I am thinking of making a custom component that will generate blueprints with a graphical (Blockly-like) editor. I want to check if there is any reference/guideline on what kind of Python access to the system is allowed. For example, can I add/remove files and folders in the blueprints folder? And can I modify automations.yaml?
My current understanding is modifying HA source code and configuration.yaml would be malicious, but where is the boundary line?
Frigate is not an integration. There is an addon for it, that’s not the same thing as an integration. It’s also entirely separate software.
If you think you found a security vulnerability with it you should go here and follow whatever guidance they provide for responsible disclosure of a security vulnerability. Or if they don’t have a security disclosure policy then create a GitHub issue here. That’s much more likely to get it fixed than mentioning it on an entirely unrelated topic in the forum for an entirely different piece of software.
EDIT: I guess there is a Frigate integration in HACS. If what you’re reporting an issue with is actually that integration and not Frigate the standalone piece of software then go report it on the repo for that integration. Either way it’s not related to the issue in this topic.
EDIT 2: if you are still convinced this is an HA issue (or if you find an HA issue in the future) then you can find HA’s security disclosure policy here:
You’ll notice it does not say “share it on the forum”. Since then everyone can see it, people that want to fix it and people that want to exploit it before it is fixed.
No, HA is supposed to protect its API. And it can provide some universal protections within reason to APIs added by custom integrations. Although ultimately APIs added by custom integrations are the responsibility of the custom integration dev, hence why the note at the top of that post mentions that you install custom integrations and components at your own risk.
HA cannot provide any protections for addons. Addons are simply separate software. They are maintained separately and are deployed in their own docker container. HA has no say in how any API provided by an addon works.
Regardless, if you still believe this is an HA security issue then follow the security disclosure policy I linked above.