Ensure reserved environment names aren't changed, fix undefined variable, ref pterodactyl#412

DaneEveritt · DaneEveritt · commit 43df6533b085 · 2017-05-01T17:01:46.000-04:00
diff --git a/app/Models/ServiceVariable.php b/app/Models/ServiceVariable.php
@@ -53,6 +53,30 @@ class ServiceVariable extends Model
         'user_editable' => 'integer',
     ];
 
+    /**
+     * Reserved environment variable names.
+     *
+     * @var array
+     */
+    protected static $reservedNames = [
+        'SERVER_MEMORY',
+        'SERVER_IP',
+        'SERVER_PORT',
+        'ENV',
+        'HOME',
+        'USER',
+    ];
+
+    /**
+     * Returns an array of environment variable names that cannot be used.
+     *
+     * @return array
+     */
+    public static function reservedNames()
+    {
+        return self::$reservedNames;
+    }
+
     /**
      * Returns the display executable for the option and will use the parent
      * service one if the option does not have one defined.
diff --git a/app/Repositories/VariableRepository.php b/app/Repositories/VariableRepository.php
@@ -53,24 +53,25 @@ public function create($option, array $data)
             'env_variable' => 'required|regex:/^[\w]{1,255}$/',
             'default_value' => 'string',
             'options' => 'sometimes|required|array',
-            'rules' => 'bail|required|string|min:1',
+            'rules' => 'bail|required|string',
         ]);
 
         // Ensure the default value is allowed by the rules provided.
-        $rules = (isset($data['rules'])) ? $data['rules'] : $variable->rules;
-        $validator->sometimes('default_value', $rules, function ($input) {
+        $validator->sometimes('default_value', $data['rules'] ?? null, function ($input) {
             return $input->default_value;
         });
 
         if ($validator->fails()) {
             throw new DisplayValidationException(json_encode($validator->errors()));
         }
 
-        if (isset($data['env_variable'])) {
-            $search = ServiceVariable::where('env_variable', $data['env_variable'])->where('option_id', $option->id);
-            if ($search->first()) {
-                throw new DisplayException('The envionment variable name assigned to this variable must be unique for this service option.');
-            }
+        if (in_array($data['env_variable'], ServiceVariable::reservedNames())) {
+            throw new DisplayException('The environment variable name provided is a reserved keyword for the daemon.');
+        }
+
+        $search = ServiceVariable::where('env_variable', $data['env_variable'])->where('option_id', $option->id);
+        if ($search->first()) {
+            throw new DisplayException('The envionment variable name assigned to this variable must be unique for this service option.');
         }
 
         if (! isset($data['options']) || ! is_array($data['options'])) {
@@ -141,6 +142,10 @@ public function update($id, array $data)
         }
 
         if (isset($data['env_variable'])) {
+            if (in_array($data['env_variable'], ServiceVariable::reservedNames())) {
+                throw new DisplayException('The environment variable name provided is a reserved keyword for the daemon.');
+            }
+
             $search = ServiceVariable::where('env_variable', $data['env_variable'])
                 ->where('option_id', $variable->option_id)
                 ->where('id', '!=', $variable->id);
