From 43df6533b085acbc8849c2b65c9bb821fa8a19c1 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Mon, 1 May 2017 17:01:46 -0400
Subject: [PATCH] Ensure reserved environment names aren't changed, fix undefined variable, ref #412

---
 app/Models/ServiceVariable.php | 24 ++++++++++++++++++++++++
 app/Repositories/VariableRepository.php | 21 +++++++++++++--------
 2 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/app/Models/ServiceVariable.php b/app/Models/ServiceVariable.php
index ac3d47c69..93e93e7e9 100644
--- a/app/Models/ServiceVariable.php
+++ b/app/Models/ServiceVariable.php
@@ -53,6 +53,30 @@ class ServiceVariable extends Model
 'user_editable' => 'integer',
 ];

+ /**
+ * Reserved environment variable names.
+ *
+ * @var array
+ */
+ protected static $reservedNames = [
+ 'SERVER_MEMORY',
+ 'SERVER_IP',
+ 'SERVER_PORT',
+ 'ENV',
+ 'HOME',
+ 'USER',
+ ];
+
+ /**
+ * Returns an array of environment variable names that cannot be used.
+ *
+ * @return array
+ */
+ public static function reservedNames()
+ {
+ return self::$reservedNames;
+ }
+
 /**
 * Returns the display executable for the option and will use the parent
 * service one if the option does not have one defined.
diff --git a/app/Repositories/VariableRepository.php b/app/Repositories/VariableRepository.php
index 4584d2bba..576494617 100644
--- a/app/Repositories/VariableRepository.php
+++ b/app/Repositories/VariableRepository.php
@@ -53,12 +53,11 @@ class VariableRepository
 'env_variable' => 'required|regex:/^[\w]{1,255}$/',
 'default_value' => 'string',
 'options' => 'sometimes|required|array',
- 'rules' => 'bail|required|string|min:1',
+ 'rules' => 'bail|required|string',
 ]);

 // Ensure the default value is allowed by the rules provided.
- $rules = (isset($data['rules'])) ? $data['rules'] : $variable->rules;
- $validator->sometimes('default_value', $rules, function ($input) {
+ $validator->sometimes('default_value', $data['rules'] ?? null, function ($input) {
 return $input->default_value;
 });

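Review bot: `$reservedNames` is an exact-match denylist of six names, and its docblock (`Reserved environment variable names.`) does not say who owns these names or that the list has to follow the daemon. Judging by the error text used in VariableRepository these look like names the daemon sets itself, so I would say that in the comment, e.g. `Names reserved for the daemon; keep in sync with the daemon. Compared case-sensitively.`, and tighten `@var array` to `@var string[]`. Nothing in this commit reassigns the property, so a class constant would also prevent the list from being changed at runtime. Other names the process environment treats specially (for example `PATH`) are not covered; whether that matters depends on who is allowed to define variables, which is not visible here.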
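Review bot: The `sometimes()` callback still returns `$input->default_value` itself, so a default of `'0'` is falsy and is never checked against the submitted rules. Returning `! is_null($input->default_value)` would apply the rules to every supplied default. Separately, `$data['rules'] ?? null` is handed to the validator before `fails()` has confirmed that `rules` is a present string, and the string is used as a rule set with no check that its rule names are known; how the validator reacts to a null or unrecognised rule is not visible here and is worth a test. The enclosing method starts and ends outside the hunk.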
@@ -66,11 +65,13 @@ class VariableRepository
 throw new DisplayValidationException(json_encode($validator->errors()));
 }

- if (isset($data['env_variable'])) {
- $search = ServiceVariable::where('env_variable', $data['env_variable'])->where('option_id', $option->id);
- if ($search->first()) {
- throw new DisplayException('The envionment variable name assigned to this variable must be unique for this service option.');
- }
+ if (in_array($data['env_variable'], ServiceVariable::reservedNames())) {
+ throw new DisplayException('The environment variable name provided is a reserved keyword for the daemon.');
+ }
+
+ $search = ServiceVariable::where('env_variable', $data['env_variable'])->where('option_id', $option->id);
+ if ($search->first()) {
+ throw new DisplayException('The envionment variable name assigned to this variable must be unique for this service option.');
 }

 if (! isset($data['options']) || ! is_array($data['options'])) {
@@ -141,6 +142,10 @@ class VariableRepository
 }

 if (isset($data['env_variable'])) {
+ if (in_array($data['env_variable'], ServiceVariable::reservedNames())) {
+ throw new DisplayException('The environment variable name provided is a reserved keyword for the daemon.');
+ }
+
 $search = ServiceVariable::where('env_variable', $data['env_variable'])
 ->where('option_id', $variable->option_id)
 ->where('id', '!=', $variable->id);
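Review bot: The new `in_array()` guard compares loosely and case-sensitively, while the `env_variable` rule (`regex:/^[\w]{1,255}$/`) also accepts lower-case and numeric values. Passing the strict flag, `in_array($data['env_variable'], ServiceVariable::reservedNames(), true)`, takes PHP's type juggling out of the check; whether a name such as `server_ip` should be refused as well depends on how the daemon treats case, which is not visible here. The same call and message are repeated in the update path (the `-141,6` hunk), so a small private helper would keep the two in step. The re-added uniqueness message still reads `envionment`. The enclosing method continues outside the hunk.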
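Review bot: On the update path the reserved-name guard sits inside `if (isset($data['env_variable']))`, so it only runs when the request carries a name. A variable that was stored under a reserved name before this change would therefore remain, and its other fields could still be edited without hitting the check. If such rows can exist, either a one-off migration or an extra test of `$variable->env_variable` would close that gap; a comment such as `// Only validated when the name is being changed; existing rows are not re-checked.` would at least record the behaviour. The enclosing method starts and ends outside the hunk.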