Merge pull request #102 from PerimeterX/fix/first_party_xhr_parsing

added verification for first party xhr url
PerimeterX · Jan 24, 2024 · 6b1075f · 6b1075f
2 parents 3b41c4c + 3a4d642
commit 6b1075f
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/PerimeterXModule/Internals/ReverseProxy.cs b/PerimeterXModule/Internals/ReverseProxy.cs
@@ -5,6 +5,7 @@
 using System.Net;
 using System.Text;
 using System.Web;
+using System.Text.RegularExpressions;
 
 namespace PerimeterX
 {
@@ -175,7 +176,16 @@ public void ReversePxXhr(HttpContext context)
 				RenderPredefinedResponse(context, contentType, defaultResponse);
 				return;
 			}
-			string uri = context.Request.RawUrl.Replace(XhrReversePrefix, "");
+
+			string pathName = context.Request.Path.Replace(XhrReversePrefix, "");
+			string url = CollectorUrl + pathName + context.Request.QueryString;
+			string host = Regex.Replace(CollectorUrl, "https?:\\/\\/", "");
+			if (!isValidThirdPartyUrl(url, host, pathName))
+			{
+				PxLoggingUtils.LogDebug(string.Format("First party XHR URL is inaccurate: {0}, rendreing default response", url));
+				RenderPredefinedResponse(context, contentType, defaultResponse);
+				return;
+			}
 
 			string vid = null;
 			HttpCookie pxvid = context.Request.Cookies.Get("pxvid");
@@ -212,7 +222,7 @@ public void ReversePxXhr(HttpContext context)
 				context.Request.Headers.Add("Cookie", string.Format("pxvid={0}", vid));
 			}
 
-			bool success = ProcessRequest(context, CollectorUrl, uri);
+			bool success = ProcessRequest(context, CollectorUrl, pathName);
 			if (!success)
 			{
 				PxLoggingUtils.LogDebug("Redirect XHR returned bad status, rendering default response");
@@ -296,6 +306,17 @@ private void RenderPredefinedResponse(HttpContext context, string contentType, s
 			context.Response.End();
 		}
 
-
+		public bool isValidThirdPartyUrl(string url, string expectedHost, string expectedPath)
+		{
+			try
+			{
+				Uri uri = new Uri(url);
+				return uri.Host.ToLower() == expectedHost.ToLower() && uri.PathAndQuery.StartsWith(expectedPath);
+			}
+			catch (Exception e)
+			{
+				return false;
+			}
+		}
 	}
 }