Merge pull request #201 from PerimeterX/dev

Dev to master

Author: OmerBacharPX

CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.1.1] - 2021-12-29
+
+### Added
+
+- server_info_origin to all Enforcer activities, indicates which CDN POP/Datacenter the request hit
+- sensitive route based on GraphQL payload
+
+### Fixed
+
+- Enforced route bugfix
+
 ## [3.1.0] - 2021-11-28
 
 ### Changed

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.1.0](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.1.1](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

lib/enums/GraphqlOperationType.js

@@ -0,0 +1,8 @@
+const GraphqlOperationType = {
+    QUERY: 'query',
+    MUTATION: 'mutation'
+};
+
+module.exports = {
+    GraphqlOperationType
+};

lib/models/GraphqlData.js

@@ -0,0 +1,10 @@
+class GraphqlData {
+    constructor(graphqlOperationType, graphqlOperationName) {
+        this.operationType = graphqlOperationType;
+        this.operationName = graphqlOperationName;
+    }
+}
+
+module.exports = {
+    GraphqlData
+};

lib/pxapi.js

@@ -60,6 +60,14 @@ function buildRequestData(ctx, config) {
         },
     };
 
+    if (ctx.graphqlData) {
+        data.additional['graphql_operation_type'] = ctx.graphqlData.operationType;
+        data.additional['graphql_operation_name'] = ctx.graphqlData.operationName;
+    }
+    if (ctx.serverInfoRegion) {
+        data.additional['server_info_region'] = ctx.serverInfoRegion;
+    }
+
     if (ctx.s2sCallReason === 'cookie_decryption_failed') {
         data.additional.px_orig_cookie = ctx.getCookie(); //No need strigify, already a string
     }

lib/pxconfig.js

@@ -77,6 +77,8 @@ class PxConfig {
             ['LOGIN_CREDS_EXTRACTION', 'px_login_credentials_extraction'],
             ['COMPROMISED_CREDENTIALS_HEADER', 'px_compromised_credentials_header'],
             ['ENABLE_ADDITIONAL_ACTIVITY_HEADER', 'px_additional_activity_header_enabled'],
+            ['SENSITIVE_GRAPHQL_OPERATION_TYPES', 'px_sensitive_graphql_operation_types'],
+            ['SENSITIVE_GRAPHQL_OPERATION_NAMES', 'px_sensitive_graphql_operation_names'],
         ];
 
         configKeyMapping.forEach(([targetKey, sourceKey]) => {
@@ -316,6 +318,8 @@ function pxDefaultConfig() {
         LOGIN_CREDS_EXTRACTION: [],
         COMPROMISED_CREDENTIALS_HEADER: DEFAULT_COMPROMISED_CREDENTIALS_HEADER_NAME,
         ENABLE_ADDITIONAL_ACTIVITY_HEADER: false,
+        SENSITIVE_GRAPHQL_OPERATION_TYPES: [],
+        SENSITIVE_GRAPHQL_OPERATION_NAMES: []
     };
 }
 
@@ -364,6 +368,8 @@ const allowedConfigKeys = [
     'px_login_credentials_extraction_enabled',
     'px_login_credentials_extraction',
     'px_compromised_credentials_header',
+    'px_sensitive_graphql_operation_types',
+    'px_sensitive_graphql_operation_names'
 ];
 
 module.exports = PxConfig;

lib/pxcontext.js

@@ -52,6 +52,14 @@ class PxContext {
                 }
             });
         }
+        if (this.uri.includes('graphql')) {
+            config.logger.debug('Graphql route detected');
+            this.graphqlData = pxUtil.getGraphqlData(req);
+            this.sensitiveGraphqlOperation = this.isSensitiveGraphqlOperation(config);
+        }
+        if (process.env.AWS_REGION) {
+            this.serverInfoRegion = process.env.AWS_REGION;
+        }
     }
 
     getCookie() {
@@ -69,6 +77,15 @@ class PxContext {
         return Array.isArray(routes) ? routes.some((route) => this.verifyRoute(route, uri)) : false;
     }
 
+    isSensitiveGraphqlOperation(config) {
+        if (!this.graphqlData) {
+            return false;
+        }
+        const { operationType, operationName } = this.graphqlData;
+        return config.SENSITIVE_GRAPHQL_OPERATION_TYPES.includes(operationType)
+            || config.SENSITIVE_GRAPHQL_OPERATION_NAMES.includes(operationName);
+    }
+
     verifyRoute(pattern, uri) {
         if (pattern instanceof RegExp && uri.match(pattern)) {
             return true;

lib/pxcookie.js

@@ -86,6 +86,12 @@ function evalCookie(ctx, config) {
             return ScoreEvaluateAction.SENSITIVE_ROUTE;
         }
 
+        if (ctx.sensitiveGraphqlOperation) {
+            config.logger.debug(`Sensitive graphql operation, sending Risk API. operation type: ${ctx.graphqlData.operationType}, operation name: ${ctx.graphqlData.operationName}`);
+            ctx.s2sCallReason = 'sensitive_route';
+            return ScoreEvaluateAction.SENSITIVE_ROUTE;
+        }
+
         ctx.passReason = PassReason.COOKIE;
         config.logger.debug(`Cookie evaluation ended successfully, risk score: ${cookie.getScore()}`);
         return ScoreEvaluateAction.GOOD_SCORE;

