From 147dcfe7013c244961cd41bde2563c65e7f570d8 Mon Sep 17 00:00:00 2001
From: Steven Briscoe <me@stevenbriscoe.com>
Date: Thu, 20 Jan 2022 00:15:09 +0000
Subject: [PATCH 1/3] Fix env pollution with .exec. Don't reveal version number
 in /ping endpoint

---
 package.json          |  4 ++--
 routes/ping.js        |  2 +-
 services/bash.js      | 18 +++++++----------
 test/services/bash.js | 47 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100644 test/services/bash.js

diff --git a/package.json b/package.json
index 53397d8..9e4fc4e 100644
--- a/package.json
+++ b/package.json
@@ -6,8 +6,8 @@
   "scripts": {
     "lint": "eslint",
     "start": "node ./bin/www",
-    "test": "mocha --file test.setup 'test/**/*.js'",
-    "coverage": "nyc --all mocha --file test.setup 'test/**/*.js'",
+    "test": "mocha 'test/**/*.js'",
+    "coverage": "nyc --all mocha 'test/**/*.js'",
     "postcoverage": "codecov"
   },
   "dependencies": {
diff --git a/routes/ping.js b/routes/ping.js
index 1544707..da822aa 100644
--- a/routes/ping.js
+++ b/routes/ping.js
@@ -3,7 +3,7 @@ const pjson = require('../package.json');
 const router = express.Router();
 
 router.get('/', function (req, res) {
-  res.json({ version: 'umbrel-manager-' + pjson.version });
+  res.json({ version: pjson.name });
 });
 
 module.exports = router;
diff --git a/services/bash.js b/services/bash.js
index 5ee40d9..0e672ba 100644
--- a/services/bash.js
+++ b/services/bash.js
@@ -1,24 +1,20 @@
 const childProcess = require('child_process');
 
-// Sets environment variables on container.
-// Env should not contain sensitive data, because environment variables are not secure.
-function extendProcessEnv(env) {
-  Object.keys(env).map(function (objectKey) { // eslint-disable-line array-callback-return
-    process.env[objectKey] = env[objectKey];
-  });
-}
-
-// Executes docker-compose command with common options
 const exec = (command, args, opts) => new Promise((resolve, reject) => {
   const options = opts || {};
 
   const cwd = options.cwd || null;
 
+  let spawnOptions = {
+    cwd
+  }
+
+  // Env should not contain sensitive data, because environment variables are not secure.
   if (options.env) {
-    extendProcessEnv(options.env);
+    spawnOptions.env = options.env;
   }
 
-  const childProc = childProcess.spawn(command, args, { cwd });
+  const childProc = childProcess.spawn(command, args, spawnOptions);
 
   childProc.on('error', err => {
     reject(err);
diff --git a/test/services/bash.js b/test/services/bash.js
new file mode 100644
index 0000000..386220c
--- /dev/null
+++ b/test/services/bash.js
@@ -0,0 +1,47 @@
+/* globals requester */
+
+const assert = require('assert');
+const bash = require("../../services/bash");
+
+describe('bash', () => {
+  it('should execute a command', done => {
+    const echoString = "Umbrel";
+
+    bash.exec('echo', [echoString])
+    .then(response => {
+      assert.equal(response.err, "");
+      assert.equal(response.out, echoString + "\n")
+
+      done();
+    });    
+  });
+
+  it('should execute a command with ENV set', done => {
+    bash.exec('env', [], {
+      env: {
+        UMBREL_TEST_KEY: "UMBREL_TEST_VALUE"
+      }
+    })
+    .then(response => {
+      assert.equal(response.err, "");
+      expect(response.out).to.match(/(UMBREL_TEST_KEY=UMBREL_TEST_VALUE)/)
+
+      done();
+    });    
+  });
+
+  it('should execute a command with ENV and make sure it is not previously polluted', done => {
+    bash.exec('env', [], {
+      env: {
+        UMBREL_TEST_KEY_2: "UMBREL_TEST_VALUE_2"
+      }
+    })
+    .then(response => {
+      assert.equal(response.err, "");
+      expect(response.out).to.not.match(/(UMBREL_TEST_KEY=UMBREL_TEST_VALUE)/)
+      expect(response.out).to.match(/(UMBREL_TEST_KEY_2=UMBREL_TEST_VALUE_2)/)
+
+      done();
+    });    
+  });
+});

From 4f2a8e7d001592273c35504bdb011cecb2849f47 Mon Sep 17 00:00:00 2001
From: Steven Briscoe <me@stevenbriscoe.com>
Date: Thu, 20 Jan 2022 00:21:01 +0000
Subject: [PATCH 2/3] Change default port to 3006 (3005 is used by
 middleware...)

