bug fixes

Author: orangecoding

.prettierignore

@@ -0,0 +1,12 @@
+# Generated frontend bundles (built by esbuild) - reformatting these would
+# corrupt the minified output that `npm run build` produces.
+public/app.js
+public/login.js
+
+# Generated CSS (compiled from LESS).
+public/styles.css
+
+# Dependencies and build output.
+node_modules
+dist
+build

lib/config.js

@@ -27,7 +27,10 @@ function envInt(name, fallback) {
   if (raw === undefined || raw === '') {
     return fallback;
   }
-  return Number.parseInt(raw, 10);
+  const parsed = Number.parseInt(raw, 10);
+  // A non-numeric value (e.g. PORT=abc) would otherwise yield NaN and silently
+  // misconfigure the app; fall back to the documented default instead.
+  return Number.isNaN(parsed) ? fallback : parsed;
 }
 
 /** Read an env var as a string with a fallback default. */

lib/service/logBus.js

@@ -90,8 +90,8 @@ export async function startLogBus() {
       }
     }
 
-    bus.on('log:out', (packet) => handlePacket(packet, false));
-    bus.on('log:err', (packet) => handlePacket(packet, true));
+    bus.on('log:out', handlePacket);
+    bus.on('log:err', handlePacket);
 
     bus.on('error', (err) => {
       logger.warn(`[LOG_BUS] Bus error: ${err?.message ?? err}`);

lib/transport/router.js

@@ -347,21 +347,27 @@ router.delete('/api/processes/:id', requireAuth, validateProcessId, async (req,
       );
       return res.status(403).json({ error: 'CSRF token mismatch' });
     }
+    // Resolve the PM2 name *before* deleting: req.params.id may be a numeric
+    // pm_id, but the monitoring and deployment records are keyed by name. Once
+    // the process is gone from PM2 it can no longer be resolved, so cleanup keyed
+    // off the numeric id would silently miss (the process would reappear as an
+    // orphan and the deploy directory would never be removed).
+    const pm2Name = (await resolvePm2Name(req.params.id).catch(() => null)) ?? req.params.id;
+
     logger.info(
       `[ACTION] User: ${req.session.username} is deleting process: ${req.params.id} from identity: ${getClientIdentity(req)}`,
     );
     await pm2.deleteProcess(req.params.id);
     // Remove the monitoring record if one exists so the process no longer
     // appears as an orphan after deletion.
     try {
-      removeMonitored(req.params.id);
+      removeMonitored(pm2Name);
     } catch {
       // No monitoring record - nothing to clean up.
     }
 
     // Optionally purge the deployment record and its directory on disk.
     if (req.query.deleteDeploy === 'true') {
-      const pm2Name = req.params.id;
       const deployment = getDeploymentByName(pm2Name);
       if (deployment) {
         if (deployment.deploy_path) {
@@ -703,6 +709,17 @@ router.post('/api/settings/general', requireAuth, (req, res) => {
     return res.status(400).json({ error: '"settings" must be a plain object.' });
   }
 
+  // Values are written verbatim as KEY=VALUE lines. A line break in a value
+  // would inject arbitrary additional env entries (e.g. overwriting
+  // AUTH_PASSWORD_HASH), so reject any value containing CR or LF.
+  const lineBreakKeys = Object.entries(settings)
+    .filter(([key]) => key !== 'authPassword')
+    .filter(([, value]) => value != null && /[\r\n]/.test(String(value)))
+    .map(([key]) => key);
+  if (lineBreakKeys.length > 0) {
+    return res.status(400).json({ error: `Values must not contain line breaks: ${lineBreakKeys.join(', ')}` });
+  }
+
   try {
     const envPath = path.resolve(__dirname, '..', '..', '.env');
 

lib/transport/ws.js

@@ -135,6 +135,14 @@ function handleUnifiedStream(ws) {
   let detailInterval = null;
   let logUnsubscribe = null;
 
+  // Liveness flag for the server-level ping/pong loop (see attachWebSocketServer).
+  // A half-open connection that vanished without a close frame never resets this,
+  // so the loop can terminate it and free its intervals and log subscription.
+  ws.isAlive = true;
+  ws.on('pong', () => {
+    ws.isAlive = true;
+  });
+
   send(ws, 'connected', {});
 
   // Process list — always running.
@@ -282,6 +290,9 @@ export function broadcastDeployProgress(deploymentId, stage, line, status) {
 
 const STREAM_PATH = '/ws/stream';
 
+/** Interval between protocol-level ping frames used for dead-connection detection. */
+const HEARTBEAT_INTERVAL_MS = 30000;
+
 /**
  * Attach the unified WebSocket server to an existing HTTP server.
  *
@@ -290,6 +301,25 @@ const STREAM_PATH = '/ws/stream';
 export function attachWebSocketServer(server) {
   _wss = new WebSocketServer({ noServer: true });
 
+  // Protocol-level ping/pong sweep: terminate connections that did not answer
+  // the previous ping (half-open sockets from laptop sleep, NAT timeouts, or
+  // dropped networks never fire 'close' on their own), then ping the rest.
+  // Terminating fires 'close', which tears down the per-connection intervals
+  // and log subscription in handleUnifiedStream.
+  const heartbeat = setInterval(() => {
+    for (const ws of _wss.clients) {
+      if (ws.isAlive === false) {
+        ws.terminate();
+        continue;
+      }
+      ws.isAlive = false;
+      ws.ping();
+    }
+  }, HEARTBEAT_INTERVAL_MS);
+  heartbeat.unref?.();
+
+  _wss.on('close', () => clearInterval(heartbeat));
+
   server.on('upgrade', (req, socket, head) => {
     const session = authenticate(req);
     if (!session) {

test/api.settings.test.js

@@ -234,6 +234,44 @@ describe('POST /api/settings/general', () => {
       }
     }
   });
+
+  it('rejects values containing line breaks to prevent .env injection', async () => {
+    const { cookie, csrfToken } = await getAuthSession();
+
+    const realEnvPath = path.resolve(__dirname, '..', '.env');
+    let originalEnv = null;
+    try {
+      originalEnv = fs.readFileSync(realEnvPath, 'utf8');
+    } catch {
+      // .env may not exist in CI.
+    }
+    fs.writeFileSync(realEnvPath, 'HOST=0.0.0.0\nPORT=3030\n', 'utf8');
+
+    try {
+      const res = await request(app)
+        .post('/api/settings/general')
+        .set('Cookie', cookie)
+        .set('X-CSRF-Token', csrfToken)
+        .send({ settings: { HOST: '0.0.0.0\nAUTH_PASSWORD_HASH=deadbeef' } });
+
+      expect(res.status).to.equal(400);
+      expect(res.body.error).to.include('line breaks');
+
+      // The injected line must not have been written to disk.
+      const written = fs.readFileSync(realEnvPath, 'utf8');
+      expect(written).to.not.include('AUTH_PASSWORD_HASH=deadbeef');
+    } finally {
+      if (originalEnv !== null) {
+        fs.writeFileSync(realEnvPath, originalEnv, 'utf8');
+      } else {
+        try {
+          fs.unlinkSync(realEnvPath);
+        } catch {
+          /* ignore */
+        }
+      }
+    }
+  });
 });
 
 // ── Notification prefs ────────────────────────────────────────────────────────