perimeter_x 1.4.0 → 2.0.0

data/lib/perimeterx/internal/payload/perimeter_x_payload.rb

@@ -108,6 +108,9 @@ module PxModule
         px_cookie = px_cookie.gsub(' ', '+')
         salt, iterations, cipher_text = px_cookie.split(':')
         iterations = iterations.to_i
+        if (iterations > @px_config[:risk_cookie_max_iterations] || iterations < 500)
+          return
+        end
         salt = Base64.decode64(salt)
         cipher_text = Base64.decode64(cipher_text)
         digest = OpenSSL::Digest::SHA256.new

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -1,4 +1,5 @@
 require 'perimeterx/utils/px_logger'
+require 'perimeterx/utils/px_constants'
 
 module PxModule
   class PerimeterXContext
@@ -17,27 +18,45 @@ module PxModule
       @context[:made_s2s_risk_api_call] = false
       cookies = req.cookies
 
+      # Get IP from header/custom function
+      if px_config[:ip_headers].length() > 0
+        px_config[:ip_headers].each do |ip_header|
+          if req.headers[ip_header]
+            @context[:ip]  = force_utf8(req.headers[ip_header])
+          end
+        end
+      elsif px_config[:ip_header_function] != nil
+        @context[:ip] = px_config[:ip_header_function].call(req)
+      end
+
+      if @context[:ip] == nil
+        @context[:ip] = req.ip
+      end
+
       # Get token from header
       if req.headers[PxModule::TOKEN_HEADER]
         @context[:cookie_origin] = 'header'
-        token = req.headers[PxModule::TOKEN_HEADER]
+        token = force_utf8(req.headers[PxModule::TOKEN_HEADER])
         if token.include? ':'
           exploded_token = token.split(':', 2)
           cookie_sym = "v#{exploded_token[0]}".to_sym
           @context[:px_cookie][cookie_sym] = exploded_token[1]
         else  # TOKEN_HEADER exists yet there's no ':' delimiter - may indicate an error (storing original value)
-          @context[:px_cookie] = req.headers[PxModule::TOKEN_HEADER]
+          @context[:px_cookie] = force_utf8(req.headers[PxModule::TOKEN_HEADER])
         end
       elsif !cookies.empty? # Get cookie from jar
         # Prepare hashed cookies
         cookies.each do |k, v|
           case k.to_s
             when '_px3'
-              @context[:px_cookie][:v3] = v
+              @context[:px_cookie][:v3] = force_utf8(v)
             when '_px'
-              @context[:px_cookie][:v1] = v
-            when '_pxCaptcha'
-              @context[:px_captcha] = v
+              @context[:px_cookie][:v1] = force_utf8(v)
+            when '_pxvid'
+              if v.is_a?(String) && v.match(PxModule::VID_REGEX)
+                @context[:vid_source] = "vid_cookie"
+                @context[:vid] = force_utf8(v)
+              end
           end
         end #end case
       end #end empty cookies
@@ -46,7 +65,7 @@ module PxModule
         if (k.start_with? 'HTTP_')
           header = k.to_s.gsub('HTTP_', '')
           header = header.gsub('_', '-').downcase
-          @context[:headers][header.to_sym] = v
+          @context[:headers][header.to_sym] = force_utf8(v)
         end
       end #end headers foreach
 
@@ -57,14 +76,6 @@ module PxModule
       @context[:format] = req.format.symbol
       @context[:score] = 0
 
-      if px_config.key?(:custom_user_ip)
-        @context[:ip] = req.headers[px_config[:custom_user_ip]]
-      elsif px_config.key?(:px_custom_user_ip_method)
-        @context[:ip] = px_config[:px_custom_user_ip_method].call(req)
-      else
-        @context[:ip] = req.ip
-      end
-
       if req.server_protocol
           httpVer = req.server_protocol.split('/')
           if httpVer.size > 0
@@ -82,6 +93,10 @@ module PxModule
     false
 	end
 
+  def force_utf8(str)
+    return str.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+  end
+
     def set_block_action_type(action)
       @context[:block_action] = case action
         when 'c'
@@ -90,6 +105,8 @@ module PxModule
           return 'block'
         when 'j'
           return 'challenge'
+        when 'r'
+          return 'rate_limit'
         else
           return captcha
         end

data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb

@@ -47,16 +47,22 @@ module PxModule
         cookie = PerimeterxPayload.px_cookie_factory(px_ctx, @px_config)
         if !cookie.deserialize()
           @logger.warn("PerimeterxCookieValidator:[verify]: invalid cookie")
+          px_ctx.context[:px_orig_cookie] = px_ctx.get_px_cookie
           px_ctx.context[:s2s_call_reason] =  PxModule::COOKIE_DECRYPTION_FAILED
           return false, px_ctx
         end
         px_ctx.context[:decoded_cookie] = cookie.decoded_cookie
         px_ctx.context[:score] = cookie.cookie_score()
         px_ctx.context[:uuid] = cookie.decoded_cookie[:u]
-        px_ctx.context[:vid] = cookie.decoded_cookie[:v]
         px_ctx.context[:block_action] = px_ctx.set_block_action_type(cookie.cookie_block_action())
         px_ctx.context[:cookie_hmac] = cookie.cookie_hmac()
 
+        vid = cookie.decoded_cookie[:v]
+        if vid.is_a?(String) && vid.match(PxModule::VID_REGEX)
+          px_ctx.context[:vid_source] = "risk_cookie"
+          px_ctx.context[:vid] = vid
+        end
+
         if cookie.expired?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie expired")
           px_ctx.context[:s2s_call_reason] = PxModule::EXPIRED_COOKIE
@@ -83,10 +89,11 @@ module PxModule
 
         @logger.debug("PerimeterxCookieValidator:[verify]: cookie validation passed succesfully")
 
+        px_ctx.context[:pass_reason] = 'cookie'
         return true, px_ctx
       rescue Exception => e
         @logger.error("PerimeterxCookieValidator:[verify]: exception while verifying cookie => #{e.message}")
-        px_ctx.context[:px_orig_cookie] = cookie.px_cookie
+        px_ctx.context[:px_orig_cookie] = px_ctx.context[:px_cookie]
         px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
         return false, px_ctx
       end

data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb

@@ -67,11 +67,19 @@ module PxModule
       };
 
       # Custom risk handler
+      risk_start = Time.now
       if (risk_mode == PxModule::ACTIVE_MODE && @px_config.key?(:custom_risk_handler))
-        response = @px_config[:custom_risk_handler].call(PxModule::API_V2_RISK, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+        response = @px_config[:custom_risk_handler].call(PxModule::API_V3_RISK, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
       else
-        response = @http_client.post(PxModule::API_V2_RISK , request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+        response = @http_client.post(PxModule::API_V3_RISK , request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
       end
+
+      # Set risk_rtt
+      if(response)
+        risk_end = Time.now
+        px_ctx.context[:risk_rtt] = ((risk_end-risk_start)*1000).round
+      end
+
       return response
     end
 
@@ -79,6 +87,7 @@ module PxModule
       @logger.debug("PerimeterxS2SValidator[verify]")
       response = send_risk_request(px_ctx)
       if (!response)
+        px_ctx.context[:pass_reason] = "s2s_timeout"
         return px_ctx
       end
       px_ctx.context[:made_s2s_risk_api_call] = true
@@ -86,7 +95,7 @@ module PxModule
       # From here response should be valid, if success or error
       response_body = eval(response.body);
       # When success
-      if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action))
+      if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action) && response_body.key?(:status) && response_body[:status] == 0 )
         @logger.debug("PerimeterxS2SValidator[verify]: response ok")
         score = response_body[:score]
         px_ctx.context[:score] = score
@@ -97,13 +106,17 @@ module PxModule
           px_ctx.context[:blocking_reason] = 'challenge'
         elsif (score >= @px_config[:blocking_score])
           px_ctx.context[:blocking_reason] = 's2s_high_score'
+        else
+          px_ctx.context[:pass_reason] = 's2s'
         end #end challange or blocking score
       end #end success response
 
       # When error
-      if(response.code != 200)
-        @logger.warn("PerimeterxS2SValidator[verify]: bad response, return code #{response.code}")
-        px_ctx.context[:uuid] = ""
+      risk_error_status = response_body && response_body.key?(:status) && response_body[:status] == -1
+      if(response.code != 200 || risk_error_status)
+        @logger.warn("PerimeterxS2SValidator[verify]: bad response, returned code #{response.code} #{risk_error_status ? "risk status: -1" : ""}")
+        px_ctx.context[:pass_reason] = 'request_failed'
+        px_ctx.context[:uuid] = (!response_body || response_body[:uuid].nil?)? "" : response_body[:uuid]
         px_ctx.context[:s2s_error_msg] = !response_body || response_body[:message].nil? ? 'unknown' : response_body[:message]
       end
 

data/lib/perimeterx/utils/px_constants.rb

@@ -10,8 +10,7 @@ module PxModule
 
   # Routes
   API_V1_S2S = '/api/v1/collector/s2s'
-  API_CAPTCHA = '/api/v2/risk/captcha'
-  API_V2_RISK = '/api/v2/risk'
+  API_V3_RISK = '/api/v3/risk'
 