lib/pxenforcer.js

@@ -133,8 +133,6 @@ class PxEnforcer {
     }
 
     shouldFilterRequest(req) {
-        let shouldFilterRoute = false;
-
         if (pxUtil.checkForStatic(req, this._config.STATIC_FILES_EXT)) {
             this.logger.debug(`Found whitelist ext in path: ${req.originalUrl}`);
             return true;
@@ -153,39 +151,12 @@ class PxEnforcer {
                 }
             }
         }
-
-        if (this._config.ENFORCED_ROUTES && this._config.ENFORCED_ROUTES.length > 0) {
-            for (const enforceRoute of this._config.ENFORCED_ROUTES) {
-                if (enforceRoute instanceof RegExp && req.originalUrl.match(enforceRoute)) {
-                    return false;
-                }
-                if (typeof enforceRoute === 'string' && req.originalUrl.startsWith(enforceRoute)) {
-                    return false;
-                }
-            }
-            this.logger.debug(`Route ${req.originalUrl} is not listed in specific routes to enforce`);
-            shouldFilterRoute = true;
-        }
-
-        if (this._config.MONITORED_ROUTES && this._config.MONITORED_ROUTES.length > 0) {
-            for (const monitorRoute of this._config.MONITORED_ROUTES) {
-                if (monitorRoute instanceof RegExp && req.originalUrl.match(monitorRoute)) {
-                    return false;
-                }
-                if (typeof monitorRoute === 'string' && req.originalUrl.startsWith(monitorRoute)) {
-                    return false;
-                }
-            }
-            this.logger.debug(`Route ${req.path} is not listed in specific routes to monitor`);
-        }
-
-        return shouldFilterRoute;
+       
+        return false;
     }
 
     verifyUserScore(ctx, callback) {
-        const startRiskRtt = Date.now();
         ctx.riskRtt = 0;
-
         try {
             if (!ctx.ip || !ctx.uri) {
                 this.logger.error('perimeterx score evaluation failed. bad parameters.');
@@ -203,6 +174,7 @@ class PxEnforcer {
                 ctx.blockReason = 'cookie_high_score';
                 return callback(ScoreEvaluateAction.COOKIE_BLOCK_TRAFFIC);
             }
+            const startRiskRtt = Date.now();
 
             /* when no fallback to s2s call if cookie does not exist or failed on evaluation */
             pxApi.evalByServerCall(ctx, this._config, (action) => {
@@ -384,6 +356,9 @@ class PxEnforcer {
             pass_reason: ctx.passReason,
             ...ctx.additionalFields,
         };
+        if (ctx.serverInfoRegion) {
+            details['server_info_region'] = ctx.serverInfoRegion;
+        }
 
         if (ctx.passReason === PassReason.S2S_ERROR && ctx.s2sErrorInfo) {
             this.setS2SErrorInfo(details, ctx.s2sErrorInfo);
@@ -432,6 +407,9 @@ class PxEnforcer {
             simulated_block: pxUtil.isReqInMonitorMode(this._config, ctx),
             ...ctx.additionalFields,
         };
+        if (ctx.serverInfoRegion) {
+            details['server_info_region'] = ctx.serverInfoRegion;
+        }
 
         this.logger.debug(`Sending block activity`);
         this.pxClient.sendToPerimeterX(ActivityType.BLOCK, details, ctx, this._config);

lib/pxutil.js

@@ -5,6 +5,8 @@ const fs = require('fs');
 const crypto = require('crypto');
 
 const { ModuleMode } = require('./enums/ModuleMode');
+const { GraphqlOperationType } = require('./enums/GraphqlOperationType');
+const { GraphqlData } = require('./models/GraphqlData');
 
 /**
  * PerimeterX (http://www.perimeterx.com) NodeJS-Express SDK
@@ -247,7 +249,7 @@ function generateHMAC(cookieSecret, payload) {
 
 function isReqInMonitorMode(pxConfig, pxCtx) {
     return (
-        (pxConfig.MODULE_MODE === ModuleMode.MONITOR && !pxCtx.shouldBypassMonitor) || pxCtx.monitoredRoute
+        (pxConfig.MODULE_MODE === ModuleMode.MONITOR && !pxCtx.shouldBypassMonitor && !pxCtx.enforcedRoute) || pxCtx.monitoredRoute
     );
 }
 
@@ -264,6 +266,45 @@ function getTokenObject(cookie, delimiter = ':') {
     return { key: '_px3', value: cookie };
 }
 
+function getGraphqlData(req) {
+    const isGraphqlPath = req.path.includes('graphql') || req.originalUrl.includes('graphql');
+    if (!isGraphqlPath) {
+        return null;
+    }
+
+    const query = req.body ? req.body['query'] : null;
+    if (!query) {
+        return new GraphqlData(GraphqlOperationType.QUERY);
+    }
+
+    const operationType = extractGraphqlOperationType(query);
+    const operationName = extractGraphqlOperationName(query, req.body['operationName'])
+    return new GraphqlData(operationType, operationName);
+}
+
+function extractGraphqlOperationType(query) {
+    const isGraphqlQueryShorthand = query[0] === '{';
+    if (isGraphqlQueryShorthand) {
+        return GraphqlOperationType.QUERY;
+    }
+
+    const queryArray = query.split(/[^A-Za-z0-9_]/);
+    return isValidGraphqlOperationType(queryArray[0]) ? queryArray[0] : GraphqlOperationType.QUERY;
+}
+
+function extractGraphqlOperationName(query, operationName) {
+    if (operationName) {
+        return operationName;
+    }
+
+    const queryArray = query.split(/[^A-Za-z0-9_]/);
+    return isValidGraphqlOperationType(queryArray[0]) ? queryArray[1] : queryArray[0];
+}
+
+function isValidGraphqlOperationType(operationType) {
+    return Object.values(GraphqlOperationType).includes(operationType);
+}
+
 module.exports = {
     formatHeaders,
     filterSensitiveHeaders,
@@ -282,4 +323,5 @@ module.exports = {
     generateHMAC,
     isReqInMonitorMode,
     getTokenObject,
+    getGraphqlData
 };