1]}/captcha",
+                "/#{@app_id[2..-1]}/xhr"
+            ]
+        end
+
+        def send_first_party_request(req)
+            uri = URI.parse(req.original_url)
+            url_path = uri.path
+            
+            headers = extract_headers(req)
+            headers["x-px-first-party"] = "1"
+            headers["x-px-enforcer-true-ip"] = PerimeterXContext.extract_ip(req, @px_config)
+
+            if url_path.start_with?(@from[0])
+                return get_client(req, uri, headers)
+            elsif url_path.start_with?(@from[1]) 
+                return get_captcha(req, uri, headers)
+            elsif url_path.start_with?(@from[2])
+                return send_xhr(req, uri, headers)
+            else
+                return nil
+            end
+        end
+
+        def get_client(req, uri, headers)
+            @logger.debug("FirstPartyManager[get_client]")
+            
+            # define host
+            headers["host"] = PxModule::CLIENT_HOST
+            
+            # define request url
+            url = "#{uri.scheme}://#{PxModule::CLIENT_HOST}/#{@app_id}/main.min.js"
+            
+            # send request
+            return @px_http_client.get(url, headers)
+        end
+
+        def get_captcha(req, uri, headers)
+            @logger.debug("FirstPartyManager[get_captcha]")
+            
+            # define host
+            headers["host"] = PxModule::CAPTCHA_HOST
+
+            # define request url
+            path_and_query = uri.request_uri
+            uri_suffix = path_and_query.sub "/#{@app_id[2..-1]}/captcha", ""
+            url = "#{uri.scheme}://#{PxModule::CAPTCHA_HOST}#{uri_suffix}"
+
+            # send request
+            return @px_http_client.get(url, headers)
+        end
+        
+        def send_xhr(req, uri, headers)
+            @logger.debug("FirstPartyManager[send_xhr]")
+
+            # handle vid cookies
+            if !req.cookies.nil?
+                if req.cookies.key?("_pxvid")
+                    vid = PerimeterXContext.force_utf8(req.cookies["_pxvid"])
+                    if headers.key?('cookie')
+                        headers['cookie'] += "; pxvid=#{vid}";
+                    else
+                        headers['cookie'] = "pxvid=#{vid}";
+                    end
+                end
+            end
+
+            # define host
+            headers["host"] = "collector-#{@app_id.downcase}.perimeterx.net"
+            
+            # define request url
+            path_and_query = uri.request_uri
+            path_suffix = path_and_query.sub "/#{@app_id[2..-1]}/xhr", ""
+            url = "#{uri.scheme}://collector-#{@app_id.downcase}.perimeterx.net#{path_suffix}"
+
+            # send request
+            return @px_http_client.post_xhr(url, req.body.string, headers)
+        end
+
+        def extract_headers(req)
+            headers = Hash.new
+            req.headers.each do |k, v|
+                if (k.start_with? 'HTTP_') && (!@px_config[:sensitive_headers].include? k)
+                    header = k.to_s.gsub('HTTP_', '')
+                    header = header.gsub('_', '-').downcase
+                    headers[header] = PerimeterXContext.force_utf8(v)
+                end
+            end
+            return headers
+        end
+
+        # -1 - not first party request
+        # 0 - /init.js
+        # 1 - /captcha
+        # 2 - /xhr
+        def get_first_party_request_type(req)
+            url_path = URI.parse(req.original_url).path
+            @from.each_with_index do |val,index|
+                if url_path.start_with?(val)
+                    return index
+                end
+            end
+            return -1
+        end
+
+        def is_first_party_request(req)
+            return get_first_party_request_type(req) != -1
+        end
+
+        def get_response_content_type(req)
+            return get_first_party_request_type(req) == 2 ? :json : :js
+        end
+    end
+end

data/lib/perimeterx/internal/{perimeter_x_cookie_v1.rb → payload/perimeter_x_cookie_v1.rb}

@@ -1,5 +1,5 @@
 module PxModule
-  class PerimeterxCookieV1 < PerimeterxCookie
+  class PerimeterxCookieV1 < PerimeterxPayload
 
     attr_accessor :px_config, :px_ctx
 

data/lib/perimeterx/internal/{perimeter_x_cookie_v3.rb → payload/perimeter_x_cookie_v3.rb}

