Bug Report: Multiple Issues in host.sh #19

@10xrashed

Overview

After reading through host.sh carefully, I found four bugs ranging from a
broken URL extraction that affects every ngrok user, to silent failure modes
that leave users with no feedback. Documenting them all here so they can be
tracked and fixed.


Bug 1 — ngrok URL extraction is broken (line ~310)

The code:

ngrk=$(curl -s -N http://127.0.0.1:4040/api/tunnels | grep -Eo '(https)://[^/"]+(.ngrok.io)')

The problem:
ngrok changed their free-tier domain format. Tunnels no longer use .ngrok.io
— they now use .ngrok-free.app. The grep pattern matches nothing, so ngrk
is always empty and the user sees a blank URL with no indication of what went
wrong.

Suggested fix:

ngrk=$(curl -s http://127.0.0.1:4040/api/tunnels | grep -Eo 'https://[^"]+')

This matches any HTTPS tunnel URL regardless of domain, making it
future-proof against ngrok domain changes.


Bug 2 — No post-install validation for php before starting the server

The code (package() function):
The script installs php if missing, but never verifies the installation
succeeded. If apt / pkg fails silently (e.g. no internet, repo error),
the script continues and calls php -S which exits immediately with no
user-facing error message.

Suggested fix:
Add a check after the install loop:

if ! command -v php &>/dev/null; then
    printf "\n${CR}[!]${CY} PHP installation failed. Cannot start server.${RS}\n"
    exit 1
fi

Bug 3 — Hard-coded port 8080 with no conflict detection

The code:
def_port='8080' is used across all tunnel functions with no check whether
the port is already occupied. If something else is already listening on 8080,
php -S silently exits and the tunnel connects to nothing — the user gets a
public URL that returns errors.

Suggested fix:
Check before binding:

if lsof -i :"$def_port" &>/dev/null; then
    printf "\n${CR}[!]${CY} Port ${def_port} is already in use. Please free it and retry.${RS}\n"
    exit 1
fi

Bug 4 — Fragile file extension detection in download() (line ~160)

The code:

if [[ ${file#*.} == "zip" ]]; then

The problem:
${file#*.} strips only up to the first dot, not the last. For a
filename like loclx-linux-amd64.zip, this evaluates to
linux-amd64.zip — not zip — so the condition fails and the zip is
never extracted. It happens to work today because of how the URLs are
structured, but it is fragile and will silently break if any download URL
changes.

Suggested fix:
Use ##*. to strip up to the last dot:

if [[ ${file##*.} == "zip" ]]; then

Same fix applies to the .tgz check on the next line.


Summary

| # | Location | Severity | Impact |
|---|----------|----------|--------|
| 1 | ngrok() ~line 310 | High | Blank URL for all ngrok users |
| 2 | package() | Medium | Silent server failure on bad install |
| 3 | def_port / all tunnel functions | Medium | Silent failure if port in use |
| 4 | download() ~line 160 | Low | Fragile, breaks on URL changes |

I am happy to open a PR with fixes for any or all of these if the maintainer
is interested.
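
An added example, not part of the original issue or of host.sh: one way to harden the Bug 1 extraction is to key on the "public_url" field of the ngrok agent API response and return non-zero when nothing matches, so an empty URL is never shown silently. The JSON samples are constructed, and the helper names extract_old, extract_public_url and get_tunnel_url are hypothetical.

```shell
#!/bin/sh
# Constructed samples shaped like the response from http://127.0.0.1:4040/api/tunnels
# (not captured from a real tunnel).
sample_json='{"tunnels":[{"name":"command_line","uri":"/api/tunnels/command_line","public_url":"https://a1b2c3d4.ngrok-free.app","proto":"https","config":{"addr":"http://localhost:8080","inspect":true}}],"uri":"/api/tunnels"}'
legacy_json='{"tunnels":[{"name":"command_line","public_url":"https://a1b2c3d4.ngrok.io","proto":"https"}],"uri":"/api/tunnels"}'
empty_json='{"tunnels":[],"uri":"/api/tunnels"}'

# The pattern quoted in the issue from host.sh: tied to the .ngrok.io domain.
extract_old() {
    grep -Eo '(https)://[^/"]+(.ngrok.io)' || true
}

# Hypothetical helper: match only the value of "public_url", whatever the
# domain, so other URLs in the JSON are ignored; keep the first tunnel.
extract_public_url() {
    grep -Eo '"public_url"[[:space:]]*:[[:space:]]*"https://[^"]+"' \
        | head -n 1 | cut -d'"' -f4
}

# Hypothetical wrapper: print the URL, or report the failure and return 1
# instead of handing the caller an empty string.
get_tunnel_url() {
    url=$(printf '%s' "$1" | extract_public_url)
    if [ -z "$url" ]; then
        printf '[!] No HTTPS tunnel URL found in the ngrok API response.\n' >&2
        return 1
    fi
    printf '%s\n' "$url"
}

# Demo on the constructed sample: the old pattern yields nothing, the new one a URL.
printf 'old pattern: "%s"\n' "$(printf '%s' "$sample_json" | extract_old)"
printf 'new helper:  "%s"\n' "$(get_tunnel_url "$sample_json")"
```

In host.sh the argument would be the output of the curl call shown in Bug 1 rather than a sample variable.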
