perimeter_x 1.3.0 → 2.2.1

data/lib/perimeterx/configuration.rb

@@ -1,37 +1,89 @@
 require 'perimeterx/utils/px_logger'
 require 'perimeterx/utils/px_constants'
+require 'perimeterx/internal/validators/hash_schema_validator'
 
 module PxModule
   class Configuration
+    @@basic_config = nil
+    @@mutex = Mutex.new
 
     attr_accessor :configuration
-    attr_accessor :PX_DEFAULT
 
     PX_DEFAULT = {
-      :app_id                   => nil,
-      :cookie_key               => nil,
-      :auth_token               => nil,
-      :module_enabled           => true,
-      :captcha_enabled          => true,
-      :challenge_enabled        => true,
-      :encryption_enabled       => true,
-      :blocking_score           => 70,
-      :sensitive_headers        => ["http-cookie", "http-cookies"],
-      :api_connect_timeout      => 1,
-      :api_timeout              => 1,
-      :max_buffer_len           => 10,
-      :send_page_activities     => true,
-      :send_block_activities    => true,
-      :sdk_name                 => PxModule::SDK_NAME,
-      :debug                    => false,
-      :module_mode              => PxModule::ACTIVE_MODE,
-      :local_proxy              => false,
-      :sensitive_routes         => []
+      :app_id                       => nil,
+      :cookie_key                   => nil,
+      :auth_token                   => nil,
+      :module_enabled               => true,
+      :challenge_enabled            => true,
+      :encryption_enabled           => true,
+      :blocking_score               => 100,
+      :sensitive_headers            => ["http-cookie", "http-cookies"],
+      :api_timeout_connection       => 1,
+      :api_timeout                  => 1,
+      :send_page_activities         => true,
+      :send_block_activities        => true,
+      :sdk_name                     => PxModule::SDK_NAME,
+      :debug                        => false,
+      :module_mode                  => PxModule::MONITOR_MODE,
+      :sensitive_routes             => [],
+      :whitelist_routes             => [],
+      :ip_headers                   => [],
+      :ip_header_function           => nil,
+      :bypass_monitor_header        => nil,
+      :risk_cookie_max_iterations   => 5000,
+      :first_party_enabled          => true
     }
 
+    CONFIG_SCHEMA = {
+      :app_id                       => {types: [String], required: true},
+      :cookie_key                   => {types: [String], required: true},
+      :auth_token                   => {types: [String], required: true},
+      :module_enabled               => {types: [FalseClass, TrueClass], required: false},
+      :challenge_enabled            => {types: [FalseClass, TrueClass], required: false},
+      :encryption_enabled           => {types: [FalseClass, TrueClass], required: false},
+      :blocking_score               => {types: [Integer], required: false},
+      :sensitive_headers            => {types: [Array], allowed_element_types: [String], required: false},
+      :api_timeout_connection       => {types: [Integer, Float], required: false},
+      :api_timeout                  => {types: [Integer, Float], required: false},
+      :send_page_activities         => {types: [FalseClass, TrueClass], required: false},
+      :send_block_activities        => {types: [FalseClass, TrueClass], required: false},
+      :sdk_name                     => {types: [String], required: false},
+      :debug                        => {types: [FalseClass, TrueClass], required: false},
+      :module_mode                  => {types: [Integer], required: false},
+      :sensitive_routes             => {types: [Array], allowed_element_types: [String], required: false},
+      :whitelist_routes             => {types: [Array], allowed_element_types: [String, Regexp], required: false},
+      :ip_headers                   => {types: [Array], allowed_element_types: [String], required: false},
+      :ip_header_function           => {types: [Proc], required: false},
+      :bypass_monitor_header        => {types: [String], required: false},
+      :risk_cookie_max_iterations   => {types: [Integer], required: false},
+      :custom_verification_handler  => {types: [Proc], required: false},
+      :additional_activity_handler  => {types: [Proc], required: false},
+      :custom_logo                  => {types: [String], required: false},
+      :css_ref                      => {types: [String], required: false},
+      :js_ref                       => {types: [String], required: false},
+      :custom_uri                   => {types: [Proc], required: false},
+      :first_party_enabled          => {types: [FalseClass, TrueClass], required: false}
+
+    }
+
+    def self.set_basic_config(basic_config)
+      if @@basic_config.nil?
+        @@mutex.synchronize {          
+          @@basic_config = PX_DEFAULT.merge(basic_config)
+      }
+      end
+    end
+
     def initialize(params)
-      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
-      @configuration = PX_DEFAULT.merge(params)
+      if ! @@basic_config.is_a?(Hash)
+        raise PxConfigurationException.new('PerimeterX: Please initialize PerimeterX first')
+      end
+      
+      # merge request configuration into the basic configuration
+      @configuration = @@basic_config.merge(params)
+      validate_hash_schema(@configuration, CONFIG_SCHEMA)
+      
+      @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -17,8 +17,11 @@ module PxModule
         @px_config[:additional_activity_handler].call(activity_type, px_ctx, details)
       end
 