   # Activity Types
   BLOCK_ACTIVITY = 'block'
@@ -27,8 +26,9 @@ module PxModule
   SENSITIVE_ROUTE = 'sensitive_route'
 
   # Templates
-  BLOCK_TEMPLATE = 'block'
+  CHALLENGE_TEMPLATE = 'block_template'
   TEMPLATE_EXT = '.mustache'
+  RATELIMIT_TEMPLATE = 'ratelimit'
 
 
   # Template Props
@@ -40,7 +40,14 @@ module PxModule
   PROP_CUSTOM_LOGO = :customLogo
   PROP_CSS_REF = :cssRef
   PROP_JS_REF = :jsRef
-  HOST_URL = :hostUrl
+  PROP_BLOCK_SCRIPT = :blockScript
+  PROP_JS_CLIENT_SRC = :jsClientSrc
+  PROP_HOST_URL = :hostUrl
+  PROP_FIRST_PARTY_ENABLED = :firstPartyEnabled
+
+  # Hosts
+  CLIENT_HOST = 'client.px-cloud.net'
+  CAPTCHA_HOST = 'captcha.px-cloud.net'
 
   VISIBLE = 'visible'
   HIDDEN = 'hidden'
@@ -49,4 +56,7 @@ module PxModule
   TOKEN_HEADER = 'X-PX-AUTHORIZATION'
   MOBILE_SDK_CONNECTION_ERROR = 'mobile_sdk_connection_error'
   MOBILE_SDK_PINNING_ERROR = 'mobile_sdk_pinning_error'
+
+  # Regular Expressions
+  VID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/
 end

data/lib/perimeterx/utils/px_http_client.rb

@@ -12,7 +12,7 @@ module PxModule
     def initialize(px_config)
       @px_config = px_config
       @logger = px_config[:logger]
-      @logger.debug("PxHttpClient[initialize]: HTTP client is being initilized with base_uri: #{px_config[:perimeterx_server_host]}")
+      @logger.debug("PxHttpClient[initialize]: HTTP client is being initilized with base_uri: #{px_config[:backend_url]}")
     end
 
     # Runs a POST command to Perimeter X servers
@@ -28,7 +28,7 @@ module PxModule
       begin
         @logger.debug("PxHttpClient[post]: posting to #{path} headers {#{headers.to_json()}} body: {#{body.to_json()}} ")
         response = Typhoeus.post(
-            "#{px_config[:perimeterx_server_host]}#{path}",
+            "#{px_config[:backend_url]}#{path}",
             headers: headers,
             body: body.to_json,
             timeout: api_timeout,

data/lib/perimeterx/utils/px_template_factory.rb

@@ -3,23 +3,24 @@ require 'perimeterx/utils/px_constants'
 module PxModule
   module PxTemplateFactory
 
-    def self.get_template(px_ctx, px_config)
+    def self.get_template(px_ctx, px_config, px_template_object)
       logger = px_config[:logger]
       if (px_config[:challenge_enabled] && px_ctx.context[:block_action] == 'challenge')
         logger.debug('PxTemplateFactory[get_template]: px challange triggered')
         return px_ctx.context[:block_action_data].html_safe
       end
 
-      logger.debug('PxTemplateFactory[get_template]: rendering template')
-      template_type = px_ctx.context[:block_action] == 'captcha' ? px_config[:captcha_provider].downcase : BLOCK_TEMPLATE
+      view = Mustache.new
 
-      template_postfix = ''
-      if px_ctx.context[:cookie_origin] == 'header'
-        template_postfix = '.mobile'
+      if (px_ctx.context[:block_action] == 'rate_limit')
+        logger.debug('PxTemplateFactory[get_template]: rendering ratelimit template')
+        template_type = RATELIMIT_TEMPLATE
+      else
+        logger.debug('PxTemplateFactory[get_template]: rendering template')
+        template_type = CHALLENGE_TEMPLATE
       end
 
