Underscore in action was detected as potential code injection

2026-01-01 04:25:58 -08:00 · 2018-10-26 15:25:01 -04:00
parent 1c5d1f9c24
commit d4c801d8c3
2 changed files with 160 additions and 159 deletions
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
@@ -87,13 +87,14 @@ verify_group()
  trace "[verify_group] Verifying group..."
  local id=${1}
-	# REQUEST_URI should look like this: /watch/2blablabla
+  # REQUEST_URI should look like this: /watch/2blablabla
  local action=$(echo "${REQUEST_URI:1}" | cut -d '/' -f1)
  trace "[verify_group] action=${action}"
  # Check for code injection
-  # action can be alphanum... nothing else
+  # action can be alphanum... and _ and - but nothing else
-  case $action in (*[![:alnum:]]*|"")
+	local actiontoinspect=$(echo "$action" | tr -d '_-')
  case $actiontoinspect in (*[![:alnum:]]*|"")
  trace "[verify_group] Potential code injection, exiting"
  return 1
  esac
--- a/api_auth_docker/tests.sh
+++ b/api_auth_docker/tests.sh
@@ -9,221 +9,221 @@
 test_expiration()
 {
-	# Let's test expiration: 1 second in payload, request 2 seconds later
+  # Let's test expiration: 1 second in payload, request 2 seconds later
-	local id=${1}
+  local id=${1}
-#	echo "id=${id}"
+#  echo "id=${id}"
-	local k
+  local k
-	eval k='$ukey_'$id
+  eval k='$ukey_'$id
-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64)
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+1))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local token="$h64.$p64.$s"
-	echo "  Sleeping 2 seconds... "
+  echo "  Sleeping 2 seconds... "
-	sleep 2
+  sleep 2
-	local rc
+  local rc
-	echo -n "  Testing expired request... "
+  echo -n "  Testing expired request... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -ne "403" ] && return 10
+  [ "${rc}" -ne "403" ] && return 10
-	return 0
+  return 0
 }
 test_authentication()
 {
-	# Let's test authentication/signature
+  # Let's test authentication/signature
-	local id=${1}
+  local id=${1}
-#	echo "id=${id}"
+#  echo "id=${id}"
-	local k
+  local k
-	eval k='$ukey_'$id
+  eval k='$ukey_'$id
-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local token="$h64.$p64.$s"
-	local rc
+  local rc
-	echo -n "  Testing good signature... "
+  echo -n "  Testing good signature... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -eq "403" ] && return 20
+  [ "${rc}" -eq "403" ] && return 20
-	token="$h64.$p64.a$s"
+  token="$h64.$p64.a$s"
-	echo -n "  Testing bad signature... "
+  echo -n "  Testing bad signature... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -ne "403" ] && return 30
+  [ "${rc}" -ne "403" ] && return 30
-	return 0
+  return 0
 }
 test_authorization_watcher()
 {
-	# Let's test autorization
+  # Let's test autorization
-	local id=${1}
+  local id=${1}
-#	echo "id=${id}"
+#  echo "id=${id}"
-	local k
+  local k
-	eval k='$ukey_'$id
+  eval k='$ukey_'$id
-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local token="$h64.$p64.$s"
-	local rc
+  local rc
-	# Watcher can:
+  # Watcher can:
-	# watch
+  # watch
-	echo -n "  Testing watch... "
+  echo -n "  Testing watch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/watch)
-	[ "${rc}" -eq "403" ] && return 40
+  [ "${rc}" -eq "403" ] && return 40
-	# unwatch
+  # unwatch
-	echo -n "  Testing unwatch... "
+  echo -n "  Testing unwatch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/unwatch)
-	[ "${rc}" -eq "403" ] && return 50
+  [ "${rc}" -eq "403" ] && return 50
-	# getactivewatches
+  # getactivewatches
-	echo -n "  Testing getactivewatches... "
+  echo -n "  Testing getactivewatches... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getactivewatches)
-	[ "${rc}" -eq "403" ] && return 60
+  [ "${rc}" -eq "403" ] && return 60
-	# getbestblockhash
+  # getbestblockhash
-	echo -n "  Testing getbestblockhash... "
+  echo -n "  Testing getbestblockhash... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockhash)
-	[ "${rc}" -eq "403" ] && return 70
+  [ "${rc}" -eq "403" ] && return 70
-	# getbestblockinfo
+  # getbestblockinfo
-	echo -n "  Testing getbestblockinfo... "
+  echo -n "  Testing getbestblockinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbestblockinfo)
-	[ "${rc}" -eq "403" ] && return 80
+  [ "${rc}" -eq "403" ] && return 80
-	# getblockinfo
+  # getblockinfo
-	echo -n "  Testing getblockinfo... "
+  echo -n "  Testing getblockinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getblockinfo)
-	[ "${rc}" -eq "403" ] && return 90
+  [ "${rc}" -eq "403" ] && return 90
-	# gettransaction
+  # gettransaction
-	echo -n "  Testing gettransaction... "
+  echo -n "  Testing gettransaction... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/gettransaction)
-	[ "${rc}" -eq "403" ] && return 100
+  [ "${rc}" -eq "403" ] && return 100
-	# ln_getinfo
+  # ln_getinfo
-	echo -n "  Testing ln_getinfo... "
+  echo -n "  Testing ln_getinfo... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_getinfo)
-	[ "${rc}" -eq "403" ] && return 110
+  [ "${rc}" -eq "403" ] && return 110
-	# ln_create_invoice
+  # ln_create_invoice
