Fix potential security issue with scrape_supported_devices.py
#1619
Merged
Conversation
Note: Tool is used internally by library developers to automatically generate documentation prior to a release and to warn when files are missing the required documentation.

* Update Regex used to eliminate potential denial of service.
  - Deemed a Low severity & impact threat.
  - Does NOT require or necessitate a new version/release of the library.
  - The tool is only used after review of code/PR etc., which would already be very suspicious.
  - The tool is not something a user would typically use or run. (i.e. Internal use only)
  - Very unlikely to be exploited as the tool is not typically automatically run.
  - Expected worst case scenario would be the Continuous Integration tests failing due to a timeout, or a Developer losing some CPU time if they didn't notice a malicious PR/commit. (It would be very, very obvious)
  - Remediation tested using supplied Proof of Concept code. i.e. Guaranteed sub-millisecond CPU use instead of exponential CPU use.
  - Addressed all other regex as a precaution as well via sensible range limitations.
* Documented the Regex used via `re.VERBOSE` and made easier to read/follow.
* Simplified some of the Regex.

Fixes #1616

Thanks to @srikanthprathi for reporting the issue & providing POC via the Huntr.Dev team.
Thanks to Huntr.Dev team for bringing the issue to our attention. (Kudos to @zidingz, @JamieSlome)
Ref: https://huntr.dev/bounties/4da00a75-50dc-458b-acc6-cc216e1c854a/
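An added example, not code from the project or from this PR: it shows the two remediations the description names, an explicit upper bound on every quantifier and a regex documented with `re.VERBOSE`, applied to a parser for `Brand: X, Model: Y` comment lines of the kind a supported-devices scraper reads. The line format, the sample source text, the field-length limits and the deliberately backtracking-prone `AMBIGUOUS_MODEL` pattern are all constructed for this illustration; they are not the project's real patterns or the reported proof of concept.

```python
import re
import time

# Constructed sample of the kind of source comment a supported-devices
# scraper might read. The format is an assumption for this example, not
# the project's real convention.
SAMPLE_SOURCE = """\
// Copyright 2021 Example Contributor
// Supports:
//   Brand: Samsung,  Model: UA55H6300 TV
//   Brand: LG,  Model: 6711A20015N remote
//   Brand: Foo, Model: stray, comma   (rejected: comma inside the model)
int ir_pin = 4;
"""

# Every quantifier carries an explicit upper bound, and re.VERBOSE lets each
# piece be commented in place. The bounds are example values, not the
# project's. Note that whitespace inside [ \t] is kept even under VERBOSE.
SUPPORTS_LINE = re.compile(
    r"""
    ^ [ \t]{0,8} // [ \t]{0,4}                       # lightly indented C++ comment
    Brand: [ \t]{0,4}
    (?P<brand> [A-Za-z0-9] [A-Za-z0-9_\-]{0,63} )    # brand: 1-64 safe chars
    , [ \t]{0,4}
    Model: [ \t]{0,4}
    (?P<model> [^\n,]{1,128}? )                      # model: 1-128 chars, no comma
    [ \t]{0,4} $
    """,
    re.VERBOSE,
)


def parse_supported(source):
    """Return (brand, model) pairs for every well-formed 'Supports' line."""
    found = []
    for line in source.splitlines():
        m = SUPPORTS_LINE.match(line)
        if m:
            found.append((m.group("brand"), m.group("model")))
    return found


# Constructed "before" shape (NOT the pattern fixed in this PR): an unbounded
# group whose pieces overlap (\w+ followed by an optional separator) lets the
# engine try about 2^(n-1) ways to split n word characters before it
# concludes that the trailing '!' can never match.
AMBIGUOUS_MODEL = re.compile(r"^Model:\s*(\w+\s?)+$")

# Hardened shape: explicit bounds everywhere plus a mandatory single
# separator between words, so each character can be consumed in one way
# and a failing match costs a few dozen steps regardless of input length.
BOUNDED_MODEL = re.compile(
    r"""
    ^ Model: [ \t]{0,4}
    \w{1,32} (?: [ \t] \w{1,32} ){0,7}               # 1-8 words of 1-32 chars
    $
    """,
    re.VERBOSE,
)


def match_seconds(pattern, text):
    """Wall-clock seconds spent on a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for brand, model in parse_supported(SAMPLE_SOURCE):
        print(f"{brand:10} {model}")
    # Keep the adversarial input short: the ambiguous pattern's cost
    # roughly doubles with every extra character.
    for n in (12, 16, 18):
        evil = "Model: " + "a" * n + "!"
        print(f"n={n:2}  ambiguous {match_seconds(AMBIGUOUS_MODEL, evil):.4f}s"
              f"  bounded {match_seconds(BOUNDED_MODEL, evil):.6f}s")
```

The design point is that a range limit alone is not enough if two adjacent pieces can still consume the same characters; the bounded pattern also makes the separator mandatory so the engine has exactly one way to tokenise a word run, which is what turns exponential backtracking into a small constant.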
NiKiZe
approved these changes
Sep 29, 2021
crankyoldgit
added a commit
that referenced
this pull request
Nov 19, 2021
_v2.8.0 (20211119)_

**[Bug Fixes]**
- Fix compilation issue when using old 8266 Arduino Frameworks. (#1639 #1640)
- Fix potential security issue with `scrape_supported_devices.py` (#1616 #1619)

**[Features]**
- SAMSUNG_AC
  - Change `clean` setting to a toggle. (#1676 #1677)
  - Highest fan speed is available without Powerful setting. (#1675 #1678)
  - Change `beep` setting to a toggle. (#1669 #1671)
  - Fix Beep for AR12TXEAAWKNEU (#1668 #1669)
  - Add support for Horizontal Swing & Econo (#1277 #1667)
  - Add support for On, Off, & Sleep Timers (#1277 #1662)
  - Fix power control. Clean-up code & bitmaps from Checksum changes. (#1277 #1648 #1650)
- HAIER_AC176/HAIER_AC_YRW02
  - Add support A/B unit setting (#1672)
  - Add support degree Fahrenheit (#1659)
  - Add support `Lock` function (#1652)
  - Implement horizontal swing feature (#1641)
  - Implement Quiet setting. (#1634 #1635)
- Basic support for Airton Protocol (#1670 #1681)
- HAIER_AC176: Add Turbo and Quiet settings (#1634)
- Gree: Add `SwingH` & `Econo` control. (#1587 #1653)
- MIRAGE
  - Add experimental detailed support. (#1573 #1615)
  - Experimental detailed support for KKG29A-C1 remote. (#1573 #1660)
- ELECTRA_AC: Add support for "IFeel" & Sensor settings. (#1644 #1645)
- Add Russian translation (#1649)
- Add Swedish translation (#1627)
- Reduce flash space used. (#1633)
- Strings finally in Flash! (#1493 #1614 #1623)
- Add support for Rhoss Idrowall MPCV 20-30-35-40 A/C protocol (#1630)
- Make `IRAc::opmodeToString()` output nicer for humans. (#1613)
- TCL112AC/TEKNOPOINT: Add support for `GZ055BE1` model (#1486 #1602)
- Support for Arris protocol. (#1598)
- SharpAc: Allow position control of SwingV (#1590 #1594)

**[Misc]**
- HAIER_AC176/HAIER_AC_YRW02
  - Replace some magic numbers with constants (#1679)
  - Small fix `Quiet` and `Turbo` test (#1674)
  - Fix `IRHaierAC176::getTemp()` return value description (#1663)
- Security Policy creation and changes. (#1616 #1617 #1618 #1621 #1680)
- IRrecvDumpV2/3: Update PlatformIO envs for missing languages (#1661)
- IRMQTTServer
  - Use the correct string for Fan mode in Home Assistant. (#1610 #1657)
  - Move a lot of the strings/text to flash. (#1638)
  - Minor code style improvements. (#1656)
- Update Supported Devices
  - HAIER_AC176 (#1673)
  - LG A/C (#1651 #1655)
  - Symphony (#1603 #1605)
  - Epson (#1574 #1601)
  - GREE (#1587 #1588)
  - SharpAc (#1590 #1591)
- Add extra tests for LG2 protocol (#1654)
- Fix parameter expansion in several macros.
- Move some strings to `IRtext.cpp` & `locale/default.h` (#1637)
- RHOSS: Move include and defines to their correct places (#1636)
- Make makefile only build required files when running `run-%` target (#1632)
- Update Portuguese translation (#1628)
- Add possibility to run specific test case (#1625)
- Change `googletest` library ignore (#1626)
- Re-work "Fan Only" strings & matching. (#1610)
- Address `C0209` pylint warnings. (#1608)
Merged
crankyoldgit
added a commit
that referenced
this pull request
Nov 19, 2021