XHR.Poll passing parameters to dispatcher

satmarin · February 27, 2023, 5:35pm

Hi,
I want to perform an XHR.Poll to send out API calls to an external device (with curl) I am however having difficulties in passing the variable parameters

XHR.poll(2, "/cgi-bin/luci/admin/network/modems/callrest", {"host":"0.0.0.1","query":"state"}, function (x, mArray) { ... <do some processing> });

In my controller lua file I have

entry({"admin", "network", "modems", "callrest"}, call("callmodemrest")).leaf = true
...

function callmodemrest(args)
	local ut = require "luci.util"
        local target= "https://" .. args[1].. "/" .. args[2]
	local mArray = luci.json.decode(ut.trim(ut.trim(sys.exec("curl -k -u adm:pass " .. target))))
	luci.http.prepare_content("application/json")
	luci.http.write_json(mArray)
end

The problem I am having is to pass the query parameters between the XHR.poll and the lua entry. I can set them manually like

...
entry({"admin", "network", "modems", "callrest"}, call("callmodemrest", {"10.0.0.1","system/resource"})).leaf = true
...

which works fine, but hw to pass the parameters from XHR Poll

Thank you fro any pointers
Cheers
Michael

jow · February 27, 2023, 8:29pm

The args you receive in Lua controller functions are additional URL path segments after the target URL, so in order to pass arguments this way, you will need to poll /cgi-bin/luci/admin/network/modems/callrest/xxx/yyy where xxx would correspond to args[1] and yyy to args[2]. In order to access query string or HTTP POST data values, you will need to use luci.http.formvalue("paramname"), in your case luci.http.formvalue('host') and luci.http.formvalue('query')

As a side note, I hope you are aware that this:

local target= "https://" .. args[1].. "/" .. args[2]
local mArray = luci.json.decode(ut.trim(ut.trim(sys.exec("curl -k -u adm:pass " .. target))))

... is a text book code/shell command injection vulnerability.

You could run arbitrary commands in root context by passing something like ?host=;rm -rf / #

satmarin · February 28, 2023, 10:27am

Hi Jow,
Thank you for the help. I will try it today.
Are xxx and yyy in the poll supposed to be values or value pairs ?

Thanks and yes I am aware that there is injection vulnerability, just trying to get my head around the principles

Best regards
Michaël