
auth: `\n` embedded in Lua record accepted by API, causes issues on Secondary

Open aerique opened this issue 1 year ago • 0 comments

Short description

It is possible to submit or change a Lua record through the API that contains newlines (`\n`), and while this seems to work for the record on the Primary server, the newlines get turned into `\\010` on the Secondary after an AXFR. Querying that same domain on the Secondary causes a SERVFAIL.

Environment

  • Operating system: Linux
  • Software version: Authoritative v4.8.4
  • Software source: Docker powerdns/pdns-auth-48

Steps to reproduce

  1. Set up Primary and Secondary server, with the Primary's API available at 127.0.0.1 port 8081 with API key test
  2. Create zone a.example.com
    • `curl --silent -X POST -H "Content-Type: application/json" -H "X-API-Key: test" "http://127.0.0.1:8081/api/v1/servers/localhost/zones" --data '{"name":"a.example.com.", "kind": "Master", "nameservers": ["ns1.example.org.", "ns2.example.org."]}'`
  3. Add a Lua record with a newline:
    • file content contains: `{"rrsets":[{"name":"a.example.com.","type":"LUA","ttl":3600,"records":[{"content":"A \"filterForward(createForward(), newNMG({'10.2.3.4/23',\" \"\n '10.1.2.5/24'}), '0.0.0.0')\"","disabled":false,"set-ptr":false}],"_scheduled_at":null,"changetype":"REPLACE","id":null,"server":null,"zone":null,"timestamp":null,"user":null,"comment":null,"from_server":false}]}`
    • Use above-mentioned file here: `curl -X PATCH -H "Content-Type: application/json" -H "X-API-Key: test" "http://127.0.0.1:8081/api/v1/servers/localhost/zones/a.example.com." --data @content`

Querying a.example.com will work for the Primary but not for the Secondary (`dig @localhost +norecurse a.example.com -t A`).

`pdnsutil list-zone a.example.com` will show the Lua record with an actual newline in the terminal for the Primary and `\010` for the Secondary.

(Akshually, this has been tested for SQLite, MySQL, PostgreSQL & LMDB and LMDB also inserts a \010 on the Primary causing a SERVFAIL.)

Expected behaviour

Having already discussed this with @Habbie, he is of the opinion Lua records with \n should be rejected by the API.

Actual behaviour

Lua record gets accepted by the Primary, gets AXFR'd to Secondary while \n is turned into \\010 somewhere which causes a SERVFAIL.

Other information

This has already been discussed in company chat and @Habbie has checked and reproduced this issue.

aerique, Feb 06 '24 14:02
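
A client-side pre-flight check for the PATCH body in the report, as an added example that is not part of the original issue and not PowerDNS code: it flags control characters in LUA record content before the request is sent and shows each one in the `\DDD` decimal escape form seen on the Secondary. The helper name `find_control_chars` and the trimmed sample payload are constructed for this illustration.

```python
import json

# Constructed sample: the PATCH body from the report, trimmed to the fields this
# check reads. The JSON escape \n inside "content" decodes to a real newline.
SAMPLE_PATCH = r'''
{"rrsets":[{"name":"a.example.com.","type":"LUA","ttl":3600,"changetype":"REPLACE",
"records":[{"content":"A \"filterForward(createForward(), newNMG({'10.2.3.4/23',\" \"\n '10.1.2.5/24'}), '0.0.0.0')\"","disabled":false}]}]}
'''


def find_control_chars(patch_body, types=("LUA",)):
    """Return (name, type, offset, escape) for each control character found
    in the record content of the selected rrset types (hypothetical helper)."""
    findings = []
    for rrset in json.loads(patch_body).get("rrsets", []):
        if rrset.get("type") not in types:
            continue
        for record in rrset.get("records", []):
            for offset, ch in enumerate(record.get("content", "")):
                if ord(ch) < 0x20 or ord(ch) == 0x7F:
                    # Zone-file presentation format (RFC 1035) writes an octet
                    # as \DDD in decimal, so a newline (10) appears as \010.
                    escape = "\\%03d" % ord(ch)
                    findings.append((rrset.get("name"), rrset.get("type"), offset, escape))
    return findings


if __name__ == "__main__":
    problems = find_control_chars(SAMPLE_PATCH)
    for name, rtype, offset, escape in problems:
        print(f"{name} {rtype}: control character {escape} at content offset {offset}")
    # Refuse to send the PATCH when anything was flagged.
    raise SystemExit(1 if problems else 0)
```

Run against the file passed to `--data @content`, the check exits non-zero for the payload in the report, so a wrapper script can stop before the PATCH reaches the Primary.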