perimeter_x 2.3.1 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6018176a0638b42f0652e82640ef7e1365ab95eb2ab60eb590293abd46c6ada
-  data.tar.gz: 9f83381eebbf00b3d5ac3779471ca9b6a3b9f47d20186c73c09baf95e4cffabf
+  metadata.gz: ea98817074a862f9cf5dca2d01fd56ab31f3376e92fd695cd9a8a86c0713dea6
+  data.tar.gz: 302bf6d40f9e0e9a4776153a53fc5315bbd4047ccbc54dca5c082ecc6156900d
 SHA512:
-  metadata.gz: 5f68e2053d41f8e2a2e2e668c8db35f8d573c68840c9757210a7d5e52dcd46e38190c5579425c625afd4802df4c5333fe4069f582d71db61aadb6c78ac28c6f9
-  data.tar.gz: 1780884b590f3680969333f0c66d7e32b3ec402640fb5341e37cffcfef6904b79dc679c0de07acd291b0ddf7b6a46044add5f41a9713bff3b5bf6be0cd38c250
+  metadata.gz: 4ab3a9adfcc046a69e9c0c43c7fb603ba62b7bc793919d0560eaeec2fcf52f5521dea5b9665883ecfc9fd667017898aebe73466bebf560af522a141184b13a13
+  data.tar.gz: 6a7ee7cd89f58d34edf035fc7762361738922ead805232bc607450df2479bef4d5545a0e55243b65d355ff36442ff9fd6089fbea3abcf626fdd3b54f9ce7c8ac

data/.gitignore

@@ -17,6 +17,8 @@ examples/app/views/home/index.html.erb
 *.gem
 rerun.txt
 pickle-email-*.html
+.idea/
+.vscode/
 
 # TODO Comment out these rules if you are OK with secrets being uploaded to the repo
 config/initializers/secret_token.rb

data/Gemfile.lock

@@ -1,8 +1,7 @@
 PATH
   remote: .
   specs:
-    perimeter_x (2.0.0)
-      activesupport (>= 5.2.4.3)
+    perimeter_x (2.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       mustache (~> 1.0, >= 1.0.3)
       typhoeus (~> 1.1, >= 1.1.2)
@@ -10,20 +9,11 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.3.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    concurrent-ruby (1.1.6)
+    concurrent-ruby (1.1.10)
     diff-lcs (1.4.4)
-    ethon (0.12.0)
-      ffi (>= 1.3.0)
-    ffi (1.13.1)
-    i18n (1.8.3)
-      concurrent-ruby (~> 1.0)
-    minitest (5.14.1)
+    ethon (0.15.0)
+      ffi (>= 1.15.0)
+    ffi (1.15.5)
     mocha (1.11.2)
     mustache (1.1.1)
     rake (13.0.1)
@@ -40,12 +30,8 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
-    thread_safe (0.3.6)
     typhoeus (1.4.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
-    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby

data/changelog.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.3.2] - 2022-xx-xx
+
+### Changed
+
+- Removed dependency on Active Support
+- Replaced `eval()` calls with `JSON.parse()` for improved security
+- Small spec alignment changes (risk_api and block activities)
+
 ## [2.3.1] - 2022-04-11
 
 ### Fixed

data/lib/perimeterx/configuration.rb

@@ -82,8 +82,10 @@ module PxModule
       # merge request configuration into the basic configuration
       @configuration = @@basic_config.merge(params)
       validate_hash_schema(@configuration, CONFIG_SCHEMA)
-      
-      @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
+
+      if (! @configuration.key?(:backend_url))
+        @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
+      end
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end

data/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb

@@ -63,6 +63,7 @@ module PxModule
         :client_uuid => px_ctx.context[:uuid],
         :block_score => px_ctx.context[:score],
         :block_reason => px_ctx.context[:blocking_reason],
+        :block_action => px_ctx.context[:block_action],
         :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 

data/lib/perimeterx/internal/payload/perimeter_x_cookie_v3.rb

@@ -22,7 +22,7 @@ module PxModule
     end
 
     def valid_format?(cookie)
-      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:a)
     end
 
     def cookie_block_action

data/lib/perimeterx/internal/payload/perimeter_x_payload.rb

@@ -1,6 +1,6 @@
-require 'active_support/security_utils'
 require 'base64'
 require 'openssl'
+require 'json'
 require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
 
 module PxModule
@@ -123,7 +123,7 @@ module PxModule
         cipher.iv = iv
         plaintext = cipher.update(cipher_text) + cipher.final
 
-        return eval(plaintext)
+        return JSON.parse(plaintext, symbolize_names: true)
       rescue Exception => e
         @logger.debug("PerimeterxCookie[decrypt]: Cookie decrypt fail #{e.message}")
         raise PxCookieDecryptionException.new("Cookie decrypt fail => #{e.message}");
@@ -131,18 +131,26 @@ module PxModule
     end
 
     def decode(px_cookie)
-      return eval(Base64.decode64(px_cookie))
+      return JSON.parse(Base64.decode64(px_cookie), symbolize_names: true)
     end
 
 
     def hmac_valid?(hmac_str, cookie_hmac)
       hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
-      # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
-      password_correct = ActiveSupport::SecurityUtils.secure_compare(
-          ::Digest::SHA256.hexdigest(cookie_hmac),
-          ::Digest::SHA256.hexdigest(hmac)
-      )
+      password_correct = secure_compare(hmac, cookie_hmac)
+    end
+
+    def secure_compare(a, b)
+      # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/security_utils.rb
+      if (a.bytesize != b.bytesize)
+        return false
+      end
+
+      l = a.unpack "C#{a.bytesize}"
 
