Merge pull request #183 from PerimeterX/dev

Dev to master

Author: OmerBacharPX

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.0.2] - 2021-11-14
+
+### Added
+
+-   Nonce support in CSP header
+
 ## [3.0.1] - 2021-10-25
 
 ### Added

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.0.1](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.0.2](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

index.js

@@ -27,4 +27,5 @@ module.exports = {
     PxEnforcer: require('./lib/pxenforcer'),
     PxClient: require('./lib/pxclient'),
     PxCdEnforcer: require('./lib/pxcdenforcer'),
+    addNonce: require('./lib/nonce')
 };

lib/nonce.js

@@ -0,0 +1,36 @@
+const { CSP_HEADER, CSPRO_HEADER } = require('./utils/constants');
+const SCRIPT_SRC_STRING = 'script-src ';
+
+function addNonce(response, nonce) {
+    if (validateNonce(nonce)) {
+        addNonceToHeader(response, CSP_HEADER, nonce);
+        addNonceToHeader(response, CSPRO_HEADER, nonce);
+    } else {
+        console.error('nonce value is not valid, will not be added to CSP header');
+    }
+}
+
+function addNonceToHeader(response, headerName, nonce) {
+    let headerValue = response.getHeader(headerName);
+    if (headerValue) {
+        const matches = headerValue.match(/script-src ([^ ;]+)/);
+        if (matches && matches.length > 1) {
+            const updatedScriptSrc = `'nonce-${nonce}' ` + matches[1];
+            const index = matches.index + matches[0].length;
+            headerValue = headerValue.slice(0, matches.index + SCRIPT_SRC_STRING.length) + updatedScriptSrc + headerValue.slice(index);
+            response.setHeader(headerName, headerValue);
+        } else {
+            //add script-src
+            const index = headerValue.indexOf(';') + 1;
+            headerValue = headerValue.slice(0, index) + ` ${SCRIPT_SRC_STRING}'nonce-${nonce}';` + headerValue.slice(index);
+            response.setHeader(headerName, headerValue);
+        }
+    }
+}
+
+function validateNonce(nonce) {
+    const re = /^[A-Za-z0-9=]+$/;
+    return re.test(nonce);
+}
+
+module.exports = addNonce;

lib/pxcdenforcer.js

@@ -10,6 +10,7 @@ const CSP_DATA = {
     REPORT_URI_STRING_LENGTH: 11
 };
 const CD_COOCKIE = '__pxvid';
+const { CSP_HEADER, CSPRO_HEADER } = require('./utils/constants');
 
 function CdEnforce (cspData, req, res) {
     const cdVid = getCdCookie(req);
@@ -24,16 +25,16 @@ function handleCSP(response, cspData, vid) {
         const sessionId = uuidv4();
         if (csp) {
             csp = updateCspReportUri(csp, sessionId, vid);
-            response.setHeader('Content-Security-Policy', csp);
+            response.setHeader(CSP_HEADER, csp);
         }
 
         let cspReportOnly = getCSPROHeader(cspData, CSP_DATA.CSPRO_EXPOSURE, CSP_DATA.CSPRO, rand, sessionId, vid);
         if (cspReportOnly) {
-            response.setHeader('Content-Security-Policy-Report-Only', cspReportOnly);
+            response.setHeader(CSPRO_HEADER, cspReportOnly);
         } else {
             cspReportOnly = getCSPROHeader(cspData, CSP_DATA.CSPRO_2_EXPOSURE, CSP_DATA.CSPRO_2, rand, sessionId, vid);
             if (cspReportOnly) {
-                response.setHeader('Content-Security-Policy-Report-Only', cspReportOnly);
+                response.setHeader(CSPRO_HEADER, cspReportOnly);
             }
         }
     } catch (e) {

lib/utils/constants.js

@@ -7,12 +7,17 @@ const MILLISECONDS_IN_YEAR = MILLISECONDS_IN_SECOND * SECONDS_IN_MINUTE * MINUTE
 
 const DEFAULT_COMPROMISED_CREDENTIALS_HEADER_NAME = 'px-compromised-credentials';
 
