perimeter_x 1.4.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 3dca9964af5aa39c20643f7e5d6f00271862f0de
-  data.tar.gz: e0f2a81bce3aa7c8b8eb0b0b73d70cc29f272dbc
+SHA256:
+  metadata.gz: a06a83f955ae265238a23df8471c062428cf82ba37612160a439c52af3568e79
+  data.tar.gz: 0eaeb8c8b424a219d155f933494c0baec382b96e707cb7af22e676ea83a1fd4f
 SHA512:
-  metadata.gz: 257d51330a1dc51e1ca2559559d7eb4e0ca6ebc891fd8bfcdd0171b4e31a5a3b4455f4c3b4227b6db7d403eeecb3bb1bb4b62e4e7cf72024d6efa89f5636bd3f
-  data.tar.gz: 4cd74c725090a46718716b782551e1e5bae7efb939818c1b34970bde070897d6d53334b5c54bb6df7f4a24291dd5ed608e2e39723e008647a07c4e2da8de6b07
+  metadata.gz: c615587bc9e1203636e0a74284aa9faadd3027dc50056929b4bb8fc2cdd6a86bdc0df10c94f3e262f0f313e518fc0397ac2b0b76669fe3e1b5afc85ad589567d
+  data.tar.gz: 22faae3132f9fce873829a0feec4b8f9bfcda420960a380d40a5101b4dae793969b8225a5376f2937954519a8c8cb1c20eb252fca096af77bff7980d5c223f71

data/.travis.yml

@@ -1,3 +1,3 @@
 language: ruby
 rvm:
-  - 2.3
+    - 2.7.1

data/Dockerfile

@@ -1,21 +1,26 @@
 # Based on manual compile instructions at http://wiki.nginx.org/HttpLuaModule#Installation
-FROM ruby:2.3.0
+FROM ruby:2.7.1
 
-RUN apt-get update && apt-get --force-yes -qq -y install \
- nodejs
-ENV RAILS_VERSION 4.2.0
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg -o /root/yarn-pubkey.gpg && apt-key add /root/yarn-pubkey.gpg
+RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
+RUN apt-get update && apt-get install -y --no-install-recommends nodejs yarn vim
+
+ENV RAILS_VERSION 6.0.3.2
 RUN gem install rails --version "$RAILS_VERSION"
 RUN gem install bundler
 RUN mkdir -p /tmp/ruby_sandbox
 WORKDIR /tmp/ruby_sandbox
-RUN git clone https://github.com/PerimeterX/perimeterx-ruby-sdk.git
+COPY lib /tmp/ruby_sandbox/lib
+COPY Gemfile /tmp/ruby_sandbox/
+COPY perimeter_x.gemspec /tmp/ruby_sandbox/
+COPY Rakefile /tmp/ruby_sandbox/
 RUN rails new webapp
 WORKDIR /tmp/ruby_sandbox/webapp
 
 RUN rails generate controller home index
 WORKDIR /tmp/ruby_sandbox/webapp
 EXPOSE 3000
-RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox/perimeterx-ruby-sdk"' /tmp/ruby_sandbox/webapp/Gemfile
+RUN sed -i '2i gem "perimeter_x", :path => "/tmp/ruby_sandbox"' /tmp/ruby_sandbox/webapp/Gemfile
 RUN bundler update
-COPY ./examples/ /tmp/ruby_sandbox/webapp
+COPY ./dev/site/ /tmp/ruby_sandbox/webapp
 CMD ["rails","server","-b","0.0.0.0"]

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    perimeter_x (1.3.0)
-      activesupport (>= 4.2.0)
+    perimeter_x (2.0.0)
+      activesupport (>= 5.2.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       mustache (~> 1.0, >= 1.0.3)
       typhoeus (~> 1.1, >= 1.1.2)
@@ -10,51 +10,52 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.0.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    concurrent-ruby (1.0.5)
-    diff-lcs (1.3)
-    ethon (0.10.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    concurrent-ruby (1.1.6)
+    diff-lcs (1.4.4)
+    ethon (0.12.0)
       ffi (>= 1.3.0)
-    ffi (1.9.18)
-    i18n (0.8.6)
-    metaclass (0.0.4)
-    minitest (5.10.1)
-    mocha (1.2.1)
-      metaclass (~> 0.0.1)
-    mustache (1.0.5)
-    rake (10.4.2)
-    rspec (3.5.0)
-      rspec-core (~> 3.5.0)
-      rspec-expectations (~> 3.5.0)
-      rspec-mocks (~> 3.5.0)
-    rspec-core (3.5.4)
-      rspec-support (~> 3.5.0)
-    rspec-expectations (3.5.0)
+    ffi (1.13.1)
+    i18n (1.8.3)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.1)
+    mocha (1.11.2)
+    mustache (1.1.1)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-mocks (3.5.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-support (3.5.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
     thread_safe (0.3.6)
-    typhoeus (1.1.2)
+    typhoeus (1.4.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.3)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.14)
+  bundler (>= 2.1)
   mocha (~> 1.2, >= 1.2.1)
   perimeter_x!
-  rake (~> 10.0)
+  rake (>= 12.3)
   rspec (~> 3.0)
 
