Merge pull request #190 from PerimeterX/dev

Dev

Author: ori-gold-px

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.1.0] - 2021-11-28
+
+### Changed
+
+-   Login credentials extraction sends hashed credentials (`creds`) instead of `pass`
+-   Login credentials extraction normalizes username field to lowercase prior to hashing
+-   Login credentials extraction fields align with spec (all `snake_case`, not `camelCase`)
+-   Login credentials extraction handles body encoding based on `Content-Type` request header
+
+### Added
+
+-   Login credentials extraction paths are added as sensitive routes automatically
+-   Added `raw_username` field with default value `null` to `additional_s2s` activity
+
+
 ## [3.0.3] - 2021-11-24
 
 ### Added

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.0.3](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.1.0](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

lib/extract_field/FieldExtractor.js

@@ -1,14 +1,12 @@
 const querystring = require('querystring');
-const { sha256, accessNestedObjectValueByStringPath } = require('../pxutil');
+const { accessNestedObjectValueByStringPath } = require('../pxutil');
 
-const SENT_THROUGH = { BODY: 'body', QUERY_PARAM: 'query-param', HEADER: 'header' };
-const ENCODING_TYPE = { URL_ENCODE: 'url-encode', CLEAR_TEXT: 'clear-text', BASE64: 'base64', CUSTOM: 'custom' };
+const SentThrough = { BODY: 'body', QUERY_PARAM: 'query-param', HEADER: 'header' };
+const ContentType = { JSON: 'application/json', URL_ENCODED: 'application/x-www-form-urlencoded', MULTIPART_FORM: 'multipart/form-data' };
 
 class FieldExtractor {
-    constructor(sentThrough, contentType, encoding, fieldsToExtract) {
+    constructor(sentThrough, fieldsToExtract) {
         this.containerName = this._getContainerName(sentThrough);
-        this.contentType = contentType;
-        this._decode = this._getDecodeFunction(encoding);
         this.fieldsToExtract = fieldsToExtract instanceof Array ? fieldsToExtract : [fieldsToExtract];
     }
 
@@ -19,37 +17,32 @@ class FieldExtractor {
         }
         const fields = {};
         this.fieldsToExtract.forEach((desiredField) => {
-            const value = accessNestedObjectValueByStringPath(desiredField.origRequestFieldName, container);
+            let value = accessNestedObjectValueByStringPath(desiredField.oldFieldName, container) || container[desiredField.oldFieldName];
             if (!value || typeof value !== 'string') {
                 return;
             }
-            fields[desiredField.resultActivityFieldName] = sha256(value);
+            value = desiredField.shouldNormalize ? this._normalizeField(value) : value;
+            fields[desiredField.newFieldName] = value;
         });
         return fields;
     }
 
+    _normalizeField(fieldValue) {
+        return fieldValue.toLowerCase();
+    }
+
     _getContainerName(sentThrough) {
         switch (sentThrough) {
-            case SENT_THROUGH.QUERY_PARAM:
+            case SentThrough.QUERY_PARAM:
                 return 'query';
-            case SENT_THROUGH.HEADER:
+            case SentThrough.HEADER:
                 return 'headers';
-            case SENT_THROUGH.BODY:
+            case SentThrough.BODY:
             default:
                 return 'body';
         }
     }
 
-    _getDecodeFunction(encoding) {
-        switch (encoding) {
-            case ENCODING_TYPE.URL_ENCODE:
-                return (string) => querystring.parse(string);
-            case ENCODING_TYPE.CLEAR_TEXT:
-            default:
-                return (string) => JSON.parse(string);
-        }
-    }
-
     _getContainer(request) {
         const container = request[this.containerName];
         if (!container) {
@@ -59,7 +52,14 @@ class FieldExtractor {
         if (typeof container === 'object') {
             return container;
         }
-        return this._decode(container);
+
+        const contentType = request.headers['content-type'];
+        if (contentType.includes(ContentType.JSON)) {
+            return JSON.parse(container);
+        } else if (contentType.includes(ContentType.URL_ENCODED)) {
+            return querystring.parse(container);
+        }
+        return null;
     }
 }
 

lib/extract_field/FieldExtractorManager.js

@@ -1,8 +1,10 @@
 const FieldExtractor = require('./FieldExtractor');
 const ExtractionField = require('../models/ExtractionField');
+const { sha256 } = require('../pxutil');
 