-      Mustache.template_file =  "#{File.dirname(__FILE__) }/templates/#{template_type}#{template_postfix}#{PxModule::TEMPLATE_EXT}"
-      view = Mustache.new
+      Mustache.template_file =  "#{File.dirname(__FILE__) }/templates/#{template_type}#{PxModule::TEMPLATE_EXT}"
 
       view[PxModule::PROP_APP_ID] = px_config[:app_id]
       view[PxModule::PROP_REF_ID] = px_ctx.context[:uuid]
@@ -28,8 +29,11 @@ module PxModule
       view[PxModule::PROP_CUSTOM_LOGO] = px_config[:custom_logo]
       view[PxModule::PROP_CSS_REF] = px_config[:css_ref]
       view[PxModule::PROP_JS_REF] = px_config[:js_ref]
-      view[PxModule::HOST_URL] = "https://collector-#{px_config[:app_id]}.perimeterx.net"
+      view[PxModule::PROP_HOST_URL] = "https://collector-#{px_config[:app_id]}.perimeterx.net"
       view[PxModule::PROP_LOGO_VISIBILITY] = px_config[:custom_logo] ? PxModule::VISIBLE : PxModule::HIDDEN
+      view[PxModule::PROP_BLOCK_SCRIPT] = px_template_object[:block_script]
+      view[PxModule::PROP_JS_CLIENT_SRC] = px_template_object[:js_client_src]
+      view[PxModule::PROP_FIRST_PARTY_ENABLED] = false
 
       return view.render.html_safe
     end

data/lib/perimeterx/utils/templates/{funcaptcha.mobile.mustache → block_template.mustache}

@@ -86,10 +86,9 @@
         }
     </style>
     <!-- Custom CSS -->
-    {{# cssRef }}
-        <link rel="stylesheet" type="text/css" href="{{ . }}"/>
-    {{/ cssRef }}
-    <script src="https://funcaptcha.com/fc/api/?onload=loadFunCaptcha" async defer></script>
+    {{#cssRef}}
+        <link rel="stylesheet" type="text/css" href="{{{cssRef}}}"/>
+    {{/cssRef}}
 </head>
 
 <body>
@@ -106,10 +105,9 @@
     </div>
     <div class="content-wrapper">
         <div class="content">
-            <p>
-                Please click "Verify" to continue
-            </p>
-            <div id="CAPTCHA"></div>
+
+            <div id="px-captcha">
+            </div>
             <p>
                 Access to this page has been denied because we believe you are using automation tools to browse the
                 website.
@@ -144,35 +142,34 @@
         </div>
     </div>
 </section>
-<!-- Captcha -->
+<!-- Px -->
 <script>
-
-    function loadFunCaptcha() {
-        var vid = '{{vid}}';
-        var uuid = '{{uuid}}';
-
-        new FunCaptcha({
-            public_key: "19E4B3B8-6CBE-35CC-4205-FC79ECDDA765",
-            target_html: "CAPTCHA",
-            callback: function () {
-                var expiryUtc = new Date(Date.now() + 1000 * 10).toUTCString();
-                var pxCaptcha = "_pxCaptcha=" + btoa(JSON.stringify({r: document.getElementById("FunCaptcha-Token").value, u: uuid, v: vid}));
-                var cookieParts = [
-                    pxCaptcha,
-                    "; expires=",
-                    expiryUtc,
-                    "; path=/"
-                ];
-
-                document.cookie = cookieParts.join("");
-                location.reload();
-            }
-        });
+    window._pxAppId = '{{appId}}';
+    window._pxJsClientSrc = '{{{jsClientSrc}}}';
+    window._pxFirstPartyEnabled = {{firstPartyEnabled}};
+    window._pxVid = '{{vid}}';
+    window._pxUuid = '{{uuid}}';
+    window._pxHostUrl = '{{{hostUrl}}}';
+</script>
+<script>
+    var s = document.createElement('script');
+    s.src = '{{{blockScript}}}';
+    var p = document.getElementsByTagName('head')[0];
+    p.insertBefore(s, null);
+    if ({{firstPartyEnabled}}) {
+        s.onerror = function () {
+            s = document.createElement('script');
+            var suffixIndex = '{{{blockScript}}}'.indexOf('captcha.js');
+            var temperedBlockScript = '{{{blockScript}}}'.substring(suffixIndex);
+            s.src = '//captcha.px-cdn.net/{{appId}}/' + temperedBlockScript;
+            p.parentNode.insertBefore(s, p);
+        };
     }
 </script>
+
 <!-- Custom Script -->
-{{# jsRef }}
-    <script src="{{ . }}"></script>
-{{/ jsRef }}
+{{#jsRef}}
+    <script src="{{{jsRef}}}"></script>
+{{/jsRef}}
 </body>
 </html>