+const CSP_HEADER = 'Content-Security-Policy';
+const CSPRO_HEADER = 'Content-Security-Policy-Report-Only';
+
 module.exports = {
     MILLISECONDS_IN_SECOND,
     SECONDS_IN_MINUTE,
     MINUTES_IN_HOUR,
     HOURS_IN_DAY,
     DAYS_IN_YEAR,
     MILLISECONDS_IN_YEAR,
-    DEFAULT_COMPROMISED_CREDENTIALS_HEADER_NAME
+    DEFAULT_COMPROMISED_CREDENTIALS_HEADER_NAME,
+    CSP_HEADER,
+    CSPRO_HEADER
 };

package.json

@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "3.0.1",
+    "version": "3.0.2",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {

test/mocks/response.js

@@ -0,0 +1,15 @@
+class Response {
+    constructor(headers) {
+        this.headers = headers;
+    }
+
+    getHeader(headerName) {
+        return this.headers[headerName];
+    }
+
+    setHeader(headerName, headerValue) {
+        this.headers[headerName] = headerValue;
+    }
+}
+
+module.exports = Response;

test/pxenforcer.test.js

@@ -9,6 +9,9 @@ const PxClient = rewire('../lib/pxclient');
 const PxEnforcer = require('../lib/pxenforcer');
 const proxyquire = require('proxyquire');
 const { ModuleMode } = require('../lib/enums/ModuleMode');
+const Response = require('./mocks/response');
+const addNonce = require('../lib/nonce');
+const { CSP_HEADER, CSPRO_HEADER } = require('../lib/utils/constants');
 
 describe('PX Enforcer - pxenforcer.js', () => {
     let params, enforcer, req, stub, pxClient, pxLoggerSpy, logger;
@@ -804,4 +807,36 @@ describe('PX Enforcer - pxenforcer.js', () => {
             done();
         });
     });
+
+    it('Should add Nonce to CSP header (script-src directive exists)', (done) => {
+        const nonce = 'ImN0nc3Value';
+        const headerWithoutNonce = 'connect-src \'self\' *.bazaarvoice.com *.google.com *.googleapis.com *.perimeterx.net *.px-cdn.net *.px-client.net; script-src \'self\' \'unsafe-eval\' \'unsafe-inline\' *.bazaarvoice.com *.forter.com *.google-analytics.com report-uri https://csp.px-cloud.net/report?report=1&id=8a3a7c5242c0e7646bd7d86284f408f6&app_id=PXFF0j69T5&p=d767ae06-b964-4b42-96a2-6d4089aab525';
+        const headerWithNonce = 'connect-src \'self\' *.bazaarvoice.com *.google.com *.googleapis.com *.perimeterx.net *.px-cdn.net *.px-client.net; script-src \'nonce-ImN0nc3Value\' \'self\' \'unsafe-eval\' \'unsafe-inline\' *.bazaarvoice.com *.forter.com *.google-analytics.com report-uri https://csp.px-cloud.net/report?report=1&id=8a3a7c5242c0e7646bd7d86284f408f6&app_id=PXFF0j69T5&p=d767ae06-b964-4b42-96a2-6d4089aab525';
+        nonceTestUtil(headerWithoutNonce, headerWithNonce);
+        done();
+    });
+
+    it('Should add Nonce to CSP header (script-src directive does not exists)', (done) => {
+        const headerWithoutNonce = 'connect-src \'self\' https://collector-px8u0i7rwc.px-cdn.net https://collector-px8u0i7rwc.px-cloud.net; report-uri https://csp.px-cloud.net/report?report=1&id=4bd43ac663997dde7c6a84abd14fdd7a&app_id=PX8U0i7rwC&p=70bb7c94-4807-4090-bea4-ffd1f7645126';
+        const headerWithNonce = 'connect-src \'self\' https://collector-px8u0i7rwc.px-cdn.net https://collector-px8u0i7rwc.px-cloud.net; script-src \'nonce-ImN0nc3Value\'; report-uri https://csp.px-cloud.net/report?report=1&id=4bd43ac663997dde7c6a84abd14fdd7a&app_id=PX8U0i7rwC&p=70bb7c94-4807-4090-bea4-ffd1f7645126';
+        nonceTestUtil(headerWithoutNonce, headerWithNonce);
+        done();
+    });
+
+    it('Should add Nonce to CSP header, CSP header empty', (done) => {
+        const headerWithoutNonce = ';';
+        const headerWithNonce = '; script-src \'nonce-ImN0nc3Value\';';
+        nonceTestUtil(headerWithoutNonce, headerWithNonce);
+        done();
+    });
 });
+
+const nonceTestUtil = (headerWithoutNonce, headerWithNonce) => {
+    const nonce = 'ImN0nc3Value';
+    const headers = { [CSP_HEADER]: headerWithoutNonce, [CSPRO_HEADER]: headerWithoutNonce };
+    const response = new Response(headers);
+    addNonce(response, nonce);
+
+    (response.getHeader(CSP_HEADER) === headerWithNonce).should.equal(true);
+    (response.getHeader(CSPRO_HEADER) === headerWithNonce).should.equal(true);
+};