 BUNDLED WITH
-   1.14.6
+   2.1.4

data/changelog.md

@@ -5,6 +5,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.0.0] - 2020-07-24
+### Added
+ - Added fields to Block Activity: simulated_block, http_version, http_method, risk_rtt, px_orig_cookie
+ - Added fields to page_requested activity: pass_reason, risk_rtt, px_orig_cookie
+ - Added px_orig_cookie field to risk_api in case of cookie_decryption_failed
+ - Added support for captcha v2
+ - Added support for Advanced Blocking Response
+ - Added support for whitelise routes
+ - Added support for bypass monitor header
+ - Added support for extracting vid from _pxvid cookie
+ - Added support for rate limit
+ - Added risk_cookie_max_iterations configuration
+
+### Fixed
+ - Updated dependencies
+ - Updated sample site dockerfile
+ - Fixed monitor mode
+ - Fixed send_page_activities and send_block_activities configurations
+ - Updated risk to v3
+ - Refactored ip header extraction
+ - Renamed block_uuid field to client_uuid
+ - Renamed perimeterx_server_host configuration to backend_url
+ - Updated risk_response handling: pass the request if risk_response.status is -1
+ - Forcing http header values to be utf8
+
 ## [1.4.0] - 2018-03-18
 ### Fixed
  - Incorrect assigment for s2s_call_reason

data/lib/perimeter_x.rb

@@ -1,6 +1,7 @@
 require 'concurrent'
 require 'json'
 require 'base64'
+require 'uri'
 require 'perimeterx/configuration'
 require 'perimeterx/utils/px_logger'
 require 'perimeterx/utils/px_constants'
@@ -10,7 +11,6 @@ require 'perimeterx/internal/perimeter_x_context'
 require 'perimeterx/internal/clients/perimeter_x_activity_client'
 require 'perimeterx/internal/validators/perimeter_x_s2s_validator'
 require 'perimeterx/internal/validators/perimeter_x_cookie_validator'
-require 'perimeterx/internal/validators/perimeter_x_captcha_validator'
 
 module PxModule
   # Module expose API
@@ -25,10 +25,7 @@ module PxModule
       return instance_exec(px_ctx, &px_config[:custom_verification_handler])
     end
 
-    # Invalidate _pxCaptcha, can be done only on the controller level
-    cookies[:_pxCaptcha] = {value: "", expires: -1.minutes.from_now}
-
-    unless px_ctx.nil? || px_ctx.context[:verified]
+    unless px_ctx.nil? || px_ctx.context[:verified] || (px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor])
       # In case custom block handler exists (soon to be deprecated)
       if px_config.key?(:custom_block_handler)
         px_config[:logger].debug("#{msg_title}: custom_block_handler triggered")
@@ -36,16 +33,50 @@ module PxModule
             "#{msg_title}: Please note that custom_block_handler is deprecated. Use custom_verification_handler instead.")
         return instance_exec(px_ctx, &px_config[:custom_block_handler])
       else
-        # Generate template
-        px_config[:logger].debug("#{msg_title}: sending default block page")
-        html = PxTemplateFactory.get_template(px_ctx, px_config)
-        response.headers['Content-Type'] = 'text/html'
-        response.status = 403
+        if px_ctx.context[:block_action]== 'rate_limit'
+          px_config[:logger].debug("#{msg_title}: sending rate limit page")
+          response.status = 429
+        else
+          px_config[:logger].debug("#{msg_title}: sending default block page")
+          response.status = 403
+        end
+
+        is_mobile = px_ctx.context[:cookie_origin] == 'header' ? '1' : '0'
+        action = px_ctx.context[:block_action][0,1]
+
+        px_template_object = {
+          block_script: "//#{PxModule::CAPTCHA_HOST}/#{px_config[:app_id]}/captcha.js?a=#{action}&u=#{px_ctx.context[:uuid]}&v=#{px_ctx.context[:vid]}&m=#{is_mobile}",
+          js_client_src: "//#{PxModule::CLIENT_HOST}/#{px_config[:app_id]}/main.min.js"
+        }
+
+        html = PxTemplateFactory.get_template(px_ctx, px_config, px_template_object)
+
         # Web handler
         if px_ctx.context[:cookie_origin] == 'cookie'
-          px_config[:logger].debug('#{msg_title}: web block')
-          response.headers['Content-Type'] = 'text/html'
-          render :html => html
+
+          accept_header_value = request.headers['accept'] || request.headers['content-type'];
+          is_json_response = px_ctx.context[:block_action] != 'rate_limit' && accept_header_value && accept_header_value.split(',').select {|e| e.downcase.include? 'application/json'}.length > 0;
+
+          if (is_json_response)
+            px_config[:logger].debug("#{msg_title}: advanced blocking response response")
+            response.headers['Content-Type'] = 'application/json'
+
+            hash_json = {
+                :appId => px_config[:app_id],
+                :jsClientSrc => px_template_object[:js_client_src],
+                :firstPartyEnabled => false,
+                :uuid => px_ctx.context[:uuid],
+                :vid => px_ctx.context[:vid],
+                :hostUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net",
+                :blockScript => px_template_object[:block_script],
+            }
+
+            render :json => hash_json
+          else
+            px_config[:logger].debug('#{msg_title}: web block')
+            response.headers['Content-Type'] = 'text/html'
+            render :html => html
+          end
         else # Mobile SDK
           px_config[:logger].debug("#{msg_title}: mobile sdk block")
           response.headers['Content-Type'] = 'application/json'
@@ -99,19 +130,27 @@ module PxModule
     #Instance Methods
     def verify(env)
       begin
+
+        # check module_enabled 
         @logger.debug('PerimeterX[pxVerify]')
         if !@px_config[:module_enabled]
           @logger.warn('Module is disabled')
           return nil
         end
-        req = ActionDispatch::Request.new(env)
-        px_ctx = PerimeterXContext.new(@px_config, req)
 
-        # Captcha phase
-        captcha_verified, px_ctx = @px_captcha_validator.verify(px_ctx)
-        if captcha_verified
-          return handle_verification(px_ctx)
+        req = ActionDispatch::Request.new(env)
+        
+        # filter whitelist routes
+        url_path = URI.parse(req.original_url).path
+        if url_path && !url_path.empty?
+          if check_whitelist_routes(px_config[:whitelist_routes], url_path)
+            @logger.debug("PerimeterX[pxVerify]: whitelist route: #{url_path}")
+            return nil
+          end
         end
+        
+        # create context
+        px_ctx = PerimeterXContext.new(@px_config, req)
 
         # Cookie phase
         cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
@@ -136,8 +175,7 @@ module PxModule
 
       @px_cookie_validator = PerimeterxCookieValidator.new(@px_config)
       @px_s2s_validator = PerimeterxS2SValidator.new(@px_config, @px_http_client)
-      @px_captcha_validator = PerimeterxCaptchaValidator.new(@px_config, @px_http_client)
-      @logger.debug('PerimeterX[initialize]Z')
+      @logger.debug('PerimeterX[initialize]')
     end
 
     private def handle_verification(px_ctx)
@@ -145,6 +183,8 @@ module PxModule
       @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
 
       score = px_ctx.context[:score]
+      px_ctx.context[:should_bypass_monitor] = @px_config[:bypass_monitor_header] && px_ctx.context[:headers][@px_config[:bypass_monitor_header].to_sym] == '1';
+
       px_ctx.context[:verified] = score < @px_config[:blocking_score]
       # Case PASS request
       if px_ctx.context[:verified]
@@ -157,8 +197,8 @@ module PxModule
       @px_activity_client.send_block_activity(px_ctx)
 
       # In case were in monitor mode, end here
-      if @px_config[:module_mode] == PxModule::MONITOR_MODE
-        @logger.debug('PerimeterX[handle_verification]: monitor mode is on, passing request')
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE && !px_ctx.context[:should_bypass_monitor]
+        @logger.debug("PerimeterX[handle_verification]: monitor mode is on, passing request")
         return px_ctx
       end
 