data/lib/perimeterx/utils/templates/ratelimit.mustache

@@ -0,0 +1,9 @@
+<html>
+<head>
+    <title>Too Many Requests</title>
+</head>
+<body>
+    <h1>Too Many Requests</h1>
+    <p>Reached maximum requests limitation, try again soon.</p>
+</body>
+</html>

data/lib/perimeterx/version.rb

@@ -1,3 +1,3 @@
 module PxModule
-  VERSION = '1.4.0'
+  VERSION = '2.0.0'
 end

data/perimeter_x.gemspec

@@ -22,8 +22,8 @@ Gem::Specification.new do |gem|
   gem.bindir        = "exe"
   gem.executables   = gem.files.grep(%r{^exe/}) { |f| File.basename(f) }
   gem.require_paths = ["lib"]
-  gem.add_development_dependency "bundler", "~> 1.14"
-  gem.add_development_dependency "rake", "~> 10.0"
+  gem.add_development_dependency "bundler", ">= 2.1"
+  gem.add_development_dependency "rake", ">= 12.3"
 
   gem.extra_rdoc_files = ["readme.md", "changelog.md"]
   gem.rdoc_options     = ["--line-numbers", "--inline-source", "--title", "PerimeterX"]
@@ -33,7 +33,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency('concurrent-ruby', '~> 1.0', '>= 1.0.5')
   gem.add_dependency('typhoeus', '~> 1.1', '>= 1.1.2')
   gem.add_dependency('mustache', '~> 1.0', '>= 1.0.3')
-  gem.add_dependency('activesupport', '>= 4.2.0')
+  gem.add_dependency('activesupport', '>= 5.2.4.3')
 
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'mocha', '~> 1.2', '>= 1.2.1'

data/readme.md

@@ -29,6 +29,7 @@ Table of Contents
   *   [Additional Page Activity Handler](#additional-page-activity-handler)
   *   [Monitor Only](#logging)
   *   [Debug Mode](#debug-mode)
+  *   [Whitelist Routes](#whitelist-routes)
   
   **[Contributing](#contributing)**
 
@@ -87,7 +88,7 @@ All parameters are obtainable via the PerimeterX Portal. (Applications and Polic
 
 <a name="blocking-score"></a>**Changing the Minimum Score for Blocking**
 
->Note:  Default blocking value: 70
+>Note:  Default blocking value: 100
 
 ```ruby
 params = {
@@ -138,13 +139,13 @@ params = {
   ...
   :custom_verification_handler => -> (px_ctx) {
     block_score = px_ctx.context[:score];
-    block_uuid = px_ctx.context[:uuid];
+    client_uuid = px_ctx.context[:uuid];
     full_url = px_ctx.context[:full_url];
 
     html = "<html>
             <body>
             <div>Access to #{full_url} has been blocked.</div>    
-            <div>Block reference - #{block_uuid} </div>
+            <div>Block reference - #{client_uuid} </div>
             <div>Block score - #{block_score} </div>
             </body>
             </html>".html_safe
@@ -235,12 +236,11 @@ params[:captcha_enabled] = false
 
 The CAPTCHA part of the block page can use one of the following:
 * [reCAPTCHA](https://www.google.com/recaptcha)
-* [FunCaptcha](https://www.funcaptcha.com/)
 
 Default: 'reCaptcha'
 
 ```ruby
-captchaProvider = "funCaptcha"
+captchaProvider = "reCaptcha"
 ```
 
 <a name="custom-uri"></a>**Custom URI**
@@ -306,6 +306,16 @@ Enables debug logging mode to STDOUT
   params[:debug] = true
 ```
 
+<a name="whitelist-routes"></a>**Whitelist Routes**
+Default: []
+An array of route prefixes and/or regular expressions that are always whitelisted and not validated by PerimeterX.
+A string value of a path will be treated as a prefix.
+A regexp value of a path will be treated as is.
+
+```ruby
+  params[:whitelist_routes] = ["/example", /\A\/example\z/]
+```
+
 <a name="contributing"></a># Contributing #
 ------------------------------
 The following steps are welcome when contributing to our project.