---
 bin/www | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/www b/bin/www
index d115ab4..9f39b9e 100644
--- a/bin/www
+++ b/bin/www
@@ -12,7 +12,7 @@ var http = require('http');
  * Get port from environment and store in Express.
  */
 
-var port = normalizePort(process.env.PORT || '3005');
+var port = normalizePort(process.env.PORT || '3006');
 app.set('port', port);
 
 /**

From 6a8c6442d5e9794e08ed169e9a513f0389c66290 Mon Sep 17 00:00:00 2001
From: Steven Briscoe <me@stevenbriscoe.com>
Date: Thu, 20 Jan 2022 00:29:35 +0000
Subject: [PATCH 3/3] Fix JWT paths to match docker-compose within umbrel repo

---
 README.md      | 4 ++--
 utils/const.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index ed389d9..6806dec 100644
--- a/README.md
+++ b/README.md
@@ -41,8 +41,8 @@ Set the following environment variables directly or by placing them in `.env` fi
 | `REBOOT_SIGNAL_FILE` | Path to write a file to signal a system reboot | `/signals/reboot` |
 | `MIDDLEWARE_API_URL` | IP or domain where [`umbrel-middleware`](https://github.com/getumbrel/umbrel-middleware) is listening | `http://localhost` |
 | `MIDDLEWARE_API_PORT` | Port where [`umbrel-middleware`](https://github.com/getumbrel/umbrel-middleware) is listening | `3005` |
-| `JWT_PUBLIC_KEY_FILE` | Path to the JWT public key (automatically created) | `/db/jwt-public-key/jwt.pem` |
-| `JWT_PRIVATE_KEY_FILE` | Path to the JWT private key (automatically created) | `/db/jwt-public-key/jwt.key` |
+| `JWT_PUBLIC_KEY_FILE` | Path to the JWT public key (automatically created) | `/jwt-public-key/jwt.pem` |
+| `JWT_PRIVATE_KEY_FILE` | Path to the JWT private key (automatically created) | `/jwt-private-key/jwt.key` |
 | `JWT_EXPIRATION` | JWT expiration in miliseconds | `3600` |
 | `UMBREL_SEED_FILE` | Path to the seed used to deterministically generate entropy | `'/db/umbrel-seed/seed'` |
 | `UMBREL_DASHBOARD_HIDDEN_SERVICE_FILE` | Path to Tor hostname of [`umbrel-dashboard`](https://github.com/getumbrel/umbrel-dashboard) | `/var/lib/tor/dashboard/hostname` |
diff --git a/utils/const.js b/utils/const.js
index d3f2e06..011b678 100644
--- a/utils/const.js
+++ b/utils/const.js
@@ -10,8 +10,8 @@ module.exports = {
   TOR_HIDDEN_SERVICE_DIR: process.env.TOR_HIDDEN_SERVICE_DIR || '/var/lib/tor',
   SHUTDOWN_SIGNAL_FILE: process.env.SHUTDOWN_SIGNAL_FILE || '/signals/shutdown',
   REBOOT_SIGNAL_FILE: process.env.REBOOT_SIGNAL_FILE || '/signals/reboot',
-  JWT_PUBLIC_KEY_FILE: process.env.JWT_PUBLIC_KEY_FILE || '/db/jwt-public-key/jwt.pem',
-  JWT_PRIVATE_KEY_FILE: process.env.JWT_PRIVATE_KEY_FILE || '/db/jwt-private-key/jwt.key',
+  JWT_PUBLIC_KEY_FILE: process.env.JWT_PUBLIC_KEY_FILE || '/jwt-public-key/jwt.pem',
+  JWT_PRIVATE_KEY_FILE: process.env.JWT_PRIVATE_KEY_FILE || '/jwt-private-key/jwt.key',
   UMBREL_SEED_FILE: process.env.UMBREL_SEED_FILE || '/db/umbrel-seed/seed',
   UMBREL_DASHBOARD_HIDDEN_SERVICE_FILE: process.env.UMBREL_DASHBOARD_HIDDEN_SERVICE_FILE || '/var/lib/tor/web/hostname',
   ELECTRUM_HIDDEN_SERVICE_FILE: process.env.ELECTRUM_HIDDEN_SERVICE_FILE || '/var/lib/tor/electrum/hostname',