Skip to content

Regex SR and Orig cookie vid support#222

Merged
DanBezalelpx merged 5 commits into
devfrom
feature/orig-cookie-vid
Jul 5, 2026
Merged

Regex SR and Orig cookie vid support#222
DanBezalelpx merged 5 commits into
devfrom
feature/orig-cookie-vid

Conversation

@DanBezalelpx

Copy link
Copy Markdown
Contributor

No description provided.

DorAshkenaziHuman and others added 3 commits January 29, 2026 15:25
Align sensitive route matching with the cross-enforcer spec by supporting
regex-format string patterns alongside existing plain-string prefix matching.
Patterns like "/^\/api\/.*\/payment$/i" are now detected and matched using
preg_match, while plain strings continue to use prefix matching for backward
compatibility.

- Add PerimeterxRouteUtils with normalizePath, convertStringToRegex, and
  isPathInPatterns
- Update PerimeterxContext to use PerimeterxRouteUtils::isPathInPatterns
- Add comprehensive unit tests for all matching modes
- Fix PHP 8.5 compatibility (PerimeterxLogger signature, PerimeterxPayload
  dynamic properties)
- Add sample site for manual testing of sensitive route patterns
- Update README with regex pattern documentation and trailing-slash caveat
When the _pxvid cookie contains a value that fails UUID validation,
store the raw value in orig_cookie_vid on the context and include it
in all activity details (page_requested, block, additional_s2s) and
the risk API request. Also adds enforcer_vid_source to all activities
and fixes the unanchored UUID validation regex in the S2S validator.
@DanBezalelpx DanBezalelpx changed the title Feature/orig cookie vid Regex SR and Orig cookie vid support Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new route-pattern matching utility (supporting both legacy prefix matching and regex-form strings) and extends VID handling to record the original _pxvid cookie when invalid, while propagating vid_source/orig_cookie_vid into S2S Risk API requests and activities.

Changes:

  • Introduces PerimeterxRouteUtils for path normalization + mixed prefix/regex sensitive-route matching, and wires it into PerimeterxContext.
  • Adds tracking of invalid _pxvid as orig_cookie_vid plus vid_source, and includes both in S2S request “additional” fields and activity details.
  • Adds PHPUnit coverage and a runnable sample site demonstrating sensitive route matching and normalization.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
tests/PerimeterxRouteUtilsTest.php Adds unit tests for path normalization and regex/prefix matching behavior.
tests/PerimeterxOrigCookieVidTest.php Adds unit tests for VID validation and orig-cookie VID propagation into activities.
src/PerimeterxS2SValidator.php Uses context-provided vid_source and includes orig_cookie_vid in Risk API request body.
src/PerimeterxRouteUtils.php New utility implementing path normalization and prefix/regex pattern matching.
src/PerimeterxPayload.php Declares cookie-related properties on the base payload class.
src/PerimeterxOriginalTokenValidator.php Sets vid_source when VID is extracted from the original token payload.
src/PerimeterxLogger.php Updates PSR-3 log() signature.
src/PerimeterxCookieValidator.php Sets vid_source when VID is extracted from a validated risk cookie.
src/PerimeterxContext.php Parses _pxvid into vid/orig_cookie_vid, adds getters/setters, and switches sensitive-route matching to the new utility.
src/PerimeterxActivitiesClient.php Adds enforcer_vid_source and orig_cookie_vid into activity details.
README.md Documents sensitive route patterns including regex-form strings and the trailing-slash caveat.
examples/sample-site/router.php Adds router script for PHP built-in server use.
examples/sample-site/README.md Adds instructions and examples for testing sensitive route matching.
examples/sample-site/index.php Adds a demo site UI exercising pattern matching + normalization.
examples/sample-site/Dockerfile Adds a Docker image for running the sample site under Apache.
examples/sample-site/docker-compose.yml Adds compose configuration for the sample site.
examples/sample-site/.htaccess Adds rewrite rules for Apache routing to index.php.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/PerimeterxLogger.php Outdated
Comment thread src/PerimeterxRouteUtils.php
DanBpx added 2 commits July 2, 2026 12:37
Paths with '..' segments that traverse above the root (e.g. '/../login')
would lose the leading '/' and normalize to 'login' instead of '/login',
allowing traversal-style URIs to bypass sensitive route detection.

Prevent array_pop from removing the root segment by only popping when
the resolved array has more than one element.
…ility

The \Stringable|string union type and :void return type require PHP 8.0+,
but the SDK supports PHP >=7.2.5. Revert to the original untyped signature.
@DanBezalelpx DanBezalelpx merged commit a226775 into dev Jul 5, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants