Merge pull request #165 from PerimeterX/dev

Dev to master

Author: OmerBacharPX

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.13.0] - 2021-06-08
+
+### Added
+
+-   CSP Support.
+
 ## [2.12.1] - 2021-05-25
 
 ### Fixed

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v2.12.1](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v2.13.0](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

index.js

@@ -26,4 +26,5 @@
 module.exports = {
     PxEnforcer: require('./lib/pxenforcer'),
     PxClient: require('./lib/pxclient'),
+    PxCdEnforcer: require('./lib/pxcdenforcer'),
 };

lib/pxcdenforcer.js

@@ -0,0 +1,79 @@
+const { v4: uuidv4 } = require('uuid');
+const CSP_DATA = {
+    CSP: 'csp',
+    CSPRO: 'cspro',
+    CSPRO_EXPOSURE: 'cspro_exposure',
+    CSPRO_2: 'cspro_p2',
+    CSPRO_2_EXPOSURE: 'cspro_p2_exposure',
+    SESSION_ID_QUERY_PARAM: 'p',
+    VID_QUERY_PARAM: 'v',
+    REPORT_URI_STRING_LENGTH: 11
+};
+const CD_COOCKIE = '__pxvid';
+
+function CdEnforce (cspData, req, res) {
+    const cdVid = getCdCookie(req);
+    handleCSP(res, cspData, cdVid);
+
+}
+
+function handleCSP(response, cspData, vid) {
+    const rand = Math.floor(Math.random() * 100) + 1; //random number between 1-100 include
+    try {
+        let csp = cspData[CSP_DATA.CSP];
+        const sessionId = uuidv4();
+        if (csp) {
+            csp = updateCspReportUri(csp, sessionId, vid);
+            response.setHeader('Content-Security-Policy', csp);
+        }
+
+        let cspReportOnly = getCSPROHeader(cspData, CSP_DATA.CSPRO_EXPOSURE, CSP_DATA.CSPRO, rand, sessionId, vid);
+        if (cspReportOnly) {
+            response.setHeader('Content-Security-Policy-Report-Only', cspReportOnly);
+        } else {
+            cspReportOnly = getCSPROHeader(cspData, CSP_DATA.CSPRO_2_EXPOSURE, CSP_DATA.CSPRO_2, rand, sessionId, vid);
+            if (cspReportOnly) {
+                response.setHeader('Content-Security-Policy-Report-Only', cspReportOnly);
+            }
+        }
+    } catch (e) {
+        // CSP couldnt be read, continue without it
+        console.log(`Exception Caught in HandleCSP. error: ${e}`);
+    }
+}
+
+function getCSPROHeader(cspData, exposureKey, policyKey, rand, sessionId, vid) {
+    const percentage = parseInt(cspData[exposureKey]);
+    if (rand <= percentage) {
+        let cspReportOnly = cspData[policyKey];
+        if (cspReportOnly) {
+            cspReportOnly = updateCspReportUri(cspReportOnly, sessionId, vid);
+            return cspReportOnly;
+        }
+    }
+}
+
+function updateCspReportUri(policy, sessionId, vid) {
+    const matches = policy.match(/report-uri ([^ ;]+)/);
+    if (matches && matches.length > 1) {
+        const reportUrl = new URL(matches[1]);
+        reportUrl.searchParams.append(CSP_DATA.SESSION_ID_QUERY_PARAM, sessionId);
+        if (vid) {
+            reportUrl.searchParams.append(CSP_DATA.VID_QUERY_PARAM, vid);
+        }
+        const result = reportUrl.toString();
+        const index = matches.index + matches[0].length;
+        policy = policy.slice(0, matches.index + CSP_DATA.REPORT_URI_STRING_LENGTH) + result + policy.slice(index);
+    }
+
+    return policy;
+}
+
+function getCdCookie(req) {
+    const cookies = req.cookies;
+    if (cookies && cookies[CD_COOCKIE]) {
+        return cookies[CD_COOCKIE];
+    }
+}
+
+module.exports = CdEnforce;

package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "2.12.1",
+    "version": "2.13.0",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {
@@ -24,7 +24,8 @@
         "https-proxy-agent": "^5.0.0",
         "ip-range-check": "^0.2.0",
         "mu2": "^0.5.21",
-        "raw-body": "^2.3.2"
+        "raw-body": "^2.3.2",
+        "uuid": "^8.3.2"
     },
     "devDependencies": {
         "eslint": "^6.8.0",