Despite for not seeing anything except “Filter” in PR - maybe it’s time to stop and think about getting HA a little bit of pentest?
Some opensource projects do such thing, this could also be crowdfounded if costs are too high.
I’m sure there would be plenty of us to have more comfort about having whole house and credentials in one place - properly tested by proffesionals? (I’m not one).
2 Likes
This post is not about an issue with Home Assistant. This is about an issue with custom components that users choose to add to their own installation. Code which is not reviewed by the Home Assistant Core team.
12 Likes
Yeah, but anyway it has made me stop and think - I think it’s worth considering by HA Core team too (or just have it through broader discussion?)
Just an idea. There are some OS projects that have security in mind and got tested for it too (like Signal). I’d love to put some euros on it too.
4 Likes
I’ve tar archived my custom_components folder and upgraded. Standing by for more information…
Is this update going to inhibit any custom_components from working at all? I don’t want to cook my system as I rely on my custom_components working…
1 Like
Looking at the commit, I would say that all (ok, most) legit custom components will be fine. It seems to be protecting against a custom component do a few select (suspicious) things. This is the tests for the new security logic, anything matching would be flagged:
("/", {"test": "/test/../../api"}),
("/", {"test": "test/../../api"}),
("/", {"sql": ";UNION SELECT (a, b"}),
("/", {"sql": "concat(..."}),
("/", {"xss": "<script >"}),
And even then, it throws a warning, and kills only the bad request it seems:
if FILTERS.search(request.raw_path):
_LOGGER.warning(
"Filtered a potential harmful request to: %s", request.raw_path
)
raise HTTPBadRequest
2 Likes
No, it’s just an advice.
Anything making a request with that (basic) security vuln tests.
Custom components already have a lot more permissions and don’t need to attack HA via http requests…
I’m not a developer, just a spectating user, but here’s the relevant part of the .2 commit: https://github.com/home-assistant/core/compare/2021.1.1...2021.1.2#diff-fcd766ca652cf2b9cb54a1c6edf81083c1a3857870a87d33d84f37e2aa2f616e
There’s some new logic to log (and prevent?) “request[s] and block commonly known exploit attempts”
I imagine someone found a custom_component out there acting in bad faith. We should wait for their official update; so far the HA team has handled these well imo and I appreciate this warning going up while they investigate further.
5 Likes
Make a snapshot. Update. If it does, you can simply revert. This should be standard update procedure anyways.
1 Like
It may not be deliberate by the custom component. Just that input isn’t being sanitised and therefore exploitable.
Good point, thanks. Due to my line of work I typically jump to malicious actors, because I’ve seen it all!
That is my standard procedure but I’m currently away from home so reluctant to risk the update. On top of everything else HA waters my garden and it’s hot in Perth this week!
4 Likes
i get that it’s not about HA. but you didn’t say how/what about 2021.1.2 addresses the issue.
3 Likes
To update Home Assistant, click on the Supervisor menu item
Do you mean Hass.io? I’m so confused. There’s a big issue with the naming of different parts of this project that needs to be resolved. The name “Home Assistant” is ambiguous. It can refer to the core project or to the entire distribution. The main web site is not perfectly clear about that too. A first-time visitor may think that they need a Raspberry Pi to use Home Assistant. In reality there are many different distributions that include different components and operate slightly differently. For example, I use a Home Assistant docker container on my NAS that doesn’t have a supervisor.
3 Likes
“Hass.io” is not a term we use anymore. It was ambiguous by itself as well.
This is a new release of the Home Assistant Core application, which runs on all, no matter which installation method you use.
3 Likes
My Supervisor menu isn’t showing any available updates. Is there a way to force the check? I already followed directions to click the Reload on the System tab to no avail.
can use ssh addon.
ha core update --version 2021.1.2
It should be available though… I got a notification a few hours ago
1 Like
I don’t know what it is about my setup, but at times I don’t get notifications for a week or two. The only way I can reliably force the notification to appear is to reboot the host, which is a rather heavy-handed for my liking.