Show Passwords in diagnostics

tuxflo · September 17, 2024, 6:37pm

Hi HA community.
I somehow forgot my password of my local router (Fritzbox) and I want to avoid factory reset it to keep my current configuration.
Since I have the “AVM Tools” integration configured in Home assistant I was wondering if there is a way to get the password from HA.
When I hit the “download diagnostics” button of the integration I can see that a JSON file is created which contains:

      "data": {
        "host": "my-fritzbox-ip",
        "password": "**REDACTED**",
        "port": 49000,
        "username": "**REDACTED**",
        "ssl": false

Now I wonder: is there a way to get the REDACTED values?
Maybe by setting a debug flag or something like that?
Or is there a way to look up the credentials in a HA specific database?
Or by accessing the keyring from the terminal addon?

Thanks for helping,
Flo

fleskefjes · September 17, 2024, 6:43pm

Hopefully not, that would mean that someone with access to your HA could look up all the passwords for all your integrations in plain text. Assuming it’s not defined in a secret.yaml file.

tuxflo · September 17, 2024, 6:56pm

The password is asked in the configuration wizzard of the AVM Tools integration, I don´t know how it’s stored.
If this is the source code that is responsible for creating the diagnostics, than maybe it could be done by just commenting out that line:

github.com

home-assistant/core/blob/adcb541b4b14d64596c57865660034a953a25b2a/homeassistant/components/diagnostics/util.py#L37


      
          if isinstance(data, list):
              return cast(_T, [async_redact_data(val, to_redact) for val in data])
          
          redacted = {**data}
          
          for key, value in redacted.items():
              if value is None:
                  continue
              if isinstance(value, str) and not value:
                  continue
              if key in to_redact:
                  redacted[key] = REDACTED
              elif isinstance(value, Mapping):
                  redacted[key] = async_redact_data(value, to_redact)
              elif isinstance(value, list):
                  redacted[key] = [async_redact_data(item, to_redact) for item in value]
          
          return cast(_T, redacted)

but I’m not sure if this is the right code location or if it would be enough to edit the file “on the fly” in a running installation.

tuxflo · September 17, 2024, 8:12pm

To answer my own question here, in case someone else wants to deal with the same issue.
Modifying the python code works. However, it is not the main diagnostics.py that I linked above, but the special diagnostics.py for the component. Since I was looking for the AVM Integration the component is just called “fritz”. The file is this one:

github.com

home-assistant/core/blob/adcb541b4b14d64596c57865660034a953a25b2a/homeassistant/components/fritz/diagnostics.py

"""Diagnostics support for AVM FRITZ!Box."""

from __future__ import annotations

from typing import Any

from homeassistant.components.diagnostics import async_redact_data
from homeassistant.config_entries import ConfigEntry
from homeassistant.const import CONF_PASSWORD, CONF_USERNAME
from homeassistant.core import HomeAssistant

from .const import DOMAIN
from .coordinator import AvmWrapper

TO_REDACT = {CONF_USERNAME, CONF_PASSWORD}


async def async_get_config_entry_diagnostics(
    hass: HomeAssistant, entry: ConfigEntry
) -> dict[str, Any]:

This file has been truncated. show original

Note that the file is located in the homeassistant docker container. So you need to exec into the running container by using docker exec CONTAINER_ID bash.

Inside the container, our file is located at /usr/src/homeassistant/homeassistant/components/fritz/diagnostics.py. Fields that should be redacted are stored in the TO_REDACT dict. I just cleared it by setting it to TO_REDACT = {}.
After changing the file, a HA restart was necessary to apply the changes. Then I could just download the diagnostics file with the clear text password (as expected).

@fleskefjes so yes. If someone has access to your HA instance and the skills to do the steps mentioned above they are able to look up all the integration credentials in plain text.