Merge pull request #284 from PerimeterX/bugfix/pxCookieValidator_customIsSensitive

Bugfix/px cookie validator custom is sensitive

Author: guyeisenbach

CHANGELOG.md

@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [3.10.0] - 2023-03-28
+
+## [3.10.1] - 2023-03-29
+
+### Fixed
+- Bug fixed in pxCookieValidator which fails on invalid variable name.
+
+## [3.10.0] - 2023-03-28 (removed)
 
 ### Added
 - Support for handling graphQL requests with empty query field

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.10.0](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.10.1](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

lib/pxcookie.js

@@ -81,7 +81,7 @@ function evalCookie(ctx, config) {
             return ScoreEvaluateAction.COOKIE_INVALID;
         }
 
-        if (ctx.sensitiveRoute()) {
+        if (ctx.sensitiveRequest()) {
             config.logger.debug(`Sensitive route match, sending Risk API. path: ${ctx.uri}`);
             ctx.s2sCallReason = 'sensitive_route';
             return ScoreEvaluateAction.SENSITIVE_ROUTE;

lib/pxenforcer.js

@@ -46,12 +46,15 @@ class PxEnforcer {
         }
         this.reversePrefix = this.pxConfig.conf.PX_APP_ID.substring(2);
         this.initializeCredentialsIntelligence(this.logger, this._config);
-
     }
 
     initializeCredentialsIntelligence(logger, config) {
         if (config.ENABLE_LOGIN_CREDS_EXTRACTION && config.LOGIN_CREDS_EXTRACTION.length > 0) {
-            this.loginCredentialsExtractor = new LoginCredentialsExtractor(logger, config.CREDENTIALS_INTELLIGENCE_VERSION, config.LOGIN_CREDS_EXTRACTION);
+            this.loginCredentialsExtractor = new LoginCredentialsExtractor(
+                logger,
+                config.CREDENTIALS_INTELLIGENCE_VERSION,
+                config.LOGIN_CREDS_EXTRACTION,
+            );
             this.loginSuccessfulParser = LoginSuccessfulParserFactory.Create(config);
         }
     }
@@ -335,8 +338,8 @@ class PxEnforcer {
         const isJsonResponse =
             this._config.ADVANCED_BLOCKING_RESPONSE &&
             acceptHeaderValue &&
-            acceptHeaderValue.split(',').find((value) => value.toLowerCase() === 'application/json') &&
-            (ctx.cookieOrigin !== CookieOrigin.HEADER) &&
+            acceptHeaderValue.split(',').find((value) => value.trim().toLowerCase() === 'application/json') &&
+            ctx.cookieOrigin !== CookieOrigin.HEADER &&
             ctx.blockAction !== 'r';
 
         this.logger.debug(
@@ -346,7 +349,7 @@ class PxEnforcer {
         );
         const config = this._config;
 
-        this.generateResponse(ctx, isJsonResponse, function(responseObject) {
+        this.generateResponse(ctx, isJsonResponse, function (responseObject) {
             const response = {
                 status: '403',
                 statusDescription: 'Forbidden',
@@ -373,11 +376,11 @@ class PxEnforcer {
                     hostUrl: responseObject.hostUrl,
                     blockScript: responseObject.blockScript,
                     altBlockScript: responseObject.altBlockScript,
-                    customLogo: responseObject.customLogo
+                    customLogo: responseObject.customLogo,
                 };
                 return cb(null, response);
             }
-            
+
             pxUtil.appendContentType(response, 'text/html');
 
             response.body = responseObject;
@@ -422,7 +425,7 @@ class PxEnforcer {
         const details = {
             ...this.getActivityDetails(ctx),
             px_cookie: ctx.decodedCookie,
-            pass_reason: ctx.passReason
+            pass_reason: ctx.passReason,
         };
         if (ctx.serverInfoRegion) {
             details['server_info_region'] = ctx.serverInfoRegion;
@@ -432,7 +435,11 @@ class PxEnforcer {
             this.setS2SErrorInfo(details, ctx.s2sErrorInfo);
         }
 
-        if (this._config.ENABLE_LOGIN_CREDS_EXTRACTION && ctx.additionalFields && ctx.additionalFields.loginCredentials) {
+        if (
+            this._config.ENABLE_LOGIN_CREDS_EXTRACTION &&
+            ctx.additionalFields &&
+            ctx.additionalFields.loginCredentials
+        ) {
             this.handleCredentialsIntelligenceInPageRequestedActivity(ctx, req, details);
         }
 
@@ -451,9 +458,11 @@ class PxEnforcer {
 
         if (this._config.ENABLE_ADDITIONAL_S2S_ACTIVITY_HEADER) {
             req.headers[Constants.DEFAULT_ADDITIONAL_ACTIVITY_HEADER_NAME] = JSON.stringify(
-                this.pxClient.generateAdditionalS2SActivity(ctx, this._config)
+                this.pxClient.generateAdditionalS2SActivity(ctx, this._config),
             );
-            req.headers[Constants.DEFAULT_ADDITIONAL_ACTIVITY_URL_HEADER_NAME] = `${this._config.BACKEND_URL}${this._config.SERVER_COLLECT_URI}`;
+            req.headers[
+                Constants.DEFAULT_ADDITIONAL_ACTIVITY_URL_HEADER_NAME
+            ] = `${this._config.BACKEND_URL}${this._config.SERVER_COLLECT_URI}`;
         }
     }
 
@@ -561,9 +570,9 @@ class PxEnforcer {
 
     getProps(ctx) {
         let jsClientSrc = `//${this._config.CLIENT_HOST}/${this._config.PX_APP_ID}/main.min.js`;
-        const captchaParams = `/captcha.js?a=${ctx.blockAction}&u=${
-            ctx.uuid
-        }&v=${ctx.vid || ''}&m=${ctx.isMobile() ? '1' : '0'}`;
+        const captchaParams = `/captcha.js?a=${ctx.blockAction}&u=${ctx.uuid}&v=${ctx.vid || ''}&m=${
+            ctx.isMobile() ? '1' : '0'
+        }`;
         let captchaSrc = `//${this._config.CAPTCHA_HOST}/${this._config.PX_APP_ID}${captchaParams}`;
         let hostUrl = ctx.collectorUrl;
 
@@ -586,7 +595,7 @@ class PxEnforcer {
             firstPartyEnabled: this._config.FIRST_PARTY_ENABLED,
             isMobile: ctx.isMobile(),
             blockScript: captchaSrc,
-            altBlockScript: `${this._config.BACKUP_CAPTCHA_HOST}/${this._config.PX_APP_ID}${captchaParams}`
+            altBlockScript: `${this._config.BACKUP_CAPTCHA_HOST}/${this._config.PX_APP_ID}${captchaParams}`,
         };
     }
 

lib/pxtesthandler.js

@@ -17,7 +17,7 @@ function customRequestHandler(ctx, config, req, res) {
         headers: ctx.headers,
         user_agent: ctx.userAgent,
         is_made_s2s_api_call: ctx.hasMadeServerCall || false,
-        sensitive_route: ctx.sensitiveRoute,
+        sensitive_route: ctx.sensitiveRequest(),
         sensitive_routes_list: config.SENSITIVE_ROUTES,
         whitelist_routes: config.WHITELIST_ROUTES,
         decoded_px_cookie: ctx.decodedCookie,

package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "3.10.0",
+    "version": "3.10.1",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {