Maybe they could integrate an overriding function so the users will be able to decide themselves if they would like to run a custom_component regardless it fails the check?
This confuses me.
Add a arbitrary iâm not a dev clause for myself here but there is not a problem with core and please update the core asap do not seem to align for a user such as me.
Why update asap, you just told me there is no problem with core?
That confusion aside, thanks for quick responses to security issues and i will update regardless.
The security issue wasnât an issue with core, but the update adds some additional safeguards to the core to protect systems with vulnerable custom components
You missed an important word in your quote⊠announce says that certain custom integrations have security issues and could potentially leak sensitive informationâŠ
Malicious embedded code in integrations or in any free code blindly installed is a very well known risk since forever on any system.
That security bulletin with its associated security update looks like more meant to block or dig onto leaks of certain corrupted integrations and non formally identified yetâŠ
Hello all,
I have a question, it may seem stupid but since itâs a security concern Iâll ask you to answer without judging me
What is a custom integration?
Is an add-on downloaded from the âHome Assistant Community Add-onsâ on the supervisor part of it?
Or is it something totally different?
(like ESPHome of Node-RED)
Thanks in advance!
add-ons and integrations are different things. This security bulletin focuses on custom integrations.
For more clarity on terminology, see our Glossary:
What is a custom integration?
Is an add-on downloaded from the âHome Assistant Community Add-onsâ on the supervisor part of it?
Or is it something totally different?
(like ESPHome of Node-RED)
Add-ons are something different from custom components. The examples you gave of ESPHome and Node-RED are examples of Add-ons.
Custom components are pieces of code installed in the /custom_components
directory of your system. There is also a custom component called Home Assistant Community Store (aka HACS) which makes the finding and installing of custom components easier.
Add-ons are seperate docker containers which can interact with HomeAssistant and other parts of your system, while Custom Components are pieces of code loaded into (and executed by) HomeAssistant to provide integrations not included in core.
This would be something installed through hacs, etc
Ok perfect.
I was 99% sure, but now I am
But at least⊠give us what you guys now for now⊠based on what assumption and which custom integration is this security bulletin based?!
The HA team may, in the near future, give answers to why this update was made and if there are any specific custom components that were found to be exploiting this
I totally agree. Custom components are own risk. And nice that the team has added an extra layer scanning for suspicious commands and blocking execution of that.
I assume the team responded to someone alerting about this possible breach. Would like to see what info they got that theyâve acted uppon. I also understand the custom compontents theyâve acted uppon are possibly not the only ones that could possibly leak personal info.
What Iâm saying is that I hope they can share a bit more detailed info on what alert they got and acted uppon.
While adding easy checks like these is definitely a good idea since theyâre basically free, Iâm a bit worried about this type of security bulletin, since it will set expectations which the core team cannot fulfill.
Even with the âitâs not our codeâ disclaimer, this huge reaction will lead to people believing that the Team will and especially has to save them from any possible vulnerabilities.
Even worse:
Said people will harrass the core team if their expectations arenât fulfilled.
No disclaimer in the world can save you from idiots that wonât read it and there are a lot of those in the home automation space.
No. You missed the important word. I even made it bold. Here:
POTENTIAL.
i.e. it could happen.
If there was an actual exploitation you would have heard about it.
Yawâll are running round screaming âthe sky is fallingâ just because the devs are being proactive and mitigating possible exploits now that it has been brought to their attention.
Calm the fork doon.
What should users of custom components be looking for to identify if a custom component is potentially unsafe?
Iâm aware that every component canât be vetted, but some examples of what to look for (or what triggered this specific security bulletin if that can be provided, even at a later date for security reasons) would be helpful.
I whole heartedly agree here! Everybody needs to calm down, the amount of entitlement and blame being put on the core team here is unbelievable. It literally says use custom components at your own risk⊠I think people forget this is free, opensource, try to find a big company like samsung, apple, google, etc. that discloses security issues this quickâŠyou wonât find any.
Thanks to the entire core team for keeping us updated and Iâm eagerly awaiting their next update.
I applaud the development teams efforts to secure the system. Fixing vulnerabilities is the responsible thing to do.
Nevertheless, it doesnât absolve the user from performing their own due diligence. You are ultimately responsible for what you add to your instance of Home Assistant.
You can take some comfort in knowing that the official integrations are vetted by the development team and unlikely to do something nefarious. However, a custom_component (custom integration) is not subjected to any inspection process.
While we are on the subject of what is checked and what isnât, blueprints arenât. Unless you inspect a blueprintâs code, you are assuming it does only what it purports to do and nothing else ⊠which is the same assumption you make when using a custom_component.
To be fair, a blueprint is far more limited in its ability to do anything undesirable. However, at the very least, it wouldnât hurt to glance at its code to ensure it doesnât do something dumb. If you donât even have time to do that then at least make sure you have a recent snapshot handy in case you have to recover from a mess.
tl;dr
Youâre responsible for whatever unofficial code you add to your system.
So am I reading correctly that this was an integration-based directory traversal vulnerability being corrected, or is there something more to it?
Thanks for the heads up guys!
Updated without a hitch from 2021.1.1
Great, thanks. Looking forward to a more in depth explanation in the following weeks so we can figure out witch components are safe., and how it relates to nabu casa. A lot of people are using HACS for example. Would be great to know what to look for, in a week or two. Have a nice weekend.
Another point of unclarity - it would be great to have something on the community home page or something that clearly shows the latest versions of stuff. Iâm relatively new to this, but it seems like I have to be checking the version of Home Assistant Core (now 2021.1.3), Home Assistant OS (now 5.10), and Supervisor (now 2020.12.7)? And itâs difficult to see the current numbered version available anywhere, even trying to dig through the git repos itâs hard to see what is considered the latest live version.