-	echo -n "  Testing ln_create_invoice... "
+  echo -n "  Testing ln_create_invoice... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_create_invoice)
-	[ "${rc}" -eq "403" ] && return 120
+  [ "${rc}" -eq "403" ] && return 120
-	return 0
+  return 0
 }
 test_authorization_spender()
 {
-	# Let's test autorization
+  # Let's test autorization
-	local id=${1}
+  local id=${1}
-#	echo "id=${id}"
+#  echo "id=${id}"
-	local is_spender=${2}
+  local is_spender=${2}
-#	echo "is_spender=${is_spender}"
+#  echo "is_spender=${is_spender}"
-	local k
+  local k
-	eval k='$ukey_'$id
+  eval k='$ukey_'$id
-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+20))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local token="$h64.$p64.$s"
-	local rc
+  local rc
-	# Spender can do what the watcher can do, plus:
+  # Spender can do what the watcher can do, plus:
-	# getbalance
+  # getbalance
-	echo -n "  Testing getbalance... "
+  echo -n "  Testing getbalance... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getbalance)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 130
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 135
-	# getnewaddress
+  # getnewaddress
-	echo -n "  Testing getnewaddress... "
+  echo -n "  Testing getnewaddress... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/getnewaddress)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 140
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 145
-	# spend
+  # spend
-	echo -n "  Testing spend... "
+  echo -n "  Testing spend... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/spend)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 150
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 155
-	# addtobatch
+  # addtobatch
-	echo -n "  Testing addtobatch... "
+  echo -n "  Testing addtobatch... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/addtobatch)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 160
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 165
-	# batchspend
+  # batchspend
-	echo -n "  Testing batchspend... "
+  echo -n "  Testing batchspend... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/batchspend)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 170
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 175
-	# deriveindex
+  # deriveindex
-	echo -n "  Testing deriveindex... "
+  echo -n "  Testing deriveindex... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/deriveindex)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 180
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 185
-	# derivepubpath
+  # derivepubpath
-	echo -n "  Testing derivepubpath... "
+  echo -n "  Testing derivepubpath... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/derivepubpath)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 190
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 195
-	# ln_pay
+  # ln_pay
-	echo -n "  Testing ln_pay... "
+  echo -n "  Testing ln_pay... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_pay)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 200
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 205
-	# ln_newaddr
+  # ln_newaddr
-	echo -n "  Testing ln_newaddr... "
+  echo -n "  Testing ln_newaddr... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/ln_newaddr)
-	[ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210
+  [ ${is_spender} = true ] && [ "${rc}" -eq "403" ] && return 210
-	[ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215
+  [ ${is_spender} = false ] && [ "${rc}" -ne "403" ] && return 215
-	return 0
+  return 0
 }
 test_authorization_internal()
 {
-	# Let's test autorization
+  # Let's test autorization
-	local id=${1}
+  local id=${1}
-#	echo "id=${id}"
+#  echo "id=${id}"
-	local k
+  local k
-	eval k='$ukey_'$id
+  eval k='$ukey_'$id
-	local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
+  local p64=$(echo "{\"id\":\"$id\",\"exp\":$((`date +"%s"`+10))}" | base64)
-	local s=$(echo "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
+  local s=$(echo -n "$h64.$p64" | openssl dgst -hmac "$k" -sha256 -r | cut -sd ' ' -f1)
-	local token="$h64.$p64.$s"
+  local token="$h64.$p64.$s"
-	local rc
+  local rc
-	# Should be called from inside the Swarm:
+  # Should be called from inside the Swarm:
-	# conf
+  # conf
-	echo -n "  Testing conf... "
+  echo -n "  Testing conf... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/conf)
-	[ "${rc}" -ne "403" ] && return 220
+  [ "${rc}" -ne "403" ] && return 220
-	# executecallbacks
+  # executecallbacks
-	echo -n "  Testing executecallbacks... "
+  echo -n "  Testing executecallbacks... "
-	rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks)
+  rc=$(time -f "%E" curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $token" -k https://localhost/executecallbacks)
-	[ "${rc}" -ne "403" ] && return 230
+  [ "${rc}" -ne "403" ] && return 230
-	return 0
+  return 0
 }
 kapi_id="001";kapi_key="2df1eeea370eacdc5cf7e96c2d82140d1568079a5d4d87006ec8718a98883b36";kapi_groups="watcher";eval ugroups_${kapi_id}=${kapi_groups};eval ukey_${kapi_id}=${kapi_key}