Merge pull request #72 from PerimeterX/release/v2.3.2

etrpx · web-flow · commit 92f0f750b58f · 2022-08-17T10:58:03.000+03:00
Release/v2.3.2
diff --git a/.gitignore b/.gitignore
@@ -17,6 +17,8 @@ examples/app/views/home/index.html.erb
 *.gem
 rerun.txt
 pickle-email-*.html
+.idea/
+.vscode/
 
 # TODO Comment out these rules if you are OK with secrets being uploaded to the repo
 config/initializers/secret_token.rb
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,29 +1,19 @@
 PATH
   remote: .
   specs:
-    perimeter_x (2.0.0)
-      activesupport (>= 5.2.4.3)
+    perimeter_x (2.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.5)
       mustache (~> 1.0, >= 1.0.3)
       typhoeus (~> 1.1, >= 1.1.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.3.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
-    concurrent-ruby (1.1.6)
+    concurrent-ruby (1.1.10)
     diff-lcs (1.4.4)
-    ethon (0.12.0)
-      ffi (>= 1.3.0)
-    ffi (1.13.1)
-    i18n (1.8.3)
-      concurrent-ruby (~> 1.0)
-    minitest (5.14.1)
+    ethon (0.15.0)
+      ffi (>= 1.15.0)
+    ffi (1.15.5)
     mocha (1.11.2)
     mustache (1.1.1)
     rake (13.0.1)
@@ -40,12 +30,8 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
-    thread_safe (0.3.6)
     typhoeus (1.4.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
-    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby
diff --git a/changelog.md b/changelog.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.3.2] - 2022-xx-xx
+
+### Changed
+
+- Removed dependency on Active Support
+- Replaced `eval()` calls with `JSON.parse()` for improved security
+- Small spec alignment changes (risk_api and block activities)
+
 ## [2.3.1] - 2022-04-11
 
 ### Fixed
diff --git a/lib/perimeterx/configuration.rb b/lib/perimeterx/configuration.rb
@@ -82,8 +82,10 @@ def initialize(params)
       # merge request configuration into the basic configuration
       @configuration = @@basic_config.merge(params)
       validate_hash_schema(@configuration, CONFIG_SCHEMA)
-      
-      @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
+
+      if (! @configuration.key?(:backend_url))
+        @configuration[:backend_url] = "https://sapi-#{@configuration[:app_id].downcase}.perimeterx.net"
+      end
       @configuration[:logger] = PxLogger.new(@configuration[:debug])
     end
   end
diff --git a/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb b/lib/perimeterx/internal/clients/perimeter_x_activity_client.rb
@@ -63,6 +63,7 @@ def send_block_activity(px_ctx)
         :client_uuid => px_ctx.context[:uuid],
         :block_score => px_ctx.context[:score],
         :block_reason => px_ctx.context[:blocking_reason],
+        :block_action => px_ctx.context[:block_action],
         :simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE
       }
 
diff --git a/lib/perimeterx/internal/payload/perimeter_x_cookie_v3.rb b/lib/perimeterx/internal/payload/perimeter_x_cookie_v3.rb
@@ -22,7 +22,7 @@ def cookie_hmac
     end
 
     def valid_format?(cookie)
-      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:u) && cookie.key?(:a)
+      return cookie.key?(:t) && cookie.key?(:s) && cookie.key?(:u) && cookie.key?(:a)
     end
 
     def cookie_block_action
diff --git a/lib/perimeterx/internal/payload/perimeter_x_payload.rb b/lib/perimeterx/internal/payload/perimeter_x_payload.rb
@@ -1,6 +1,6 @@
-require 'active_support/security_utils'
 require 'base64'
 require 'openssl'
+require 'json'
 require 'perimeterx/internal/exceptions/px_cookie_decryption_exception'
 
 module PxModule
@@ -123,26 +123,34 @@ def decrypt(px_cookie)
         cipher.iv = iv
         plaintext = cipher.update(cipher_text) + cipher.final
 
-        return eval(plaintext)
+        return JSON.parse(plaintext, symbolize_names: true)
       rescue Exception => e
         @logger.debug("PerimeterxCookie[decrypt]: Cookie decrypt fail #{e.message}")
         raise PxCookieDecryptionException.new("Cookie decrypt fail => #{e.message}");
       end
     end
 
     def decode(px_cookie)
-      return eval(Base64.decode64(px_cookie))
+      return JSON.parse(Base64.decode64(px_cookie), symbolize_names: true)
     end
 
 
     def hmac_valid?(hmac_str, cookie_hmac)
       hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @cookie_secret, hmac_str)
-      # ref: https://thisdata.com/blog/timing-attacks-against-string-comparison/
-      password_correct = ActiveSupport::SecurityUtils.secure_compare(
-          ::Digest::SHA256.hexdigest(cookie_hmac),
-          ::Digest::SHA256.hexdigest(hmac)
-      )
+      password_correct = secure_compare(hmac, cookie_hmac)
+    end
+
+    def secure_compare(a, b)
+      # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/security_utils.rb
+      if (a.bytesize != b.bytesize)
+        return false
+      end
+
+      l = a.unpack "C#{a.bytesize}"
 
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
     end
   end
 end
diff --git a/lib/perimeterx/internal/perimeter_x_context.rb b/lib/perimeterx/internal/perimeter_x_context.rb
@@ -101,25 +101,25 @@ def initialize(px_config, req)
 	  @context[:sensitive_route] = check_sensitive_route(px_config[:sensitive_routes], @context[:uri]) 
     end #end init
 
-	def check_sensitive_route(sensitive_routes, uri)
-		sensitive_routes.each do |sensitive_route|
-			return true if uri.start_with? sensitive_route
-		end
-    false
-	end
+    def check_sensitive_route(sensitive_routes, uri)
+      sensitive_routes.each do |sensitive_route|
+        return true if uri.start_with? sensitive_route
+      end
+      false
+    end
 
     def set_block_action_type(action)
       @context[:block_action] = case action
         when 'c'
-          'captcha'
+          return 'captcha'
         when 'b'
           return 'block'
         when 'j'
           return 'challenge'
         when 'r'
           return 'rate_limit'
         else
-          return captcha
+          return 'captcha'
         end
     end
 
diff --git a/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb b/lib/perimeterx/internal/validators/perimeter_x_s2s_validator.rb
@@ -1,3 +1,4 @@
+require 'json'
 require 'perimeterx/internal/clients/perimeter_x_risk_client'
 
 module PxModule
@@ -20,7 +21,6 @@ def send_risk_request(px_ctx)
         :request => {
           :ip      => px_ctx.context[:ip],
           :headers => format_headers(px_ctx),
-          :uri     => px_ctx.context[:uri],
           :url     => px_ctx.context[:full_url]
         },
         :additional => {
@@ -103,7 +103,7 @@ def verify(px_ctx)
       px_ctx.context[:made_s2s_risk_api_call] = true
 
       # From here response should be valid, if success or error
-      response_body = eval(response.body);
+      response_body = JSON.parse(response.body, symbolize_names: true);
       # When success
       if (response.code == 200 && response_body.key?(:score) && response_body.key?(:action) && response_body.key?(:status) && response_body[:status] == 0 )
         @logger.debug("PerimeterxS2SValidator[verify]: response ok")
diff --git a/lib/perimeterx/version.rb b/lib/perimeterx/version.rb
@@ -1,3 +1,3 @@
 module PxModule
-  VERSION = '2.3.1'
+  VERSION = '2.3.2'
 end
diff --git a/perimeter_x.gemspec b/perimeter_x.gemspec
@@ -33,7 +33,6 @@ Gem::Specification.new do |gem|
   gem.add_dependency('concurrent-ruby', '~> 1.0', '>= 1.0.5')
   gem.add_dependency('typhoeus', '~> 1.1', '>= 1.1.2')
   gem.add_dependency('mustache', '~> 1.0', '>= 1.0.3')
-  gem.add_dependency('activesupport', '>= 5.2.4.3')
 
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'mocha', '~> 1.2', '>= 1.2.1'
diff --git a/px_metadata.json b/px_metadata.json
@@ -1,5 +1,5 @@
 {
-    "version": "2.3.1",
+    "version": "2.3.2",
     "supported_features": [
         "additional_activity_handler",
         "advanced_blocking_response",
diff --git a/readme.md b/readme.md
@@ -5,7 +5,7 @@
 [PerimeterX](http://www.perimeterx.com) Ruby SDK
 =============================================================
 
-> Latest stable version: [v2.3.1](https://rubygems.org/gems/perimeter_x)
+> Latest stable version: [v2.3.2](https://rubygems.org/gems/perimeter_x)
 
 Table of Contents
 -----------------
@@ -161,14 +161,15 @@ params = {
 
 > Note: IP extraction, according to your network setup, is very important. It is common to have a load balancer/proxy on top of your applications, in which case the PerimeterX module will send the system's internal IP as the user's. In order to properly perform processing and detection on server-to-server calls, PerimeterX module needs the real user's IP.
 
-By default the clients IP is taken from the ``REMOTE_ADDR`` header, in case the user decides to use different header or custom function that extract the header the following key should be added to the configuration
+By default the clients IP is taken from the `REMOTE_ADDR` header, in case the user decides to use different header or custom function that extract the header the following key should be added to the configuration.
 
 ***Custom header***
+> Note: If there are multiple headers configured, the module will evaluate the headers in order and use the first value it finds.
 ```ruby
 configuration = {
   "app_id" => <APP_ID>,
   "auth_token" => <AUTH_TOKEN>,
-  "custom_user_ip" => <HTTP_HEADER_NAME>,
+  "ip_headers" => [<HTTP_HEADER_NAME>, <BACKUP_HTTP_HEADER_NAME>],
 ```
 
 ***Custom Function***
@@ -178,7 +179,7 @@ configuration = {
 configuration = {
   "app_id" => <APP_ID>,
   "auth_token" => <AUTH_TOKEN>,
-  "custom_user_ip_method" => -> (req) {
+  "ip_header_function" => -> (req) {
     # Method body
     return "1.2.3.4"
   }
@@ -214,14 +215,14 @@ params = [
 > Note: Custom logo/js/css can be added together
 
 <a name="logging"></a>**No Blocking, Monitor Only**
-Default mode: PxModule::ACTIVE_MODE
+Default mode: PxModule::MONITOR_MODE
 
 - PxModule::ACTIVE_MODE - Module blocks users crossing the predefined block threshold. Server-to-server requests are sent synchronously.
 
-- PxModule::$MONITOR_MODE - Module does not block users crossing the predefined block threshold. The `custom_block_handler` function will be eval'd in case one is supplied, upon crossing the defined block threshold.
+- PxModule::MONITOR_MODE - Module does not block users crossing the predefined block threshold. The `custom_block_handler` function will be eval'd in case one is supplied, upon crossing the defined block threshold.
 
 ```ruby
-params[:module_mode] = PxModule::MONITOR_MODE
+params[:module_mode] = PxModule::ACTIVE_MODE
 ```
 
 <a name="custom-uri"></a>**Custom URI**
diff --git a/spec/token_generator.rb b/spec/token_generator.rb
@@ -1,4 +1,3 @@
-require 'active_support/security_utils'
 require 'base64'
 require 'openssl'
 require 'json'

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ def send_block_activity(px_ctx)`
`63`	`63`	`:client_uuid => px_ctx.context[:uuid],`
`64`	`64`	`:block_score => px_ctx.context[:score],`
`65`	`65`	`:block_reason => px_ctx.context[:blocking_reason],`
	`66`	`+ :block_action => px_ctx.context[:block_action],`
`66`	`67`	`:simulated_block => @px_config[:module_mode] == PxModule::MONITOR_MODE`
`67`	`68`	`}`
`68`	`69`