+      if !px_ctx.context[:px_cookie].empty?
+        details[:cookie_origin] = px_ctx.context[:cookie_origin]
+      end
+
       details[:module_version] = @px_config[:sdk_name]
-      details[:cookie_origin] = px_ctx.context[:cookie_origin]
 
       px_data = {
         :type       => activity_type,
@@ -49,41 +52,61 @@ module PxModule
 
     def send_block_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_block_activities])
         @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
         return
       end
 
       details = {
-        :block_uuid => px_ctx.context[:uuid],
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid => px_ctx.context[:uuid],
         :block_score => px_ctx.context[:score],
-        :block_reason => px_ctx.context[:blocking_reason]
+        :block_reason => px_ctx.context[:blocking_reason],
+        :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
 
     end
 
     def send_page_requested_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_page_activities])
         return
       end
 
       details = {
         :http_version  => px_ctx.context[:http_version],
         :http_method   => px_ctx.context[:http_method],
-        :client_uuid   => px_ctx.context[:uuid]
+        :client_uuid   => px_ctx.context[:uuid],
+        :pass_reason  => px_ctx.context[:pass_reason]
       }
 
       if (px_ctx.context.key?(:decoded_cookie))
         details[:px_cookie] = px_ctx.context[:decoded_cookie]
       end
 
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       if (px_ctx.context.key?(:cookie_hmac))
         details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
       end
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
       send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
     end
   end

data/lib/perimeterx/internal/exceptions/px_config_exception.rb

@@ -0,0 +1,6 @@
+class PxConfigurationException < StandardError
+    def initialize(msg)
+     super(msg)
+   end
+  end
+  

