Merge pull request #241 from PerimeterX/release/v3.4.0

chen-zimmer-px · web-flow · commit c2f74eb9537d · 2022-05-02T10:56:55.000+03:00
Release/v3.4.0 to master
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+
+## [3.4.0] - 2022-05-1
+
+### Added
+
+- Credentials intelligence v2 hashing protocol added and set as default
+
 ## [3.3.2] - 2022-04-11
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.3.2](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.4.0](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 
diff --git a/lib/enums/CIVersion.js b/lib/enums/CIVersion.js
@@ -1,5 +1,6 @@
 const CIVersion = {
     V1: 'v1',
+    V2: 'v2',
     MULTISTEP_SSO: 'multistep_sso'
 };
 
diff --git a/lib/extract_field/credentials_intelligence/CredentialsIntelligenceProtocolFactory.js b/lib/extract_field/credentials_intelligence/CredentialsIntelligenceProtocolFactory.js
@@ -1,12 +1,15 @@
 const { CIVersion } = require('../../enums/CIVersion');
 const { V1CredentialsIntelligenceProtocol } = require('./V1CredentialsIntelligenceProtocol');
 const { MultistepSSOCredentialsIntelligenceProtocol } = require('./MultistepSSOCredentialsIntelligenceProtocol');
+const { V2CredentialsIntelligenceProtocol } = require('./V2CredentialsIntelligenceProtocol');
 
 class CredentialsIntelligenceProtocolFactory {
     static Create(protocolVersion) {
         switch (protocolVersion) {
             case CIVersion.V1:
                 return new V1CredentialsIntelligenceProtocol();
+            case CIVersion.V2:
+                return new V2CredentialsIntelligenceProtocol();
             case CIVersion.MULTISTEP_SSO:
                 return new MultistepSSOCredentialsIntelligenceProtocol();
             default:
diff --git a/lib/extract_field/credentials_intelligence/V2CredentialsIntelligenceProtocol.js b/lib/extract_field/credentials_intelligence/V2CredentialsIntelligenceProtocol.js
@@ -0,0 +1,49 @@
+const { ICredentialsIntelligenceProtocol } = require('./ICredentialsIntelligenceProtocol');
+const { LoginCredentialsFields } = require('../../models/LoginCredentialsFields');
+const pxUtil = require('../../pxutil');
+const { CIVersion } = require('../../enums/CIVersion');
+
+class V2CredentialsIntelligenceProtocol extends ICredentialsIntelligenceProtocol {
+    ProcessCredentials(username, password) {
+        const normalizedUsername = pxUtil.isEmailAddress(username) ? this.normalizeEmailAddress(username) : username;
+        const hashedUsername = pxUtil.sha256(normalizedUsername);
+        const hashedPassword = this.hashPassword(hashedUsername, password);
+
+        return new LoginCredentialsFields(
+            hashedUsername,
+            hashedPassword,
+            username,
+            CIVersion.V2
+        );
+    }
+
+    normalizeEmailAddress(emailAddress) {
+        const lowercaseEmail = emailAddress.trim().toLowerCase();
+        const atIndex = lowercaseEmail.indexOf('@');
+        let normalizedUsername = lowercaseEmail.substring(0, atIndex);
+        const plusIndex = normalizedUsername.indexOf('+');
+
+        if (plusIndex > -1) {
+            normalizedUsername = normalizedUsername.substring(0, plusIndex);
+        }
+        
+        const domain = lowercaseEmail.substring(atIndex);
+        const GMAIL_DOMAIN = '@gmail.com';
+        
+        if (domain === GMAIL_DOMAIN) {
+            normalizedUsername = normalizedUsername.replace('.', '');
+        }
+
+        return `${normalizedUsername}${domain}`;
+    }
+
+    hashPassword(salt, password) {
+        const hashedPassword = pxUtil.sha256(password);
+        return pxUtil.sha256(salt + hashedPassword);
+    }
+}
+
+
+module.exports = {
+    V2CredentialsIntelligenceProtocol
+};
diff --git a/lib/pxconfig.js b/lib/pxconfig.js
@@ -317,7 +317,7 @@ function pxDefaultConfig() {
         CUSTOM_COOKIE_HEADER: '',
         ENABLE_LOGIN_CREDS_EXTRACTION: false,
         LOGIN_CREDS_EXTRACTION: [],
-        CREDENTIALS_INTELLIGENCE_VERSION: CIVersion.V1,
+        CREDENTIALS_INTELLIGENCE_VERSION: CIVersion.V2,
         COMPROMISED_CREDENTIALS_HEADER: DEFAULT_COMPROMISED_CREDENTIALS_HEADER_NAME,
         ENABLE_ADDITIONAL_S2S_ACTIVITY_HEADER: false,
         SENSITIVE_GRAPHQL_OPERATION_TYPES: [],
diff --git a/lib/pxutil.js b/lib/pxutil.js
@@ -7,6 +7,7 @@ const crypto = require('crypto');
 const { ModuleMode } = require('./enums/ModuleMode');
 const { GraphqlOperationType } = require('./enums/GraphqlOperationType');
 const { GraphqlData } = require('./models/GraphqlData');
+const {EMAIL_ADDRESS_REGEX, HASH_ALGORITHM} = require('./utils/constants')
 
 /**
  * PerimeterX (http://www.perimeterx.com) NodeJS-Express SDK
@@ -224,7 +225,7 @@ function _hashString(string, hashType) {
 }
 
 function sha256(string) {
-    return _hashString(string, 'sha256');
+    return _hashString(string, HASH_ALGORITHM.SHA256);
 }
 
 function isStringMatchWith(string, match) {
@@ -305,6 +306,10 @@ function isValidGraphqlOperationType(operationType) {
     return Object.values(GraphqlOperationType).includes(operationType);
 }
 
+function isEmailAddress(str) {
+    return EMAIL_ADDRESS_REGEX.test(str);
+}
+
 module.exports = {
     formatHeaders,
     filterSensitiveHeaders,
@@ -323,5 +328,6 @@ module.exports = {
     generateHMAC,
     isReqInMonitorMode,
     getTokenObject,
-    getGraphqlData
+    getGraphqlData,
+    isEmailAddress
 };
diff --git a/lib/utils/constants.js b/lib/utils/constants.js
@@ -25,6 +25,8 @@ const CI_CREDENTIALS_COMPROMISED_FIELD = 'credentials_compromised';
 
 const GQL_OPERATION_TYPE_FIELD = 'graphql_operation_type';
 const GQL_OPERATION_NAME_FIELD = 'graphql_operation_name';
+const EMAIL_ADDRESS_REGEX = /^([a-zA-Z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)$/
+const HASH_ALGORITHM = { SHA256: 'sha256' };
 
 module.exports = {
     MILLISECONDS_IN_SECOND,
@@ -47,5 +49,7 @@ module.exports = {
     CI_SSO_STEP_FIELD,
     CI_CREDENTIALS_COMPROMISED_FIELD,
     GQL_OPERATION_TYPE_FIELD,
-    GQL_OPERATION_NAME_FIELD
+    GQL_OPERATION_NAME_FIELD,
+    EMAIL_ADDRESS_REGEX,
+    HASH_ALGORITHM
 };
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "3.3.2",
+    "version": "3.4.0",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {
diff --git a/test/pxci.test.js b/test/pxci.test.js
@@ -0,0 +1,37 @@
+const should = require('should');
+const { V2CredentialsIntelligenceProtocol } = require('../lib/extract_field/credentials_intelligence/V2CredentialsIntelligenceProtocol');
+
+describe('Check credentials intelligence v2 hashing', function() {
+    it('Should hash username', function() {
+        const username = 'pxUser';
+        const password = '1234';
+
+        const protocol = new V2CredentialsIntelligenceProtocol();
+        const hashedCredentials = protocol.ProcessCredentials(username, password);
+
+        (hashedCredentials.username).should.equal('9620f4cab3b3a50b9cbcb9a8d01328874ec33eb6882ae31c022f6986fc516851');
+        (hashedCredentials.password).should.equal('c958c33151f273c620ec658ac4de9abd33ad7627df5d8c468224b0bae7173eb4');
+    });
+
+    it('Should normalize and hash gmail',  function() {
+        const username = 'Perimeter.X+001@gmail.com';
+        const password = '1234';
+
+        const protocol = new V2CredentialsIntelligenceProtocol();
+        const hashedCredentials = protocol.ProcessCredentials(username, password);
+
+        (hashedCredentials.username).should.equal('2bd9bd06f3440c682044a3f1b1fa7a97bd8b568a6e9e7d2cb0c6e858d9c78069');
+        (hashedCredentials.password).should.equal('5246d99e5d2506d70db44e8216aecb7be42bf5bf7bc1766a680cbdad2ce046ab');
+    });
+
+    it('Should normalize and hash mail',  function() {
+        const username = 'Perimeter.X+001@perimeterx.com';
+        const password = '1234';
+
+        const protocol = new V2CredentialsIntelligenceProtocol();
+        const hashedCredentials = protocol.ProcessCredentials(username, password);
+
+        (hashedCredentials.username).should.equal('53225d1fa939355031fa2208a44ada1bf9953f0d0daf894baa984a4310df6b48');
+        (hashedCredentials.password).should.equal('ddf40c1584801828bda92cc493373d045de593f73c4fb40aab5de7f19aa8df94');
+    });
+});
diff --git a/test/pxenforcer.test.js b/test/pxenforcer.test.js
@@ -243,7 +243,7 @@ describe('PX Enforcer - pxenforcer.js', () => {
         enforcer = new PxEnforcer(curParams, pxClient);
         enforcer.enforce(req, null, (error, response) => {
             (response === undefined).should.equal(false);
-            (response.body.indexOf('Please verify you are a human') > -1).should.equal(true);
+            (response.body.indexOf('Press & Hold to confirm') > -1).should.equal(true);
             reqStub.restore();
             done();
         });

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "perimeterx-node-core",`
`3`		`- "version": "3.3.2",`
	`3`	`+ "version": "3.4.0",`
`4`	`4`	`"description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"scripts": {`