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
     end
   end
 end

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -101,17 +101,17 @@ module PxModule
 	  @context[:sensitive_route] = check_sensitive_route(px_config[:sensitive_routes], @context[:uri]) 
     end #end init
 
-	def check_sensitive_route(sensitive_routes, uri)
-		sensitive_routes.each do |sensitive_route|
-			return true if uri.start_with? sensitive_route
-		end
-    false
-	end
+    def check_sensitive_route(sensitive_routes, uri)
+      sensitive_routes.each do |sensitive_route|
+        return true if uri.start_with? sensitive_route
+      end
+      false
+    end
 
     def set_block_action_type(action)
       @context[:block_action] = case action
         when 'c'
-          'captcha'
+          return 'captcha'
         when 'b'
           return 'block'
         when 'j'
@@ -119,7 +119,7 @@ module PxModule
         when 'r'
           return 'rate_limit'
         else
-          return captcha
+          return 'captcha'
         end
     end
 

data/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb

@@ -1,3 +1,4 @@
+require 'json'
 require 'perimeterx/internal/clients/perimeter_x_risk_client'
 
 module PxModule
@@ -20,7 +21,6 @@ module PxModule
         :request => {
           :ip      => px_ctx.context[:ip],
           :headers => format_headers(px_ctx),
-          :uri     => px_ctx.context[:uri],
           :url     => px_ctx.context[:full_url]
         },
         :additional => {
@@ -103,7 +103,7 @@ module PxModule
       px_ctx.context[:made_s2s_risk_api_call] = true
 
       # From here response should be valid, if success or error
-      response_body = eval(response.body);
+      response_body = JSON.parse(response.body, symbolize_names: true);
       # When success
       if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action) && response_body.key?(:status) && response_body[:status] == 0 )
         @logger.debug("PerimeterxS2SValidator[verify]: response ok")

data/lib/perimeterx/version.rb

@@ -1,3 +1,3 @@
 module PxModule
-  VERSION = '2.3.1'
+  VERSION = '2.3.2'
 end

data/perimeter_x.gemspec

@@ -33,7 +33,6 @@ Gem::Specification.new do |gem|
   gem.add_dependency('concurrent-ruby', '~> 1.0', '>= 1.0.5')
   gem.add_dependency('typhoeus', '~> 1.1', '>= 1.1.2')
   gem.add_dependency('mustache', '~> 1.0', '>= 1.0.3')
-  gem.add_dependency('activesupport', '>= 5.2.4.3')
 
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'mocha', '~> 1.2', '>= 1.2.1'

data/px_metadata.json

@@ -1,5 +1,5 @@
 {
-    "version": "2.3.1",
+    "version": "2.3.2",
     "supported_features": [
         "additional_activity_handler",
         "advanced_blocking_response",

data/readme.md

@@ -5,7 +5,7 @@
 [PerimeterX](http://www.perimeterx.com) Ruby SDK
 =============================================================
 
-> Latest stable version: [v2.3.1](https://rubygems.org/gems/perimeter_x)
+> Latest stable version: [v2.3.2](https://rubygems.org/gems/perimeter_x)
 
 Table of Contents
 -----------------
@@ -161,14 +161,15 @@ params = {
 
 > Note: IP extraction, according to your network setup, is very important. It is common to have a load balancer/proxy on top of your applications, in which case the PerimeterX module will send the system's internal IP as the user's. In order to properly perform processing and detection on server-to-server calls, PerimeterX module needs the real user's IP.
 
-By default the clients IP is taken from the ``REMOTE_ADDR`` header, in case the user decides to use different header or custom function that extract the header the following key should be added to the configuration
+By default the clients IP is taken from the `REMOTE_ADDR` header, in case the user decides to use different header or custom function that extract the header the following key should be added to the configuration.
 
 ***Custom header***
+> Note: If there are multiple headers configured, the module will evaluate the headers in order and use the first value it finds.
 ```ruby
 configuration = {
   "app_id" => <APP_ID>,
   "auth_token" => <AUTH_TOKEN>,
-  "custom_user_ip" => <HTTP_HEADER_NAME>,
+  "ip_headers" => [<HTTP_HEADER_NAME>, <BACKUP_HTTP_HEADER_NAME>],
 ```
 
 ***Custom Function***
@@ -178,7 +179,7 @@ configuration = {
 configuration = {
   "app_id" => <APP_ID>,
   "auth_token" => <AUTH_TOKEN>,
-  "custom_user_ip_method" => -> (req) {
+  "ip_header_function" => -> (req) {
     # Method body
     return "1.2.3.4"
   }
@@ -214,14 +215,14 @@ params = [
 > Note: Custom logo/js/css can be added together
 
 <a name="logging"></a>**No Blocking, Monitor Only**
-Default mode: PxModule::ACTIVE_MODE
+Default mode: PxModule::MONITOR_MODE
 
 - PxModule::ACTIVE_MODE - Module blocks users crossing the predefined block threshold. Server-to-server requests are sent synchronously.
 
-- PxModule::$MONITOR_MODE - Module does not block users crossing the predefined block threshold. The `custom_block_handler` function will be eval'd in case one is supplied, upon crossing the defined block threshold.
+- PxModule::MONITOR_MODE - Module does not block users crossing the predefined block threshold. The `custom_block_handler` function will be eval'd in case one is supplied, upon crossing the defined block threshold.
 
 ```ruby
-params[:module_mode] = PxModule::MONITOR_MODE
+params[:module_mode] = PxModule::ACTIVE_MODE
 ```
 
 <a name="custom-uri"></a>**Custom URI**

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: perimeter_x
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.3.2
 platform: ruby
 authors:
 - Nitzan Goldfeder
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-04-11 00:00:00.000000000 Z
+date: 2022-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -98,20 +98,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.3
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 5.2.4.3
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 5.2.4.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement