Merge pull request #325 from PerimeterX/release/v7.3.0

Release/v7.3.0

Author: wizzard

CHANGELOG.md

@@ -6,6 +6,19 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 
+## [7.3.0] - 2023-06-13
+### Added
+- CORS support
+- Set X-PX-COOKIES as the default custom cookie name
+- _M.px_login_creds_settings configuration, to allow specify CI settings in Lua configuration file
+
+### Changed
+- rename "px_graphql_paths" to "px_graphql_routes"
+
+### Fixed
+- correctly add GraphQL routes (requests must contain specified GraphQL Type/Name) to sensitive routes
+
+
 ## [7.2.1] - 2023-04-20
 ### Added
 - `custom_sensitive_routes` a custom function to determine if url path is a sensitive route

README.md

@@ -2,7 +2,7 @@
 
 # [PerimeterX](http://www.perimeterx.com) NGINX Lua Plugin
 
-> Latest stable version: [v7.2.1](https://luarocks.org/modules/bendpx/perimeterx-nginx-plugin/7.2.1-1)
+> Latest stable version: [v7.3.0](https://luarocks.org/modules/bendpx/perimeterx-nginx-plugin/7.3.0-1)
 
 ## [Introduction](#introduction)
 

lib/px/block/pxblock.lua

@@ -54,6 +54,24 @@ function M.load(px_config)
         end
     end
 
+    local function append_cors_headers()
+        if not px_config.px_cors_support_enabled then
+            return
+        end
+
+        if px_config.px_cors_create_custom_block_response_headers ~= nil then
+            px_config.px_cors_create_custom_block_response_headers()
+        else
+            local origin_val = px_headers.get_header(px_constants.ORIGIN_HEADER_NAME)
+            if origin_val ~= nil then
+                ngx.header[px_constants.CORS_HEADER_KEY] = origin_val
+                ngx.header[px_constants.CORS_ALLOW_CREDENTIALS_HEADER_KEY] = 'true'
+            end
+        end
+
+
+    end
+
     function _M.block(reason, creds, graphql, custom_params, jwt)
         local details = {}
         local ref_str = ''
@@ -137,6 +155,7 @@ function M.load(px_config)
                 page = ngx.encode_base64(html),
                 collectorUrl = collectorUrl
             }
+            append_cors_headers()
             ngx.header["Content-Type"] = 'application/json'
             ngx.status = ngx_HTTP_FORBIDDEN
             ngx.say(cjson.encode(result))
@@ -160,13 +179,15 @@ function M.load(px_config)
                 customLogo = px_config.customLogo,
                 altBlockScript = props.altBlockScript
             }
+            append_cors_headers()
             ngx.header["Content-Type"] = 'application/json'
             ngx.status = ngx_HTTP_FORBIDDEN
             ngx.say(cjson.encode(result))
             ngx_exit(ngx.OK)
         end
 
         -- web scenarios
+        append_cors_headers()
         ngx.header["Content-Type"] = 'text/html'
 
         -- render advanced actions (js challange/rate limit)

lib/px/pxconfig.lua

@@ -32,7 +32,7 @@ _M.auth_token = 'PX_AUTH_TOKEN'
 -- _M.reverse_xhr_enabled = true
 -- _M.proxy_url = nil
 -- _M.proxy_authorization = nil
--- _M.custom_cookie_header = nil
+-- _M.custom_cookie_header = 'X-PX-COOKIES'
 -- _M.bypass_monitor_header = nil
 -- _M.pxhd_secure_enabled = false
 
@@ -83,6 +83,7 @@ _M.auth_token = 'PX_AUTH_TOKEN'
 -- ## Login Credentials extraction
 --_M.px_enable_login_creds_extraction = false
 --_M.px_login_creds_settings_filename = nil
+--_M.px_login_creds_settings = nil
 --_M.px_compromised_credentials_header_name = "px-compromised-credentials"
 --_M.px_login_successful_reporting_method = "none"
 --_M.px_login_successful_header_name = "x-px-login-successful"
@@ -100,7 +101,7 @@ _M.auth_token = 'PX_AUTH_TOKEN'
 -- ## GraphQL
 -- _M.px_sensitive_graphql_operation_types = {}
 -- _M.px_sensitive_graphql_operation_names = {}
--- _M.px_graphql_paths = {'/graphql'}
+-- _M.px_graphql_routes = {'/graphql'}
 
