From b23da1537e5ba548c3b6f0dd7e9c22f2d7d5887f Mon Sep 17 00:00:00 2001
From: Ori
Date: Thu, 30 Dec 2021 01:13:42 +0200
Subject: [PATCH 1/8] added graphql fields model and graphql extraction functions
---
src/GraphqlExtractor.php | 61 ++++++++++++++++++++++++++++++++++++++++
src/GraphqlFields.php | 31 ++++++++++++++++++++
2 files changed, 92 insertions(+)
create mode 100644 src/GraphqlExtractor.php
create mode 100644 src/GraphqlFields.php
diff --git a/src/GraphqlExtractor.php b/src/GraphqlExtractor.php
new file mode 100644
index 0000000..00c88b4
--- /dev/null
+++ b/src/GraphqlExtractor.php
@@ -0,0 +1,61 @@
+operationType = $operationType;
+ $this->operationName = $operationName;
+ }
+
+ /**
+ * @return string
+ */
+ public function getOperationType() {
+ return $this->operationType;
+ }
+
+ /**
+ * @return string
+ */
+ public function getOperationName() {
+ return $this->operationName;
+ }
+}
\ No newline at end of file
From 2fd428f3adffa42e9e8b4f7e228bb0048980f2d1 Mon Sep 17 00:00:00 2001
From: Ori
Date: Thu, 30 Dec 2021 01:14:04 +0200
Subject: [PATCH 2/8] added graphql extraction to risk_api
---
src/PerimeterxS2SValidator.php | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/PerimeterxS2SValidator.php b/src/PerimeterxS2SValidator.php
index 3874e4f..e8dd5b0 100644
--- a/src/PerimeterxS2SValidator.php
+++ b/src/PerimeterxS2SValidator.php
@@ -70,6 +70,10 @@ private function prepareRiskRequestBody() {
 ]
 ];
+ if (strpos($this->pxCtx->getUri(), "graphql") !== false) {
+ $this->handleGraphqlRequest($requestBody);
+ }
+
+
 $pxvid = $this->pxCtx->getPxVidCookie();
 $vid = $this->pxCtx->getVid();
 $vid_source = "none";
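Review bot: The endpoint test `strpos($this->pxCtx->getUri(), "graphql") !== false` is a case-sensitive substring match over whatever getUri() returns, so a request whose query string or an unrelated path segment merely contains "graphql" has its body parsed as a GraphQL request, while a route spelled `/GraphQL` is skipped. If getUri() carries the full request target, restricting the match to the path component (`parse_url(..., PHP_URL_PATH)`) with `stripos`, or better a configurable list of GraphQL routes, makes the trigger predictable and keeps body parsing off non-GraphQL endpoints. The same check reappears in PATCH 7/8's createAdditionalFields() in src/Perimeterx.php, there reading `$_SERVER['REQUEST_URI']` directly. prepareRiskRequestBody() starts before and continues past this hunk.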
@@ -139,6 +143,22 @@ private function prepareRiskRequestBody() {
 return $requestBody;
 }
+ private function handleGraphqlRequest(&$riskBody) {
+ try {
+ $this->pxConfig['logger']->debug("GraphQL endpoint identified");
+ $graphqlFields = GraphqlExtractor::ExtractGraphqlFields();
+ if (!is_null($graphqlFields)) {
+ $this->pxConfig['logger']->debug('Adding graphql fields to risk request');
+ $riskBody['additional']['graphql_operation_type'] = $graphqlFields->getOperationType();
+ $riskBody['additional']['graphql_operation_name'] = $graphqlFields->getOperationName();
+ } else {
+ $this->pxConfig['logger']->debug("Unable to extract graphql fields");
+ }
+ } catch (\Exception $e) {
+ $this->pxConfig['logger']->error('Exception while handling graphql body: ' . $e->getMessage());
+ }
+ }
+
 private function handle_valid_risk_response($response) {
 $this->pxConfig['logger']->debug("Risk API response returned successfully, risk score: {$response->score}, round_trip_time: {$this->pxCtx->getRiskRtt()}");
From d89e3a5a25b4d2cbe2188cb66d6992aff23ff08e Mon Sep 17 00:00:00 2001
From: Shaul Badusa
Date: Fri, 7 Jan 2022 13:21:55 +0200
Subject: [PATCH 3/8] Change cookie origin only for no mobile
---
src/PerimeterxCookieValidator.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PerimeterxCookieValidator.php b/src/PerimeterxCookieValidator.php
index 6ae7288..a2a671d 100644
--- a/src/PerimeterxCookieValidator.php
+++ b/src/PerimeterxCookieValidator.php
@@ -55,10 +55,11 @@ public function verify()
 }
 return false;
 }
+ } else {
+ $this->pxCtx->setCookieOrigin("cookie");
 }
 $cookie = PerimeterxPayload::pxPayloadFactory($this->pxCtx, $this->pxConfig);
 $this->pxConfig['logger']->debug("Cookie {$this->pxCtx->getCookieVersion()} found, Evaluating");
- $this->pxCtx->setCookieOrigin("cookie");
 if (!$cookie->deserialize()) {
 $this->pxConfig['logger']->debug("Cookie decryption failed, value: {$this->pxCtx->getPxCookie()}");
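Review bot: `$this->pxCtx->setCookieOrigin("cookie")` now runs only in the new `else` branch, so the path taken by the preceding `if` (its condition starts before the hunk) must set the cookie origin itself before `pxPayloadFactory` is called; otherwise the context keeps whatever origin it had for that path while the "found, Evaluating" log line still fires for both branches. This is worth confirming against the top of verify(), which is outside the hunk. If the first branch is the mobile path the subject refers to, a one-line comment on the `else`, `// non-mobile request: the payload was read from the cookie`, would make the split explicit for the next reader.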
From f7b6fd4722c221ddb5a957413272991c914ccd28 Mon Sep 17 00:00:00 2001
From: Ori
Date: Fri, 7 Jan 2022 16:03:20 +0200
Subject: [PATCH 4/8] release v3.7.6
---
CHANGELOG.md | 6 ++++++
README.md | 2 +-
composer.json | 2 +-
px_metadata.json | 2 +-
src/Perimeterx.php | 2 +-
5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 192e962..b119fc9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [3.7.6] - 2022-01-07
+
+## Fixed
+
+- Bug with sensitive routes on mobile
+
 ## [3.7.5] - 2021-12-22
 ## Fixed
diff --git a/README.md b/README.md
index af42b64..215da10 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 # [PerimeterX](http://www.perimeterx.com) PHP SDK
-> Latest stable version: [v3.7.4](https://packagist.org/packages/perimeterx/php-sdk#3.7.4)
+> Latest stable version: [v3.7.6](https://packagist.org/packages/perimeterx/php-sdk#3.7.6)
 ## Table of Contents
diff --git a/composer.json b/composer.json
index e3dc1ad..4cd250d 100644
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
 "name": "perimeterx/php-sdk",
 "description": "PerimeterX SDK for PHP",
- "version" : "3.7.5",
+ "version" : "3.7.6",
 "keywords": [
 "perimeterx",
 "websecurity",
diff --git a/px_metadata.json b/px_metadata.json
index 242827a..1656333 100644
--- a/px_metadata.json
+++ b/px_metadata.json
@@ -1,5 +1,5 @@
 {
- "version": "3.7.5",
+ "version": "3.7.6",
 "supported_features": [
 "additional_activity_handler",
 "advanced_blocking_response",
diff --git a/src/Perimeterx.php b/src/Perimeterx.php
index 785fea5..6510679 100644
--- a/src/Perimeterx.php
+++ b/src/Perimeterx.php
@@ -94,7 +94,7 @@ private function __construct(array $pxConfig = [])
 'max_buffer_len' => 1,
 'send_page_activities' => true,
 'send_block_activities' => true,
- 'sdk_name' => 'PHP SDK v3.7.5',
+ 'sdk_name' => 'PHP SDK v3.7.6',
 'debug_mode' => false,
 'perimeterx_server_host' => 'https://sapi-' . strtolower($pxConfig['app_id']) . '.perimeterx.net',
 'captcha_script_host' => 'https://captcha.px-cdn.net',
From c5e5f2cfe336bc29366ba88fffde3218424e1e54 Mon Sep 17 00:00:00 2001
From: Ori
Date: Fri, 7 Jan 2022 18:37:13 +0200
Subject: [PATCH 5/8] modified changelog slightly to add in graphql feature
---
CHANGELOG.md | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b119fc9..ee4144b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,15 +11,19 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Bug with sensitive routes on mobile
+### Added
+
+- Sending graphql operation type and name on risk_api activity
+
 ## [3.7.5] - 2021-12-22
-## Fixed
+### Fixed
 - Allows extraction of login credentials via a custom static class method
 ## [3.7.4] - 2021-12-20
-## Added
+### Added
 - Option to extract login credentials via custom callback function
From 03cdb6b779d8f296da2a3b704d18580426dc0f6b Mon Sep 17 00:00:00 2001
From: Ori
Date: Fri, 7 Jan 2022 18:39:20 +0200
Subject: [PATCH 6/8] small changelog fix
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee4144b..89f5b7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [3.7.6] - 2022-01-07
-## Fixed
+### Fixed
 - Bug with sensitive routes on mobile
From 3e4761d0701f011c1e6914a0e456c7b281398079 Mon Sep 17 00:00:00 2001
From: Ori
Date: Fri, 7 Jan 2022 19:35:11 +0200
Subject: [PATCH 7/8] adding graphql fields to all activities, not just risk
---
src/Perimeterx.php | 50 ++++++++++++++++++++++++++++++----
src/PerimeterxS2SValidator.php | 20 --------------
2 files changed, 44 insertions(+), 26 deletions(-)
diff --git a/src/Perimeterx.php b/src/Perimeterx.php
index 6510679..b02c0a1 100644
--- a/src/Perimeterx.php
+++ b/src/Perimeterx.php
@@ -139,11 +139,9 @@ public function pxVerify()
 return 1;
 }
- if (!is_null($this->pxFieldExtractorManager)) {
- $extractedCredentials = $this->pxFieldExtractorManager->extractFields();
- }
+ $additionalFields = $this->createAdditionalFields();
- $pxCtx = new PerimeterxContext($this->pxConfig, $extractedCredentials);
+ $pxCtx = new PerimeterxContext($this->pxConfig, $additionalFields);
 $this->pxConfig['logger']->debug('Request context created successfully');
 $validator = new PerimeterxCookieValidator($pxCtx, $this->pxConfig);
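Review bot: `new PerimeterxContext($this->pxConfig, $additionalFields)` now always receives an array, an empty `[]` when neither credential extraction nor GraphQL applies, whereas the removed lines passed an unassigned `$extractedCredentials` (null) whenever no field extractor manager was configured. PerimeterxContext is not visible here; if its constructor distinguishes null from an empty array (an `is_null`/`isset` check on the second argument), the no-extractor case changes behaviour silently, so that constructor is worth checking before merging. pxVerify() starts before and continues past this hunk.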
@@ -399,11 +397,51 @@ public function getPxConfig()
 * @return PerimeterxFieldExtractorManager
 */
- private function createFieldExtractorManager() {
+ private function createFieldExtractorManager() {
 if (empty($this->pxConfig['px_enable_login_creds_extraction']) || empty($this->pxConfig['px_login_creds_extraction'])) {
 return null;
 }
 $extractorMap = PerimeterxFieldExtractorManager::createExtractorMap($this->pxConfig['px_login_creds_extraction']);
 return new PerimeterxFieldExtractorManager($extractorMap, $this->pxConfig['logger']);
- }
+ }
+
+ private function createAdditionalFields() {
+ $additionalFields = array();
+
+ if (!is_null($this->pxFieldExtractorManager)) {
+ $extractedCredentials = $this->pxFieldExtractorManager->extractFields();
+ if (isset($extractedCredentials)) {
+ $additionalFields = array_merge($additionalFields, $extractedCredentials);
+ }
+ }
+
+ if (strpos($_SERVER['REQUEST_URI'], "graphql") !== false) {
+ $graphqlFields = $this->extractGraphqlFields();
+ if (isset($graphqlFields)) {
+ $additionalFields = array_merge($additionalFields, [
+ 'graphql_operation_type' => $graphqlFields->getOperationType(),
+ 'graphql_operation_name' => $graphqlFields->getOperationName()
+ ]);
+ }
+ }
+
+ return $additionalFields;
+ }
+
+ private function extractGraphqlFields() {
+ try {
+ $this->pxConfig['logger']->debug("GraphQL endpoint identified");
+ $graphqlFields = GraphqlExtractor::ExtractGraphqlFields();
+ if (!is_null($graphqlFields)) {
+ $this->pxConfig['logger']->debug('Successfully extracted graphql fields');
+ return $graphqlFields;
+ } else {
+ $this->pxConfig['logger']->debug("Unable to extract graphql fields");
+ return null;
+ }
+ } catch (\Exception $e) {
+ $this->pxConfig['logger']->error('Exception while handling graphql body: ' . $e->getMessage());
+ return null;
+ }
+ }
 }
diff --git a/src/PerimeterxS2SValidator.php b/src/PerimeterxS2SValidator.php
index e8dd5b0..3874e4f 100644
--- a/src/PerimeterxS2SValidator.php
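Review bot: createAdditionalFields() reads `$_SERVER['REQUEST_URI']` with no guard, which is undefined outside a web SAPI (CLI entry points, unit tests) and raises an undefined-index warning before `strpos` is handed null; it also bypasses the request accessor the removed S2S code used (`$this->pxCtx->getUri()`), understandably since the context is only constructed after this call in pxVerify(). `$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';` keeps the check safe, and the substring match itself has the over-matching concern already raised on the PATCH 2/8 hunk. The operation type and name returned by `GraphqlExtractor::ExtractGraphqlFields()` originate in the request body and are now attached to every activity rather than only risk_api; the extractor's source is not readable in this series, so confirm it bounds their length and rejects non-string values before they are forwarded. Minor style: `array()` on the first line of the method sits a few lines above the short `[...]` syntax, and `isset($extractedCredentials)` on a freshly assigned variable reads clearer as `!is_null(...)`, matching the check used just above it.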
+++ b/src/PerimeterxS2SValidator.php
@@ -70,10 +70,6 @@ private function prepareRiskRequestBody() {
 ]
 ];
- if (strpos($this->pxCtx->getUri(), "graphql") !== false) {
- $this->handleGraphqlRequest($requestBody);
- }
-
 $pxvid = $this->pxCtx->getPxVidCookie();
 $vid = $this->pxCtx->getVid();
 $vid_source = "none";
@@ -143,22 +139,6 @@ private function prepareRiskRequestBody() {
 return $requestBody;
 }
- private function handleGraphqlRequest(&$riskBody) {
- try {
- $this->pxConfig['logger']->debug("GraphQL endpoint identified");
- $graphqlFields = GraphqlExtractor::ExtractGraphqlFields();
- if (!is_null($graphqlFields)) {
- $this->pxConfig['logger']->debug('Adding graphql fields to risk request');
- $riskBody['additional']['graphql_operation_type'] = $graphqlFields->getOperationType();
- $riskBody['additional']['graphql_operation_name'] = $graphqlFields->getOperationName();
- } else {
- $this->pxConfig['logger']->debug("Unable to extract graphql fields");
- }
- } catch (\Exception $e) {
- $this->pxConfig['logger']->error('Exception while handling graphql body: ' . $e->getMessage());
- }
- }
-
 private function handle_valid_risk_response($response) {
 $this->pxConfig['logger']->debug("Risk API response returned successfully, risk score: {$response->score}, round_trip_time: {$this->pxCtx->getRiskRtt()}");
From 084186ec0ab01ec3e79ba86ab795be6a973b7bb6 Mon Sep 17 00:00:00 2001
From: Ori
Date: Fri, 7 Jan 2022 19:51:16 +0200
Subject: [PATCH 8/8] changelog modifications
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89f5b7d..b13efd1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
-- Sending graphql operation type and name on risk_api activity
+- Sending graphql operation type and name on activities
 ## [3.7.5] - 2021-12-22