 const USERNAME_FIELD = 'user';
 const PASSWORD_FIELD = 'pass';
+const CREDENTIALS_FIELD = 'creds';
 
 class FieldExtractorManager { 
     constructor(logger, extractObjects) {
@@ -13,8 +15,13 @@ class FieldExtractorManager {
     ExtractFields(request) {
         const key = this._generateMapKey(request.path, request.method);
         const extractor = this.extractorMap[key];
+        if (!extractor) {
+            return {};
+        }
+        this.logger.debug(`Attempting to extract credentials for ${request.method} ${request.path} request`);
         try {
-            return extractor ? extractor.ExtractFields(request) : {};
+            const fields = extractor.ExtractFields(request);
+            return this._processFields(fields);
         } catch (e) {
             this.logger.error(e);
             return {};
@@ -29,13 +36,25 @@ class FieldExtractorManager {
         const map = {};
         for (const extractFields of extractObjects) {
             const key = this._generateMapKey(extractFields.path, extractFields.method.toUpperCase());
-            map[key] = new FieldExtractor(extractFields.sentThrough, extractFields.contentType, extractFields.encoding, [
-                new ExtractionField(extractFields.userField, USERNAME_FIELD), 
-                new ExtractionField(extractFields.passField, PASSWORD_FIELD)
+            map[key] = new FieldExtractor(extractFields.sent_through, [
+                new ExtractionField(extractFields.user_field, USERNAME_FIELD, true),
+                new ExtractionField(extractFields.pass_field, PASSWORD_FIELD, false)
             ]);
         }
         return map;
     }
+
+    _processFields(fields) {
+        if (!fields || !fields[USERNAME_FIELD] || !fields[PASSWORD_FIELD]) {
+            this.logger.debug('Failed extracting credentials');
+            return {};
+        }
+        this.logger.debug('Successfully extracted credentials')
+        return {
+            [USERNAME_FIELD]: sha256(fields[USERNAME_FIELD]),
+            [CREDENTIALS_FIELD]: sha256(fields[USERNAME_FIELD] + fields[PASSWORD_FIELD])
+        };
+    }
 }
 
 module.exports = FieldExtractorManager;

lib/models/ExtractionField.js

@@ -1,7 +1,8 @@
 class ExtractionField {
-    constructor(origRequestFieldName, resultActivityFieldName) {
-        this.origRequestFieldName = origRequestFieldName;
-        this.resultActivityFieldName = resultActivityFieldName;
+    constructor(oldFieldName, newFieldName, shouldNormalize) {
+        this.oldFieldName = oldFieldName;
+        this.newFieldName = newFieldName;
+        this.shouldNormalize = shouldNormalize;
     }
 }
 

lib/pxclient.js

@@ -34,6 +34,7 @@ class PxClient {
         if (activityType === ActivityType.ADDITIONAL_S2S) {
             details['http_status_code'] = null;
             details['login_successful'] = null;
+            details['raw_username'] = null;
         } else {
             activity.headers = ctx.headers;
             activity.pxhd = ctx.pxhdClient ? ctx.pxhdClient : undefined;

lib/pxconfig.js

@@ -88,6 +88,8 @@ class PxConfig {
             );
         });
 
+        this.addLoginCredentialsExtractionPathsToSensitiveRoutes();
+
         // validate that app_id is configured
         if (this.PX_DEFAULT.PX_APP_ID !== 'PX_APP_ID') {
             // set backend url
@@ -113,6 +115,15 @@ class PxConfig {
         return Object.assign(this.PX_DEFAULT, this.PX_INTERNAL);
     }
 
+    addLoginCredentialsExtractionPathsToSensitiveRoutes() {
+        if (this.PX_DEFAULT.ENABLE_LOGIN_CREDS_EXTRACTION) {
+            this.PX_DEFAULT.SENSITIVE_ROUTES = [
+                ...this.PX_DEFAULT.SENSITIVE_ROUTES,
+                ...this.PX_DEFAULT.LOGIN_CREDS_EXTRACTION.map((extractionObject) => extractionObject.path)
+            ];
+        }
+    }
+
     mergeConfigFileParams(configParams) {
         let mergedParams = configParams;
         try {

package.json

@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "3.0.3",
+    "version": "3.1.0",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {