Underscore in action was detected as potential code injection

2026-01-01 04:25:58 -08:00 · 2018-10-26 15:25:01 -04:00
parent 1c5d1f9c24
commit d4c801d8c3
2 changed files with 160 additions and 159 deletions
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
@@ -87,13 +87,14 @@ verify_group()
  trace "[verify_group] Verifying group..."

  local id=${1}
-	# REQUEST_URI should look like this: /watch/2blablabla
+  # REQUEST_URI should look like this: /watch/2blablabla
  local action=$(echo "${REQUEST_URI:1}" | cut -d '/' -f1)
  trace "[verify_group] action=${action}"

  # Check for code injection
-  # action can be alphanum... nothing else
-  case $action in (*[![:alnum:]]*|"")
+  # action can be alphanum... and _ and - but nothing else
+	local actiontoinspect=$(echo "$action" | tr -d '_-')
+  case $actiontoinspect in (*[![:alnum:]]*|"")
  trace "[verify_group] Potential code injection, exiting"
  return 1
  esac
--- a/api_auth_docker/tests.sh
+++ b/api_auth_docker/tests.sh
@@ -9,221 +9,221 @@

 test_expiration()
 {
-	# Let's test expiration: 1 second in payload, request 2 seconds later
+  # Let's test expiration: 1 second in payload, request 2 seconds later

-	local id=${1}
-#	echo "id=${id}"
-	local k
-	eval k='$ukey_'$id
+  local id=${1}
+#  echo "id=${id}"
+  local k
+  eval k='$ukey_'$id

-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local token="$h64.$p64.$s"

-	echo "  Sleeping 2 seconds... "
-	sleep 2
+  echo "  Sleeping 2 seconds... "
+  sleep 2

-	local rc
-	echo -n "  Testing expired request... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -ne "403" ] && return 10
+  local rc
+  echo -n "  Testing expired request... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  [ "${rc}" -ne "403" ] && return 10

-	return 0
+  return 0
 }

 test_authentication()
 {
-	# Let's test authentication/signature
+  # Let's test authentication/signature

-	local id=${1}
-#	echo "id=${id}"
-	local k
-	eval k='$ukey_'$id
+  local id=${1}
+#  echo "id=${id}"
+  local k
+  eval k='$ukey_'$id

-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local token="$h64.$p64.$s"

-	local rc
+  local rc

-	echo -n "  Testing good signature... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -eq "403" ] && return 20
+  echo -n "  Testing good signature... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  [ "${rc}" -eq "403" ] && return 20

-	token="$h64.$p64.a$s"
-	echo -n "  Testing bad signature... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -ne "403" ] && return 30
+  token="$h64.$p64.a$s"
+  echo -n "  Testing bad signature... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  [ "${rc}" -ne "403" ] && return 30

-	return 0
+  return 0
 }

 test_authorization_watcher()
 {
-	# Let's test autorization
+  # Let's test autorization

-	local id=${1}
-#	echo "id=${id}"
-	local k
-	eval k='$ukey_'$id
+  local id=${1}
+#  echo "id=${id}"
+  local k
+  eval k='$ukey_'$id

-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local token="$h64.$p64.$s"

-	local rc
+  local rc

-	# Watcher can:
-	# watch
-	echo -n "  Testing watch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch)
-	[ "${rc}" -eq "403" ] && return 40
+  # Watcher can:
+  # watch
+  echo -n "  Testing watch... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch)
+  [ "${rc}" -eq "403" ] && return 40

-	# unwatch
-	echo -n "  Testing unwatch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch)
-	[ "${rc}" -eq "403" ] && return 50
+  # unwatch
+  echo -n "  Testing unwatch... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch)
+  [ "${rc}" -eq "403" ] && return 50

-	# getactivewatches
-	echo -n "  Testing getactivewatches... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches)
-	[ "${rc}" -eq "403" ] && return 60
+  # getactivewatches
+  echo -n "  Testing getactivewatches... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches)
+  [ "${rc}" -eq "403" ] && return 60

-	# getbestblockhash
-	echo -n "  Testing getbestblockhash... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash)
-	[ "${rc}" -eq "403" ] && return 70
+  # getbestblockhash
+  echo -n "  Testing getbestblockhash... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash)
+  [ "${rc}" -eq "403" ] && return 70

-	# getbestblockinfo
-	echo -n "  Testing getbestblockinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo)
-	[ "${rc}" -eq "403" ] && return 80
+  # getbestblockinfo
+  echo -n "  Testing getbestblockinfo... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo)
+  [ "${rc}" -eq "403" ] && return 80

-	# getblockinfo
-	echo -n "  Testing getblockinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -eq "403" ] && return 90
+  # getblockinfo
+  echo -n "  Testing getblockinfo... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  [ "${rc}" -eq "403" ] && return 90

-	# gettransaction
-	echo -n "  Testing gettransaction... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction)
-	[ "${rc}" -eq "403" ] && return 100
+  # gettransaction
+  echo -n "  Testing gettransaction... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction)
+  [ "${rc}" -eq "403" ] && return 100

-	# ln_getinfo
-	echo -n "  Testing ln_getinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo)
-	[ "${rc}" -eq "403" ] && return 110
+  # ln_getinfo
+  echo -n "  Testing ln_getinfo... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo)
+  [ "${rc}" -eq "403" ] && return 110

-	# ln_create_invoice
-	echo -n "  Testing ln_create_invoice... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice)
-	[ "${rc}" -eq "403" ] && return 120
+  # ln_create_invoice
+  echo -n "  Testing ln_create_invoice... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice)
+  [ "${rc}" -eq "403" ] && return 120

-	return 0
+  return 0
 }

 test_authorization_spender()
 {
-	# Let's test autorization
+  # Let's test autorization

-	local id=${1}
-#	echo "id=${id}"
-	local is_spender=${2}
-#	echo "is_spender=${is_spender}"
-	local k
-	eval k='$ukey_'$id
+  local id=${1}
+#  echo "id=${id}"
+  local is_spender=${2}
+#  echo "is_spender=${is_spender}"
+  local k
+  eval k='$ukey_'$id

-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local token="$h64.$p64.$s"

-	local rc
+  local rc

-	# Spender can do what the watcher can do, plus:
-	# getbalance
-	echo -n "  Testing getbalance... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135
+  # Spender can do what the watcher can do, plus:
+  # getbalance
+  echo -n "  Testing getbalance... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135

-	# getnewaddress
-	echo -n "  Testing getnewaddress... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145
+  # getnewaddress
+  echo -n "  Testing getnewaddress... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145

-	# spend
-	echo -n "  Testing spend... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155
+  # spend
+  echo -n "  Testing spend... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155

-	# addtobatch
-	echo -n "  Testing addtobatch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165
+  # addtobatch
+  echo -n "  Testing addtobatch... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165

-	# batchspend
-	echo -n "  Testing batchspend... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175
+  # batchspend
+  echo -n "  Testing batchspend... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175

-	# deriveindex
-	echo -n "  Testing deriveindex... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185
+  # deriveindex
+  echo -n "  Testing deriveindex... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185

-	# derivepubpath
-	echo -n "  Testing derivepubpath... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195
+  # derivepubpath
+  echo -n "  Testing derivepubpath... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195

-	# ln_pay
-	echo -n "  Testing ln_pay... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205
+  # ln_pay
+  echo -n "  Testing ln_pay... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205

-	# ln_newaddr
-	echo -n "  Testing ln_newaddr... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215
+  # ln_newaddr
+  echo -n "  Testing ln_newaddr... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr)
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215

-	return 0
+  return 0
 }

 test_authorization_internal()
 {
-	# Let's test autorization
+  # Let's test autorization

-	local id=${1}
-#	echo "id=${id}"
-	local k
-	eval k='$ukey_'$id
+  local id=${1}
+#  echo "id=${id}"
+  local k
+  eval k='$ukey_'$id

-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local token="$h64.$p64.$s"

-	local rc
+  local rc

-	# Should be called from inside the Swarm:
-	# conf
-	echo -n "  Testing conf... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf)
-	[ "${rc}" -ne "403" ] && return 220
+  # Should be called from inside the Swarm:
+  # conf
+  echo -n "  Testing conf... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf)
+  [ "${rc}" -ne "403" ] && return 220

-	# executecallbacks
-	echo -n "  Testing executecallbacks... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks)
-	[ "${rc}" -ne "403" ] && return 230
+  # executecallbacks
+  echo -n "  Testing executecallbacks... "
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks)
+  [ "${rc}" -ne "403" ] && return 230

-	return 0
+  return 0
 }

 kapi_id="001";kapi_key="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";kapi_groups="watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}