From d4c801d8c332254a21278ce4c7d5814b02883fde Mon Sep 17 00:00:00 2001
From: kexkey
Date: Fri, 26 Oct 2018 15:25:01 -0400
Subject: [PATCH] Underscore in action was detected as potential code injection

---
 api_auth_docker/auth.sh | 7 +-
 api_auth_docker/tests.sh | 312 +++++++++++++++++++--------------------
 2 files changed, 160 insertions(+), 159 deletions(-)

diff --git a/api_auth_docker/auth.sh b/api_auth_docker/auth.sh
index 81f4bfb..ca9f65b 100644
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
@@ -87,13 +87,14 @@ verify_group()
 trace "[verify_group] Verifying group..."
 
 local id=${1}
- # REQUEST_URI should look like this: /watch/2blablabla
+ # REQUEST_URI should look like this: /watch/2blablabla
 local action=$(echo "${REQUEST_URI:1}" | cut -d '/' -f1)
 trace "[verify_group] action=${action}"
 
 # Check for code injection
- # action can be alphanum... nothing else
- case $action in (*[![:alnum:]]*|"")
+ # action can be alphanum... and _ and - but nothing else
+ local actiontoinspect=$(echo "$action" | tr -d '_-')
+ case $actiontoinspect in (*[![:alnum:]]*|"")
 trace "[verify_group] Potential code injection, exiting"
 return 1
 esac
diff --git a/api_auth_docker/tests.sh b/api_auth_docker/tests.sh
index c4d023c..deaf273 100644
--- a/api_auth_docker/tests.sh
+++ b/api_auth_docker/tests.sh
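Review bot: The new `actiontoinspect` line pipes the untrusted `action` through `echo | tr -d '_-'` to widen the allow-list, but the `case` pattern can express the same allow-list directly with no extra processes: `case $action in (*[![:alnum:]_-]*|"")` (the `-` must stay last inside the bracket expression so it is read literally). That also removes the `local actiontoinspect=$(...)` assignment, whose `local` masks the pipeline's exit status (ShellCheck SC2155). The one behavioural difference is that a name made only of `_`/`-` characters, which the `tr` form reduces to `""` and rejects, would pass the pattern form; if that rejection is intended, keep the `tr` form but declare `local actiontoinspect` on its own line before assigning it. verify_group begins and ends outside this hunk.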
@@ -9,221 +9,221 @@ test_expiration() { - # Let's test expiration: 1 second in payload, request 2 seconds later + # Let's test expiration: 1 second in payload, request 2 seconds later - local id=${1} -# echo "id=${id}" - local k - eval k='$ukey_'$id + local id=${1} +# echo "id=${id}" + local k + eval k='$ukey_'$id - local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64) - local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) - local token="$h64.$p64.$s" + local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64) + local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) + local token="$h64.$p64.$s" - echo " Sleeping 2 seconds... " - sleep 2 + echo " Sleeping 2 seconds... " + sleep 2 - local rc - echo -n " Testing expired request... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) - [ "${rc}" -ne "403" ] && return 10 + local rc + echo -n " Testing expired request... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) + [ "${rc}" -ne "403" ] && return 10 - return 0 + return 0 } test_authentication() { - # Let's test authentication/signature + # Let's test authentication/signature - local id=${1} -# echo "id=${id}" - local k - eval k='$ukey_'$id + local id=${1} +# echo "id=${id}" + local k + eval k='$ukey_'$id - local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) - local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) - local token="$h64.$p64.$s" + local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) + local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) + local token="$h64.$p64.$s" - local rc + local rc - echo -n " Testing good signature... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) - [ "${rc}" -eq "403" ] && return 20 + echo -n " Testing good signature... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) + [ "${rc}" -eq "403" ] && return 20 - token="$h64.$p64.a$s" - echo -n " Testing bad signature... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) - [ "${rc}" -ne "403" ] && return 30 + token="$h64.$p64.a$s" + echo -n " Testing bad signature... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) + [ "${rc}" -ne "403" ] && return 30 - return 0 + return 0 } test_authorization_watcher() { - # Let's test autorization + # Let's test autorization - local id=${1} -# echo "id=${id}" - local k - eval k='$ukey_'$id + local id=${1} +# echo "id=${id}" + local k + eval k='$ukey_'$id - local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) - local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) - local token="$h64.$p64.$s" + local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64) + local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) + local token="$h64.$p64.$s" - local rc + local rc - # Watcher can: - # watch - echo -n " Testing watch... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch) - [ "${rc}" -eq "403" ] && return 40 + # Watcher can: + # watch + echo -n " Testing watch... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch) + [ "${rc}" -eq "403" ] && return 40 - # unwatch - echo -n " Testing unwatch... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch) - [ "${rc}" -eq "403" ] && return 50 + # unwatch + echo -n " Testing unwatch... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch) + [ "${rc}" -eq "403" ] && return 50 - # getactivewatches - echo -n " Testing getactivewatches... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches) - [ "${rc}" -eq "403" ] && return 60 + # getactivewatches + echo -n " Testing getactivewatches... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches) + [ "${rc}" -eq "403" ] && return 60 - # getbestblockhash - echo -n " Testing getbestblockhash... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash) - [ "${rc}" -eq "403" ] && return 70 + # getbestblockhash + echo -n " Testing getbestblockhash... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash) + [ "${rc}" -eq "403" ] && return 70 - # getbestblockinfo - echo -n " Testing getbestblockinfo... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo) - [ "${rc}" -eq "403" ] && return 80 + # getbestblockinfo + echo -n " Testing getbestblockinfo... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo) + [ "${rc}" -eq "403" ] && return 80 - # getblockinfo - echo -n " Testing getblockinfo... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) - [ "${rc}" -eq "403" ] && return 90 + # getblockinfo + echo -n " Testing getblockinfo... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo) + [ "${rc}" -eq "403" ] && return 90 - # gettransaction - echo -n " Testing gettransaction... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction) - [ "${rc}" -eq "403" ] && return 100 + # gettransaction + echo -n " Testing gettransaction... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction) + [ "${rc}" -eq "403" ] && return 100 - # ln_getinfo - echo -n " Testing ln_getinfo... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo) - [ "${rc}" -eq "403" ] && return 110 + # ln_getinfo + echo -n " Testing ln_getinfo... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo) + [ "${rc}" -eq "403" ] && return 110 - # ln_create_invoice - echo -n " Testing ln_create_invoice... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice) - [ "${rc}" -eq "403" ] && return 120 + # ln_create_invoice + echo -n " Testing ln_create_invoice... 
" + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice) + [ "${rc}" -eq "403" ] && return 120 - return 0 + return 0 } test_authorization_spender() { - # Let's test autorization + # Let's test autorization - local id=${1} -# echo "id=${id}" - local is_spender=${2} -# echo "is_spender=${is_spender}" - local k - eval k='$ukey_'$id + local id=${1} +# echo "id=${id}" + local is_spender=${2} +# echo "is_spender=${is_spender}" + local k + eval k='$ukey_'$id - local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) - local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) - local token="$h64.$p64.$s" + local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64) + local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) + local token="$h64.$p64.$s" - local rc + local rc - # Spender can do what the watcher can do, plus: - # getbalance - echo -n " Testing getbalance... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135 + # Spender can do what the watcher can do, plus: + # getbalance + echo -n " Testing getbalance... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135 - # getnewaddress - echo -n " Testing getnewaddress... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145 + # getnewaddress + echo -n " Testing getnewaddress... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145 - # spend - echo -n " Testing spend... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155 + # spend + echo -n " Testing spend... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155 - # addtobatch - echo -n " Testing addtobatch... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165 + # addtobatch + echo -n " Testing addtobatch... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165 - # batchspend - echo -n " Testing batchspend... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175 + # batchspend + echo -n " Testing batchspend... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175 - # deriveindex - echo -n " Testing deriveindex... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185 + # deriveindex + echo -n " Testing deriveindex... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185 - # derivepubpath - echo -n " Testing derivepubpath... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195 + # derivepubpath + echo -n " Testing derivepubpath... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195 - # ln_pay - echo -n " Testing ln_pay... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205 + # ln_pay + echo -n " Testing ln_pay... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205 - # ln_newaddr - echo -n " Testing ln_newaddr... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr) - [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210 - [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215 + # ln_newaddr + echo -n " Testing ln_newaddr... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr) + [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210 + [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215 - return 0 + return 0 } test_authorization_internal() { - # Let's test autorization + # Let's test autorization - local id=${1} -# echo "id=${id}" - local k - eval k='$ukey_'$id + local id=${1} +# echo "id=${id}" + local k + eval k='$ukey_'$id - local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) - local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) - local token="$h64.$p64.$s" + local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64) + local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1) + local token="$h64.$p64.$s" - local rc + local rc - # Should be called from inside the Swarm: - # conf - echo -n " Testing conf... 
" - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf) - [ "${rc}" -ne "403" ] && return 220 + # Should be called from inside the Swarm: + # conf + echo -n " Testing conf... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf) + [ "${rc}" -ne "403" ] && return 220 - # executecallbacks - echo -n " Testing executecallbacks... " - rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks) - [ "${rc}" -ne "403" ] && return 230 + # executecallbacks + echo -n " Testing executecallbacks... " + rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks) + [ "${rc}" -ne "403" ] && return 230 - return 0 + return 0 } kapi_id="001";kapi_key="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";kapi_groups="watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}