perimeterx-js-core 0.26.0 → 0.26.2

package/lib/cjs/risk_api/client/GetRiskApiClientV2.js

@@ -21,6 +21,7 @@ var http_1 = require("../../http/index.js");
 var risk_response_1 = require("../risk_response/index.js");
 var model_1 = require("../model/index.js");
 var utils_1 = require("../utils.js");
+var utils_2 = require("../../utils/index.js");
 var GetRiskApiClientV2 = /** @class */ (function (_super) {
     __extends(GetRiskApiClientV2, _super);
     function GetRiskApiClientV2(config, httpClient) {
@@ -35,34 +36,47 @@ var GetRiskApiClientV2 = /** @class */ (function (_super) {
     };
     GetRiskApiClientV2.prototype.getRiskActivityHeaders = function (context) {
         var riskHeaders = this.getRiskHeaders();
-        var requestHeaders = this.getRequestHeadersForRisk(context);
         var riskActivityHeaders = this.riskActivityToHeaders((0, utils_1.createRiskApiActivity)(this.config, context));
-        return Object.assign(requestHeaders, riskActivityHeaders, riskHeaders);
+        return Object.assign(this.finalizeHeaders(riskActivityHeaders), riskHeaders);
     };
-    GetRiskApiClientV2.prototype.getRequestHeadersForRisk = function (context) {
+    GetRiskApiClientV2.prototype.addHeadersFromRiskActivityHeaderEntries = function (headers, headerEntries) {
         var HEADERS_TO_DELETE = [http_1.CONTENT_LENGTH_HEADER_NAME, http_1.CONTENT_TYPE_HEADER_NAME, http_1.AUTHORIZATION_HEADER_NAME];
-        var headers = {};
-        Object.entries(context.requestData.headers).forEach(function (_a) {
-            var key = _a[0], value = _a[1];
-            if (!HEADERS_TO_DELETE.includes(key.toLowerCase())) {
-                headers[key] = value.concat();
+        headerEntries.forEach(function (_a) {
+            var name = _a.name, value = _a.value;
+            if (!HEADERS_TO_DELETE.includes(name.toLowerCase())) {
+                headers[name] = [value];
             }
         });
         return headers;
     };
     GetRiskApiClientV2.prototype.riskActivityToHeaders = function (riskActivity) {
         var headers = {};
+        // order matters, risk activity field headers should override any request headers with the same name
+        this.addHeadersFromRiskActivityHeaderEntries(headers, riskActivity.request.headers);
         this.addHeadersFromObject(headers, riskActivity, model_1.RISK_ACTIVITY_FIELDS_TO_HEADER_NAMES);
         this.addHeadersFromObject(headers, riskActivity.request, model_1.RISK_ACTIVITY_REQUEST_FIELDS_TO_HEADER_NAMES);
         this.addHeadersFromObject(headers, riskActivity.additional, model_1.RISK_ACTIVITY_ADDITIONAL_FIELDS_TO_HEADER_NAMES);
         return headers;
     };
+    GetRiskApiClientV2.prototype.finalizeHeaders = function (headers) {
+        var _this = this;
+        return Object.fromEntries(Object.entries(headers).filter(function (_a) {
+            var name = _a[0], value = _a[1];
+            return _this.shouldFilterHeader(name, value);
+        }));
+    };
+    GetRiskApiClientV2.prototype.shouldFilterHeader = function (headerName, headerValue) {
+        return (0, utils_2.isAscii)(headerName) && headerValue.every(function (value) { return (0, utils_2.isAscii)(value); });
+    };
     GetRiskApiClientV2.prototype.addHeadersFromObject = function (headers, object, headerNamesMap) {
-        Object.entries(object).forEach(function (_a) {
-            var key = _a[0], value = _a[1];
-            var headerConversionObject = headerNamesMap[key];
-            if (headerConversionObject && value != null) {
-                var header = headerConversionObject.header, convertToString = headerConversionObject.convertToString;
+        Object.entries(headerNamesMap).forEach(function (_a) {
+            var key = _a[0], headerConversionObject = _a[1];
+            if (!headerConversionObject) {
+                return;
+            }
+            var header = headerConversionObject.header, convertToString = headerConversionObject.convertToString;
+            var value = object[key];
+            if (value != null) {
                 var strValue = convertToString
                     ? convertToString(value)
                     : typeof value === 'string'
@@ -70,6 +84,10 @@ var GetRiskApiClientV2 = /** @class */ (function (_super) {
                         : "".concat(value);
                 headers[header] = [strValue];
             }
+            else {
+                // delete so that user cannot spoof
+                delete headers[header];
+            }
         });
     };
     GetRiskApiClientV2.prototype.createRiskResponse = function (response) {