 -- ## User Identifiers
 -- _M.px_jwt_cookie_name = nil
@@ -109,4 +110,10 @@ _M.auth_token = 'PX_AUTH_TOKEN'
 -- _M.px_jwt_header_name = nil
 -- _M.px_jwt_header_user_id_field_name = nil
 -- _M.px_jwt_header_additional_field_names = {}
+
+-- ## CORS support
+-- _M.px_cors_support_enabled = false
+-- _M.px_cors_custom_preflight_handler = nil
+-- _M.px_cors_preflight_request_filter_enabled = false
+-- _M.px_cors_create_custom_block_response_headers = nil
 return _M

lib/px/pxnginx.lua

@@ -227,6 +227,36 @@ function M.application(px_configuration_table)
         return px_data
     end
 
+    -- filter preflight requests
+    local method = ngx.req.get_method()
+    method = method:upper()
+    if px_config.px_cors_support_enabled and
+        method == px_constants.OPTIONS_METHOD and
+        (px_config.px_cors_custom_preflight_handler ~= nil or
+        px_config.px_cors_preflight_request_filter_enabled) then
+
+        local origin_val = px_headers.get_header(px_constants.ORIGIN_HEADER_NAME)
+        local req_method_val = px_headers.get_header(px_constants.CORS_ACCESS_CONTROL_REQUEST_METHOD_HEADER)
+
+        if origin_val ~= nil and req_method_val ~= nil then
+
+            if px_config.px_cors_custom_preflight_handler ~= nil then
+                px_logger.debug("custom_enabled_routes was triggered")
+                local ret = px_config.px_cors_custom_preflight_handler()
+                if ret then
+                    px_headers.set_score_header(0)
+                    return px_data
+                end
+            end
+
+            if px_config.px_cors_preflight_request_filter_enabled then
+                px_headers.set_score_header(0)
+                return px_data
+            end
+
+        end
+    end
+
     -- Clean any protected headers from the request.
     -- Prevents header spoofing to upstream application
     px_headers.clear_protected_headers()

lib/px/utils/config_builder.lua

@@ -62,15 +62,16 @@ PX_DEFAULT_CONFIGURATIONS["whitelist_uri_suffixes"] = { {'.css', '.bmp', '.tif',
 PX_DEFAULT_CONFIGURATIONS["whitelist_ip_addresses"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["whitelist_ua_full"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["whitelist_ua_sub"] = { {}, "table"}
-PX_DEFAULT_CONFIGURATIONS["custom_cookie_header"] = { nil, "string"}
+PX_DEFAULT_CONFIGURATIONS["custom_cookie_header"] = { 'X-PX-COOKIES', "string"}
 PX_DEFAULT_CONFIGURATIONS["bypass_monitor_header"] = { nil, "string"}
 PX_DEFAULT_CONFIGURATIONS["postpone_page_requested"] = { false, "boolean"}
 PX_DEFAULT_CONFIGURATIONS["hypesale_host"] = { "https://captcha.px-cdn.net", "string"}
 PX_DEFAULT_CONFIGURATIONS["px_sensitive_graphql_operation_types"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["px_sensitive_graphql_operation_names"] = { {}, "table"}
-PX_DEFAULT_CONFIGURATIONS["px_graphql_paths"] = { {'/graphql'}, "table"}
+PX_DEFAULT_CONFIGURATIONS["px_graphql_routes"] = { {'/graphql'}, "table"}
 PX_DEFAULT_CONFIGURATIONS["px_enable_login_creds_extraction"] = { false, "boolean"}
 PX_DEFAULT_CONFIGURATIONS["px_login_creds_settings_filename"] = { nil, "string"}
+PX_DEFAULT_CONFIGURATIONS["px_login_creds_settings"] = { nil, "table"}
 PX_DEFAULT_CONFIGURATIONS["px_compromised_credentials_header_name"] = { "px-compromised-credentials", "string"}
 PX_DEFAULT_CONFIGURATIONS["px_login_successful_reporting_method"] = { "none", "string"}
 PX_DEFAULT_CONFIGURATIONS["px_login_successful_header_name"] = { "x-px-login-successful", "string"}
@@ -86,8 +87,13 @@ PX_DEFAULT_CONFIGURATIONS["px_jwt_cookie_additional_field_names"] = { {}, "table
 PX_DEFAULT_CONFIGURATIONS["px_jwt_header_name"] = { nil, "string"}
 PX_DEFAULT_CONFIGURATIONS["px_jwt_header_user_id_field_name"] = { nil, "string"}
 PX_DEFAULT_CONFIGURATIONS["px_jwt_header_additional_field_names"] = { {}, "table"}
+PX_DEFAULT_CONFIGURATIONS["px_cors_support_enabled"] = { false, "boolean"}
+PX_DEFAULT_CONFIGURATIONS["px_cors_preflight_request_filter_enabled"] = { false, "boolean"}
+PX_DEFAULT_CONFIGURATIONS["px_cors_custom_preflight_handler"] = { nil, "function"}
+PX_DEFAULT_CONFIGURATIONS["px_cors_create_custom_block_response_headers"] = { nil, "function"}
 
 function _M.load(px_config)
+    local px_constants = require("px.utils.pxconstants")
     local ngx_log = ngx.log
     local ngx_ERR = ngx.ERR
 
@@ -124,6 +130,11 @@ function _M.load(px_config)
         end
     end
 
+    -- set default GraphQL route
+    if not px_config.px_graphql_routes then
+        table.insert(px_config.px_graphql_routes, px_constants.GRAPHQL_PATH)
+    end
+
     return px_config
 end
 

lib/px/utils/pxconstants.lua

@@ -3,7 +3,7 @@
 ----------------------------------------------
 
 local _M = {
-    MODULE_VERSION = "NGINX Module v7.2.1",
+    MODULE_VERSION = "NGINX Module v7.3.0",
     RISK_PATH = "/api/v3/risk",
     CAPTCHA_PATH = "/api/v2/risk/captcha",
     ACTIVITIES_PATH = "/api/v1/collector/s2s",
@@ -20,7 +20,7 @@ local _M = {
     HSC_BLOCK_ACTION = 'hsc',
     HSC_DRC_PROPERTY = 7190,
     HSC_BLOCK_TYPE = 'pxHypeSaleChallenge',
-    GRAPHQL_PATH = "graphql",
+    GRAPHQL_PATH = "/graphql",
     GRAPHQL_QUERY = "query",
     GRAPHQL_MUTATION = "mutation",
     JSON_CONTENT_TYPE = "application/json",
@@ -34,7 +34,17 @@ local _M = {
     EMAIL_ADDRESS_REGEX = "[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?",
     GMAIL_DOMAIN = "gmail.com",
     BACKUP_CAPTCHA_HOST = "https://captcha.px-cloud.net",
-    CTS_COOKIE = "pxcts"
+    CTS_COOKIE = "pxcts",
+    CORS_HEADER_KEY = "Access-Control-Allow-Origin",
+    CORS_ALLOW_CREDENTIALS_HEADER_KEY = "Access-Control-Allow-Credentials",
+    CORS_ACCESS_CONTROL_ALLOW_METHODS_KEY = "Access-Control-Allow-Methods",
+    CORS_ACCESS_CONTROL_REQUEST_METHOD_HEADER = "Access-Control-Request-Method",
+    CORS_ACCESS_CONTROL_ALLOW_METHODS_VALUE = "GET,POST,OPTIONS",
+    CORS_ACCESS_CONTROL_ALLOW_HEADERS_KEY = "Access-Control-Allow-Headers",
+    CORS_ACCESS_CONTROL_ALLOW_HEADERS_VALUE = "Content-Type,Authorization",
+    ORIGIN_HEADER_NAME = "origin",
+    OPTIONS_METHOD = "OPTIONS"
+
 }
 
 return _M

lib/px/utils/pxgraphql_extractor.lua

@@ -96,15 +96,15 @@ function M.load(px_config)
         local operationType = graphql["operationType"]
         local operationName = graphql["operationName"]
 
-        if next(px_config.px_sensitive_graphql_operation_names) ~= nil and operationType then
+        if next(px_config.px_sensitive_graphql_operation_types) ~= nil and operationType then
             for i = 1, #px_config.px_sensitive_graphql_operation_types do
                 if px_config.px_sensitive_graphql_operation_types[i] == operationType then
                     return true
                 end
             end
         end
 