data/lib/perimeterx/internal/first_party/px_first_party.rb

@@ -0,0 +1,124 @@
+require 'perimeterx/internal/perimeter_x_context'
+module PxModule
+    class FirstPartyManager
+        def initialize(px_config, px_http_client, logger)
+            @px_config = px_config
+            @app_id = px_config[:app_id]
+            @px_http_client = px_http_client
+            @logger = logger
+            @from = [
+                "/#{@app_id[2..-1]}/init.js",
+                "/#{@app_id[2..-1]}/captcha",
+                "/#{@app_id[2..-1]}/xhr"
+            ]
+        end
+
+        def send_first_party_request(req)
+            uri = URI.parse(req.original_url)
+            url_path = uri.path
+            
+            headers = extract_headers(req)
+            headers["x-px-first-party"] = "1"
+            headers["x-px-enforcer-true-ip"] = PerimeterXContext.extract_ip(req, @px_config)
+
+            if url_path.start_with?(@from[0])
+                return get_client(req, uri, headers)
+            elsif url_path.start_with?(@from[1]) 
+                return get_captcha(req, uri, headers)
+            elsif url_path.start_with?(@from[2])
+                return send_xhr(req, uri, headers)
+            else
+                return nil
+            end
+        end
+
+        def get_client(req, uri, headers)
+            @logger.debug("FirstPartyManager[get_client]")
+            
+            # define host
+            headers["host"] = PxModule::CLIENT_HOST
+            
+            # define request url
+            url = "#{uri.scheme}://#{PxModule::CLIENT_HOST}/#{@app_id}/main.min.js"
+            
+            # send request
+            return @px_http_client.get(url, headers)
+        end
+
+        def get_captcha(req, uri, headers)
+            @logger.debug("FirstPartyManager[get_captcha]")
+            
+            # define host
+            headers["host"] = PxModule::CAPTCHA_HOST
+
+            # define request url
+            path_and_query = uri.request_uri
+            uri_suffix = path_and_query.sub "/#{@app_id[2..-1]}/captcha", ""
+            url = "#{uri.scheme}://#{PxModule::CAPTCHA_HOST}#{uri_suffix}"
+
+            # send request
+            return @px_http_client.get(url, headers)
+        end
+        
+        def send_xhr(req, uri, headers)
+            @logger.debug("FirstPartyManager[send_xhr]")
+
+            # handle vid cookies
+            if !req.cookies.nil?
+                if req.cookies.key?("_pxvid")
+                    vid = PerimeterXContext.force_utf8(req.cookies["_pxvid"])
+                    if headers.key?('cookie')
+                        headers['cookie'] += "; pxvid=#{vid}";
+                    else
+                        headers['cookie'] = "pxvid=#{vid}";
+                    end
+                end
+            end
+
+            # define host
+            headers["host"] = "collector-#{@app_id.downcase}.perimeterx.net"
+            
+            # define request url
+            path_and_query = uri.request_uri
+            path_suffix = path_and_query.sub "/#{@app_id[2..-1]}/xhr", ""
+            url = "#{uri.scheme}://collector-#{@app_id.downcase}.perimeterx.net#{path_suffix}"
+
+            # send request
+            return @px_http_client.post_xhr(url, req.body.string, headers)
+        end
+
+        def extract_headers(req)
+            headers = Hash.new
+            req.headers.each do |k, v|
+                if (k.start_with? 'HTTP_') && (!@px_config[:sensitive_headers].include? k)
+                    header = k.to_s.gsub('HTTP_', '')
+                    header = header.gsub('_', '-').downcase
+                    headers[header] = PerimeterXContext.force_utf8(v)
+                end
+            end
+            return headers
+        end
+
+        # -1 - not first party request
+        # 0 - /init.js
+        # 1 - /captcha
+        # 2 - /xhr
+        def get_first_party_request_type(req)
+            url_path = URI.parse(req.original_url).path
+            @from.each_with_index do |val,index|
+                if url_path.start_with?(val)
+                    return index
+                end
+            end
+            return -1
+        end
+
+        def is_first_party_request(req)
+            return get_first_party_request_type(req) != -1
+        end
+
+        def get_response_content_type(req)
+            return get_first_party_request_type(req) == 2 ? :json : :js
+        end
+    end
+end

data/lib/perimeterx/internal/payload/perimeter_x_payload.rb

@@ -108,6 +108,9 @@ module PxModule
         px_cookie = px_cookie.gsub(' ', '+')
         salt, iterations, cipher_text = px_cookie.split(':')
         iterations = iterations.to_i
+        if (iterations > @px_config[:risk_cookie_max_iterations] || iterations < 500)
+          return
+        end
         salt = Base64.decode64(salt)
         cipher_text = Base64.decode64(cipher_text)
         digest = OpenSSL::Digest::SHA256.new