@@ -1,5 +1,5 @@
 module PxModule
-  class PerimeterxCookieV3 < PerimeterxCookie
+  class PerimeterxCookieV3 < PerimeterxPayload
 
     attr_accessor :px_config, :px_ctx, :cookie_hash
 

data/lib/perimeterx/internal/{perimeter_x_cookie.rb → payload/perimeter_x_payload.rb}

@@ -4,7 +4,7 @@ require 'openssl'
 require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
 
 module PxModule
-  class PerimeterxCookie
+  class PerimeterxPayload
     attr_accessor :px_cookie, :px_config, :px_ctx, :cookie_secret, :decoded_cookie
 
     def initialize(px_config)
@@ -13,7 +13,12 @@ module PxModule
     end
 
     def self.px_cookie_factory(px_ctx, px_config)
-      if (px_ctx.context[:px_cookie].key?(:v3))
+      if px_ctx.context[:cookie_origin] == 'header'
+        if (px_ctx.context[:px_cookie].key?(:v3))
+          return PerimeterxTokenV3.new(px_config,px_ctx)
+        end
+        return PerimeterxTokenV1.new(px_config,px_ctx)
+      elsif (px_ctx.context[:px_cookie].key?(:v3))
         return PerimeterxCookieV3.new(px_config, px_ctx)
       end
       return PerimeterxCookieV1.new(px_config, px_ctx)
@@ -103,6 +108,9 @@ module PxModule
         px_cookie = px_cookie.gsub(' ', '+')
         salt, iterations, cipher_text = px_cookie.split(':')
         iterations = iterations.to_i
+        if (iterations > @px_config[:risk_cookie_max_iterations] || iterations < 500)
+          return
+        end
         salt = Base64.decode64(salt)
         cipher_text = Base64.decode64(cipher_text)
         digest = OpenSSL::Digest::SHA256.new
@@ -131,8 +139,8 @@ module PxModule
       hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
       # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
       password_correct = ActiveSupport::SecurityUtils.secure_compare(
-      ::Digest::SHA256.hexdigest(cookie_hmac),
-      ::Digest::SHA256.hexdigest(hmac)
+          ::Digest::SHA256.hexdigest(cookie_hmac),
+          ::Digest::SHA256.hexdigest(hmac)
       )
 
     end

data/lib/perimeterx/internal/payload/perimeter_x_token_v1.rb

@@ -0,0 +1,38 @@
+module PxModule
+  class PerimeterxTokenV1 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      @px_ctx = px_ctx
+      @px_cookie = px_ctx.get_px_cookie
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV1[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s][:b]
+    end
+
+    def cookie_hmac
+      return @decoded_cookie[:h]
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie[:s].key?(:b) && cookie.key?(:s) && cookie.key?(:v) && cookie.key?(:h)
+    end
+
+    def cookie_block_action
+      return 'c'
+    end
+
+    def secured?
+      hmac_str = "#{cookie_time}#{@decoded_cookie[:s][:a]}#{cookie_score}#{cookie_uuid}#{cookie_vid}"
+
+      return hmac_valid?(hmac_str, cookie_hmac)
+    end
+
+  end
+
+end

data/lib/perimeterx/internal/payload/perimeter_x_token_v3.rb

@@ -0,0 +1,36 @@
+module PxModule
+  class PerimeterxTokenV3 < PerimeterxPayload
+
+    attr_accessor :px_config, :px_ctx, :cookie_hash
+
+    def initialize(px_config, px_ctx)
+      super(px_config)
+      hash, cookie = px_ctx.get_px_cookie().split(':', 2)
+      @px_cookie = cookie
+      @cookie_hash = hash
+      @px_ctx = px_ctx
+      @cookie_secret = px_config[:cookie_key]
+      @logger.debug('PerimeterxTokenV3[initialize]')
+    end
+
+    def cookie_score
+      return @decoded_cookie[:s]
+    end
+
+    def cookie_hmac
+      return @cookie_hash
+    end
+
+    def valid_format?(cookie)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+    end
+
+    def cookie_block_action
+      @decoded_cookie[:a]
+    end
+
+    def secured?
+      return hmac_valid?(@px_cookie, cookie_hmac)
+    end
+  end
+end