@@ -167,6 +207,18 @@ module PxModule
       return px_ctx
     end
 
+    private def check_whitelist_routes(whitelist_routes, path)
+      whitelist_routes.each do |whitelist_route|
+        if whitelist_route.is_a?(Regexp) && path.match(whitelist_route)
+          return true
+        end
+        if whitelist_route.is_a?(String) && path.start_with?(whitelist_route)
+          return true
+        end
+      end
+      false
+    end
+
     private_class_method :new
   end
 end

data/lib/perimeterx/configuration.rb

@@ -8,29 +8,33 @@ module PxModule
     attr_accessor :PX_DEFAULT
 
     PX_DEFAULT = {
-      :app_id                   => nil,
-      :cookie_key               => nil,
-      :auth_token               => nil,
-      :module_enabled           => true,
-      :captcha_provider         => "reCaptcha",
-      :challenge_enabled        => true,
-      :encryption_enabled       => true,
-      :blocking_score           => 70,
-      :sensitive_headers        => ["http-cookie", "http-cookies"],
-      :api_connect_timeout      => 1,
-      :api_timeout              => 1,
-      :max_buffer_len           => 10,
-      :send_page_activities     => true,
-      :send_block_activities    => true,
-      :sdk_name                 => PxModule::SDK_NAME,
-      :debug                    => false,
-      :module_mode              => PxModule::ACTIVE_MODE,
-      :local_proxy              => false,
-      :sensitive_routes         => []
+      :app_id                       => nil,
+      :cookie_key                   => nil,
+      :auth_token                   => nil,
+      :module_enabled               => true,
+      :challenge_enabled            => true,
+      :encryption_enabled           => true,
+      :blocking_score               => 100,
+      :sensitive_headers            => ["http-cookie", "http-cookies"],
+      :api_connect_timeout          => 1,
+      :api_timeout                  => 1,
+      :max_buffer_len               => 10,
+      :send_page_activities         => true,
+      :send_block_activities        => true,
+      :sdk_name                     => PxModule::SDK_NAME,
+      :debug                        => false,
+      :module_mode                  => PxModule::MONITOR_MODE,
+      :local_proxy                  => false,
+      :sensitive_routes             => [],
+      :whitelist_routes             => [],
+      :ip_headers                   => [],
+      :ip_header_function           => nil,
+      :bypass_monitor_header        => nil,
+      :risk_cookie_max_iterations   => 5000
     }
 
     def initialize(params)
-      PX_DEFAULT[:perimeterx_server_host] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
+      PX_DEFAULT[:backend_url] = "https://sapi-#{params[:app_id].downcase}.perimeterx.net"
       @configuration = PX_DEFAULT.merge(params)
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -49,41 +49,61 @@ module PxModule
 
     def send_block_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_block_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_block_activities])
         @logger.debug("PerimeterxActivitiesClients[send_block_activity]: sending activites is disabled")
         return
       end
 
       details = {
-        :block_uuid => px_ctx.context[:uuid],
+        :http_version  => px_ctx.context[:http_version],
+        :http_method   => px_ctx.context[:http_method],
+        :client_uuid => px_ctx.context[:uuid],
         :block_score => px_ctx.context[:score],
-        :block_reason => px_ctx.context[:blocking_reason]
+        :block_reason => px_ctx.context[:blocking_reason],
+        :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       send_to_perimeterx(PxModule::BLOCK_ACTIVITY, px_ctx, details)
 
     end
 
     def send_page_requested_activity(px_ctx)
       @logger.debug("PerimeterxActivitiesClients[send_page_requested_activity]")
-      if (!@px_config[:send_page_acitivites])
+      if (!@px_config[:send_page_activities])
         return
       end
 
       details = {
         :http_version  => px_ctx.context[:http_version],
         :http_method   => px_ctx.context[:http_method],
-        :client_uuid   => px_ctx.context[:uuid]
+        :client_uuid   => px_ctx.context[:uuid],
+        :pass_reason  => px_ctx.context[:pass_reason]
       }
 
       if (px_ctx.context.key?(:decoded_cookie))
         details[:px_cookie] = px_ctx.context[:decoded_cookie]
       end
 
+      if (px_ctx.context.key?(:px_orig_cookie))
+        details[:px_orig_cookie] = px_ctx.context[:px_orig_cookie]
+      end
+
       if (px_ctx.context.key?(:cookie_hmac))
         details[:px_cookie_hmac] = px_ctx.context[:cookie_hmac]
       end
 
+      if (px_ctx.context.key?(:risk_rtt))
+        details[:risk_rtt] = px_ctx.context[:risk_rtt]
+      end
+
       send_to_perimeterx(PxModule::PAGE_REQUESTED_ACTIVITY, px_ctx, details)
     end
   end