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,10 +1,33 @@
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 
 module PxModule
   class PerimeterXContext
 
     attr_accessor :context
     attr_accessor :px_config
+    
+    # class methods
+
+    def self.extract_ip(req, px_config)
+      # Get IP from header/custom function
+      if px_config[:ip_headers].length() > 0
+        px_config[:ip_headers].each do |ip_header|
+          if req.headers[ip_header]
+            return PerimeterXContext.force_utf8(req.headers[ip_header])
+          end
+        end
+      elsif px_config[:ip_header_function] != nil
+        return px_config[:ip_header_function].call(req) 
+      end      
+      return req.ip
+    end
+
+    def self.force_utf8(str)
+      return str.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+    end
+
+    # instance methods
 
     def initialize(px_config, req)
       @logger = px_config[:logger]
@@ -14,27 +37,41 @@ module PxModule
       @context[:px_cookie] = Hash.new
       @context[:headers] = Hash.new
       @context[:cookie_origin] = 'cookie'
+      @context[:made_s2s_risk_api_call] = false
+      @context[:first_party_enabled] = px_config[:first_party_enabled]
+      
       cookies = req.cookies
 
+      @context[:ip] = PerimeterXContext.extract_ip(req, px_config)
+
       # Get token from header
       if req.headers[PxModule::TOKEN_HEADER]
         @context[:cookie_origin] = 'header'
-        token = req.headers[PxModule::TOKEN_HEADER]
-        if token.include? ':'
-          exploded_token = token.split(':', 2)
-          cookie_sym = "v#{exploded_token[0]}".to_sym
-          @context[:px_cookie][cookie_sym] = exploded_token[1]
+        token = PerimeterXContext.force_utf8(req.headers[PxModule::TOKEN_HEADER])
+        if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+          @context[:px_cookie][:v3] = token[2..-1]
+        elsif token.match(PxModule::MOBILE_ERROR_REGEX)
+          @context[:mobile_error] = token
+          if req.headers[PxModule::ORIGINAL_TOKEN_HEADER]
+            token = PerimeterXContext.force_utf8(req.headers[PxModule::ORIGINAL_TOKEN_HEADER])
+            if token.match(PxModule::MOBILE_TOKEN_V3_REGEX)
+              @context[:px_cookie][:v3] = token[2..-1]
+            end
+          end
         end
       elsif !cookies.empty? # Get cookie from jar
         # Prepare hashed cookies
         cookies.each do |k, v|
           case k.to_s
             when '_px3'
-              @context[:px_cookie][:v3] = v
+              @context[:px_cookie][:v3] = PerimeterXContext.force_utf8(v)
             when '_px'
-              @context[:px_cookie][:v1] = v
-            when '_pxCaptcha'
-              @context[:px_captcha] = v
+              @context[:px_cookie][:v1] = PerimeterXContext.force_utf8(v)
+            when '_pxvid'
+              if v.is_a?(String) && v.match(PxModule::VID_REGEX)
+                @context[:vid_source] = "vid_cookie"
+                @context[:vid] = PerimeterXContext.force_utf8(v)
+              end
           end
         end #end case
       end #end empty cookies
@@ -43,10 +80,10 @@ module PxModule
         if (k.start_with? 'HTTP_')
           header = k.to_s.gsub('HTTP_', '')
           header = header.gsub('_', '-').downcase
-          @context[:headers][header.to_sym] = v
+          @context[:headers][header.to_sym] = PerimeterXContext.force_utf8(v)
         end
       end #end headers foreach
-
+      
       @context[:hostname]= req.server_name
       @context[:user_agent] = req.user_agent ? req.user_agent : ''
       @context[:uri] = px_config[:custom_uri] ? px_config[:custom_uri].call(req)  : req.fullpath 
@@ -54,14 +91,6 @@ module PxModule
       @context[:format] = req.format.symbol
       @context[:score] = 0
 
-      if px_config.key?(:custom_user_ip)
-        @context[:ip] = req.headers[px_config[:custom_user_ip]]
-      elsif px_config.key?(:px_custom_user_ip_method)
-        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
-      else
-        @context[:ip] = req.ip
-      end
-
       if req.server_protocol
           httpVer = req.server_protocol.split('/')
           if httpVer.size > 0
@@ -87,6 +116,8 @@ module PxModule
           return 'block'
         when 'j'
           return 'challenge'
+        when 'r'
+          return 'rate_limit'
         else
           return captcha
         end