package/lib/cjs/utils/constants.js

@@ -14,4 +14,4 @@ exports.PUSH_DATA_FEATURE_HEADER_NAME = 'x-px-feature';
 exports.EMAIL_ADDRESS_REGEX = /^[a-zA-Z0-9_+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/;
 exports.URL_REGEX = /^(https?:)\/\/(([^@\s:\/]+):?([^@\s\/]*)@)?(([^:\/?#]*)(?:\:([0-9]+))?)(\/?[^?#]*)(\?[^#]*|)(#.*|)$/;
 exports.REGEX_STRUCTURE = /^\/(.+?)\/([gimsuyvd]*)$/;
-exports.CORE_MODULE_VERSION = 'JS Core 0.26.0';
+exports.CORE_MODULE_VERSION = 'JS Core 0.26.2';

package/lib/cjs/utils/utils.js

@@ -36,7 +36,7 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
     }
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isNullOrUndefined = exports.isValidTokenVersion = exports.telemetryConfigReplacer = exports.convertRegexStringToRegex = exports.algoToCryptoString = exports.algoToSubtleCryptoString = exports.sleep = exports.getPropertyFromObject = exports.rejectOnTimeout = exports.isStringMatch = exports.isStringInPatterns = exports.removeSensitiveHeaders = exports.redactSensitiveFields = exports.getExtension = exports.getAuthorizationHeader = exports.getCollectorDomain = exports.getScoreApiDomain = exports.isEmailAddress = exports.isValidUuid = exports.isValidEnumValue = void 0;
+exports.isAscii = exports.isNullOrUndefined = exports.isValidTokenVersion = exports.telemetryConfigReplacer = exports.convertRegexStringToRegex = exports.algoToCryptoString = exports.algoToSubtleCryptoString = exports.sleep = exports.getPropertyFromObject = exports.rejectOnTimeout = exports.isStringMatch = exports.isStringInPatterns = exports.removeSensitiveHeaders = exports.redactSensitiveFields = exports.getExtension = exports.getAuthorizationHeader = exports.getCollectorDomain = exports.getScoreApiDomain = exports.isEmailAddress = exports.isValidUuid = exports.isValidEnumValue = void 0;
 var http_1 = require("../http/index.js");
 var error_1 = require("./error/index.js");
 var constants_1 = require("./constants.js");
@@ -246,3 +246,5 @@ var isNullOrUndefined = function (value) {
     return value === null || value === undefined;
 };
 exports.isNullOrUndefined = isNullOrUndefined;
+var isAscii = function (str) { return str.split('').every(function (char) { return char <= '\x7F'; }); };
+exports.isAscii = isAscii;

