OpenVPN Authentication Script

Question

I wrote a shell script to authenticate users connecting to an OpenVPN server. When a user attempts to connect, OpenVPN executes the script with the username and password variables sends. The script then sends an HTTP request to a web server that either returns a status code of 202 upon success and 401 on failure.

I would like to know if the following script is secure when it comes to remote code execution and url-encoded arguments injection.

#!/bin/bash

# Change the domain to your SUPINBOT installation.
URL=http://localhost:8080/vpn/api/checkAccount
# Change to a secure random string.
API_KEY=PRIVATE_KEY

rawurlencode() {
    local string="${1}"
    local strlen=${#string}
    local encoded=""
    local pos c o

    for (( pos=0 ; pos<strlen ; pos++ )); do
        c=${string:$pos:1}
        case "$c" in
            [-_.~a-zA-Z0-9] ) o="${c}" ;;
            * )               printf -v o '%%%02x' "'$c"
        esac
        encoded+="${o}"
    done
    ENCODED=$encoded
}

rawurlencode $API_KEY;
encodedApiKey=$ENCODED;

rawurlencode $username;
encodedUsername=$ENCODED;

rawurlencode $password;
encodedPassword=$ENCODED;

responseCode=$(curl --write-out %{http_code} --silent --output /dev/null -d "apiKey=$encodedApiKey&username=$encodedUsername&password=$encodedPassword" $URL)

if [ "$responseCode" -eq "202" ]; then
    exit 0;
else
    exit 1;
fi;

Answer 1

The URL encoding looks correct. However, that doesn't mean that users cannot enter something malicious that will trigger some bug in the server. But that's up to the server implementation to be robust to malicious inputs. Also note that anybody with access to this script can read your API key and make arbitrary API calls.

Many lines end with ;. This is pointless, you should remove all those ;.

The exit code of a Bash script is the exit code of the last command. So you could replace the last if-else condition with this simple line, and get the exact same effect:

[ "$responseCode" -eq "202" ]