-        if next(px_config.px_sensitive_graphql_operation_types) ~= nil and operationName then
+        if next(px_config.px_sensitive_graphql_operation_names) ~= nil and operationName then
             for i = 1, #px_config.px_sensitive_graphql_operation_names do
                 if px_config.px_sensitive_graphql_operation_names[i] == operationName then
                     return true
@@ -116,9 +116,14 @@ function M.load(px_config)
     end
 
     function _M.extract(lower_request_url)
+        if not ((px_config.px_sensitive_graphql_operation_types and next(px_config.px_sensitive_graphql_operation_types) ~= nil) or
+            (px_config.px_sensitive_graphql_operation_names and next(px_config.px_sensitive_graphql_operation_names) ~= nil)) then
+            return nil
+        end
+
         local method = ngx.req.get_method()
-        for i = 1, #px_config.px_graphql_paths do
-            if string.find(lower_request_url, px_config.px_graphql_paths[i]) and method:lower() == "post" then
+        for i = 1, #px_config.px_graphql_routes do
+            if string.find(lower_request_url, px_config.px_graphql_routes[i]) and method:lower() == "post" then
                 -- force Nginx to read body data
                 ngx.req.read_body()
                 local body = ngx.req.get_body_data()
@@ -138,8 +143,7 @@ function M.load(px_config)
             end
         end
 
-        return nul;
-
+        return nil
     end
 
     return _M

lib/px/utils/pxlogin_credentials.lua

@@ -358,6 +358,29 @@ function M.load(px_config)
         return pxdata
     end
 
+    -- try to load CI from a JSON file. Return True / False
+    function _M.px_credentials_load_from_file()
+        -- try to load JSON with creds information
+        local f, err = io.open(px_config.px_login_creds_settings_filename, "r")
+        if not f then
+            px_logger.error("Failed to load login credentials JSON file: " .. err)
+            return false
+        end
+
+        local content = f:read("*a")
+        f:close()
+
+        local success, creds_json  = pcall(cjson.decode, content)
+        if not success then
+            px_logger.error("Could not decode login credentials JSON file")
+            return false
+        else
+            if creds_json.features.credentials.items then
+                px_config.creds = creds_json.features.credentials.items
+            end
+        end
+        return true
+    end
 
     -- extract login information from client request
     -- return table or nil
@@ -395,7 +418,7 @@ function M.load(px_config)
     end
 
     -- check if login credentials feature is enabled
-    if not px_config.px_enable_login_creds_extraction or px_config.px_login_creds_settings_filename == nil then
+    if not px_config.px_enable_login_creds_extraction then
         return _M
     end
 
@@ -404,26 +427,23 @@ function M.load(px_config)
         return _M
     end
 
-    -- try to load JSON with creds information
-    local f, err = io.open(px_config.px_login_creds_settings_filename, "r")
-    if not f then
-        px_logger.error("Failed to load login credentials JSON file: " .. err)
-        return _M
+    if px_config.px_login_creds_settings_filename ~= nil then
+        local res = _M.px_credentials_load_from_file()
+        if not res then
+            return _M
+        end
     end
 
-    local content = f:read("*a")
-    f:close()
-
-    local success, creds_json  = pcall(cjson.decode, content)
-    if not success then
-        px_logger.error("Could not decode login credentials JSON file")
-    else
-        if creds_json.features.credentials.items then
-            px_config.creds = creds_json.features.credentials.items
-            for _, p in pairs(px_config.creds) do
-                if p["path"] then
-                    table.insert(px_config.sensitive_routes, p["path"])
-                end
+    -- Use settings from Enforcer configuration
+    if px_config.px_login_creds_settings and next(px_config.px_login_creds_settings) ~= nil then
+        px_config.creds = px_config.px_login_creds_settings
+    end
+
+    -- update sensitive routes
+    if px_config.creds and next(px_config.creds) ~= nil then
+        for _, p in pairs(px_config.creds) do
+            if p["path"] then
+                table.insert(px_config.sensitive_routes, p["path"])
             end
         end
     end

perimeterx-nginx-plugin-7.2.1-1.rockspec renamed to perimeterx-nginx-plugin-7.3.0-1.rockspec

@@ -1,8 +1,8 @@
  package = "perimeterx-nginx-plugin"
- version = "7.2.1-1"
+ version = "7.3.0-1"
  source = {
     url = "git+https://github.com/PerimeterX/perimeterx-nginx-plugin.git",
-    tag = "v7.2.1",
+    tag = "v7.3.0",
  }
  description = {
     summary = "PerimeterX NGINX Lua Middleware.",