package/lib/esm/risk_api/client/GetRiskApiClientV2.js

@@ -3,6 +3,7 @@ import { AUTHORIZATION_HEADER_NAME, CONTENT_LENGTH_HEADER_NAME, CONTENT_TYPE_HEA
 import { GetRiskResponseV2 } from '../risk_response/index.js';
 import { RISK_ACTIVITY_ADDITIONAL_FIELDS_TO_HEADER_NAMES, RISK_ACTIVITY_FIELDS_TO_HEADER_NAMES, RISK_ACTIVITY_REQUEST_FIELDS_TO_HEADER_NAMES, } from '../model/index.js';
 import { createRiskApiActivity } from '../utils.js';
+import { isAscii } from '../../utils/index.js';
 export class GetRiskApiClientV2 extends RiskApiClientBase {
     constructor(config, httpClient) {
         super(config, httpClient);
@@ -16,32 +17,41 @@ export class GetRiskApiClientV2 extends RiskApiClientBase {
     }
     getRiskActivityHeaders(context) {
         const riskHeaders = this.getRiskHeaders();
-        const requestHeaders = this.getRequestHeadersForRisk(context);
         const riskActivityHeaders = this.riskActivityToHeaders(createRiskApiActivity(this.config, context));
-        return Object.assign(requestHeaders, riskActivityHeaders, riskHeaders);
+        return Object.assign(this.finalizeHeaders(riskActivityHeaders), riskHeaders);
     }
-    getRequestHeadersForRisk(context) {
+    addHeadersFromRiskActivityHeaderEntries(headers, headerEntries) {
         const HEADERS_TO_DELETE = [CONTENT_LENGTH_HEADER_NAME, CONTENT_TYPE_HEADER_NAME, AUTHORIZATION_HEADER_NAME];
-        const headers = {};
-        Object.entries(context.requestData.headers).forEach(([key, value]) => {
-            if (!HEADERS_TO_DELETE.includes(key.toLowerCase())) {
-                headers[key] = value.concat();
+        headerEntries.forEach(({ name, value }) => {
+            if (!HEADERS_TO_DELETE.includes(name.toLowerCase())) {
+                headers[name] = [value];
             }
         });
         return headers;
     }
     riskActivityToHeaders(riskActivity) {
         const headers = {};
+        // order matters, risk activity field headers should override any request headers with the same name
+        this.addHeadersFromRiskActivityHeaderEntries(headers, riskActivity.request.headers);
         this.addHeadersFromObject(headers, riskActivity, RISK_ACTIVITY_FIELDS_TO_HEADER_NAMES);
         this.addHeadersFromObject(headers, riskActivity.request, RISK_ACTIVITY_REQUEST_FIELDS_TO_HEADER_NAMES);
         this.addHeadersFromObject(headers, riskActivity.additional, RISK_ACTIVITY_ADDITIONAL_FIELDS_TO_HEADER_NAMES);
         return headers;
     }
+    finalizeHeaders(headers) {
+        return Object.fromEntries(Object.entries(headers).filter(([name, value]) => this.shouldFilterHeader(name, value)));
+    }
+    shouldFilterHeader(headerName, headerValue) {
+        return isAscii(headerName) && headerValue.every((value) => isAscii(value));
+    }
     addHeadersFromObject(headers, object, headerNamesMap) {
-        Object.entries(object).forEach(([key, value]) => {
-            const headerConversionObject = headerNamesMap[key];
-            if (headerConversionObject && value != null) {
-                const { header, convertToString } = headerConversionObject;
+        Object.entries(headerNamesMap).forEach(([key, headerConversionObject]) => {
+            if (!headerConversionObject) {
+                return;
+            }
+            const { header, convertToString } = headerConversionObject;
+            const value = object[key];
+            if (value != null) {
                 const strValue = convertToString
                     ? convertToString(value)
                     : typeof value === 'string'
@@ -49,6 +59,10 @@ export class GetRiskApiClientV2 extends RiskApiClientBase {
                         : `${value}`;
                 headers[header] = [strValue];
             }
+            else {
+                // delete so that user cannot spoof
+                delete headers[header];
+            }
         });
     }
     createRiskResponse(response) {

package/lib/esm/utils/constants.js

@@ -11,4 +11,4 @@ export const PUSH_DATA_FEATURE_HEADER_NAME = 'x-px-feature';
 export const EMAIL_ADDRESS_REGEX = /^[a-zA-Z0-9_+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/;
 export const URL_REGEX = /^(https?:)\/\/(([^@\s:\/]+):?([^@\s\/]*)@)?(([^:\/?#]*)(?:\:([0-9]+))?)(\/?[^?#]*)(\?[^#]*|)(#.*|)$/;
 export const REGEX_STRUCTURE = /^\/(.+?)\/([gimsuyvd]*)$/;
-export const CORE_MODULE_VERSION = 'JS Core 0.26.0';
+export const CORE_MODULE_VERSION = 'JS Core 0.26.2';

package/lib/esm/utils/utils.js

@@ -170,3 +170,4 @@ export const telemetryConfigReplacer = (_key, value) => {
 };
 export const isValidTokenVersion = (tokenVersion) => Object.values(TokenVersion).includes(tokenVersion);
 export const isNullOrUndefined = (value) => value === null || value === undefined;
+export const isAscii = (str) => str.split('').every((char) => char <= '\x7F');

package/lib/types/risk_api/client/GetRiskApiClientV2.d.ts

@@ -4,12 +4,15 @@ import { IHttpClient, IIncomingResponse, OutgoingRequestImpl, ReadonlyHeaders }
 import { ReadonlyContext } from '../../context';
 import { IRiskResponse } from '../risk_response';
 import { RiskActivity } from '../model';
+import { HeaderEntry } from '../../activities';
 export declare class GetRiskApiClientV2<Req, Res, Added, Removed> extends RiskApiClientBase<Req, Res, Added, Removed> {
     constructor(config: IConfiguration<Req, Res, Added, Removed>, httpClient: IHttpClient);
     protected createRiskRequest(context: ReadonlyContext<Req, Res>): OutgoingRequestImpl;
     protected getRiskActivityHeaders(context: ReadonlyContext<Req, Res>): ReadonlyHeaders;
-    protected getRequestHeadersForRisk(context: ReadonlyContext<Req, Res>): Record<string, string[]>;
+    protected addHeadersFromRiskActivityHeaderEntries(headers: Record<string, string[]>, headerEntries: HeaderEntry[]): Record<string, string[]>;
     protected riskActivityToHeaders(riskActivity: RiskActivity): Record<string, string[]>;
+    protected finalizeHeaders(headers: Record<string, string[]>): Record<string, string[]>;
+    protected shouldFilterHeader(headerName: string, headerValue: string[]): boolean;
     private addHeadersFromObject;
     protected createRiskResponse(response: IIncomingResponse): IRiskResponse;
 }

package/lib/types/utils/constants.d.ts

@@ -11,4 +11,4 @@ export declare const PUSH_DATA_FEATURE_HEADER_NAME = "x-px-feature";
 export declare const EMAIL_ADDRESS_REGEX: RegExp;
 export declare const URL_REGEX: RegExp;
 export declare const REGEX_STRUCTURE: RegExp;
-export declare const CORE_MODULE_VERSION = "JS Core 0.26.0";
+export declare const CORE_MODULE_VERSION = "JS Core 0.26.2";

package/lib/types/utils/utils.d.ts

@@ -22,3 +22,4 @@ export declare const convertRegexStringToRegex: (regexString: string, logger?: I
 export declare const telemetryConfigReplacer: (_key: string, value: any) => string;
 export declare const isValidTokenVersion: (tokenVersion: any) => tokenVersion is TokenVersion;
 export declare const isNullOrUndefined: <T>(value: T | null | undefined) => value is null | undefined;
+export declare const isAscii: (str: string) => boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "perimeterx-js-core",
-  "version": "0.26.0",
+  "version": "0.26.2",
   "description": "",
   "type": "module",
   "typesVersions": {
@@ -35,8 +35,8 @@
     "build:esm": "tsc -p tsconfig.esm.json && tsc-alias -p tsconfig.esm.json",
     "build:dec": "tsc -p tsconfig.dec.json && tsc-alias -p tsconfig.dec.json",
     "clean": "rm -rf lib",
-    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint . --ext .ts",
-    "lint:fix": "ESLINT_USE_FLAT_CONFIG=false eslint . --ext .ts --fix",
+    "lint": "eslint . --ext .ts",
+    "lint:fix": "eslint . --ext .ts --fix",
     "test": "mocha",
     "coverage": "nyc npm run test",
     "pre-commit": "./node_modules/.bin/lint-staged",
@@ -48,18 +48,18 @@
     "js-base64": "^3.7.2",
     "phin": "^3.7.0",
     "ts-essentials": "^10.0.0",
-    "uuid": "^10.0.0"
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@types/chai": "^4.3.3",
-    "@types/chai-as-promised": "^7.1.5",
+    "@types/chai": "^5.2.1",
+    "@types/chai-as-promised": "^8.0.2",
     "@types/crypto-js": "^4.1.1",
     "@types/mocha": "^10.0.0",
     "@types/sinon": "^17.0.1",
     "@types/uuid": "^10.0.0",
     "@typescript-eslint/eslint-plugin": "^8.26.0",
     "@typescript-eslint/parser": "^8.26.0",
-    "chai": "^4.3.6",
+    "chai": "^5.2.0",
     "chai-as-promised": "^8.0.0",
     "core-js": "^3.19.1",
     "eslint": "^9.21.0",