Tom-Hirschberger / MMM-SynologySurveillance

An MagicMirror² module which uses the Synology Webapi to get the MJPEG streams of surveillance cams and displays them
MIT License

CamStream contains escape characters in the StmKey #12

Closed yoba-ch closed 1 year ago

yoba-ch commented 2 years ago

Hi, the MMM-SynologySurveillance in my installation has two issues:

  1. npm audit --fix has issues and turns around the installation of the syno ver 1.0.0, 1.0.2 and 2.2.0. Here's the example before downgrading the syno.api to ver 1.0:

    pi@raspberrypi:~/MagicMirror/modules/MMM-SynologySurveillance $ npm audit report

    npm audit report

    async  <2.6.4
    Severity: high
    Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
    fix available via npm audit fix --force
    Will install syno@1.0.0, which is a breaking change
    node_modules/async
      nconf  <=0.11.4
        Depends on vulnerable versions of async
        node_modules/nconf
          syno  >=1.0.2
            Depends on vulnerable versions of nconf
            node_modules/syno

  2. The StmKey contains escape characters. I've put the address without the escape characters and it works on Chrome. Here's the output of the console log:

    "dsIdx": 0, "camStreams": { "Cam 1": "http://storage:5000/webapi/entry.cgi?api=SYNO.SurveillanceStation.Stream.VideoStreaming&version=1&method=Stream&format=mjpeg&cameraId=4&StmKey=\"8b69b4f890419bb2bc622b96a6c5a7a8\"" }

Is there something wrong in my configuration or is this issue related to the async package which is not updated? Or can I modify something somewhere to not have the escape characters in the StmKey? Thank you very much for your help. Alex.

Tom-Hirschberger commented 2 years ago

Hi, great that you want to use my module. To your problems...

1. The "syno" package has not been updated in the last two years and I do not see a chance to replace the code parts which result in the vulnerabilities by myself. If you do not provide access to your mirror directly from the internet there is only a little chance that these vulnerabilities can be used. Even with using "npm audit fix --force" nothing changed in my setup. The module could still fetch the URLs and display the camera feeds. But it looks like all versions of "syno" use libs that do have vulnerabilities now.

2. The URL will be encoded by Electron (the browser engine used by MagicMirror) right before it gets included into the webpage, and the escape characters only get added when printed to the console. So no need to worry about it. To avoid this misleading output I released a new version of the module a few minutes ago which encodes the URL by itself and prints the encoded version to the log.

I also updated the Readme of the module and included a section which reconfigures the "address" option in the configuration of the mirror. Recent versions of Electron (which are used in MagicMirror >= 2.16) do have strict checks of the CORS policies. This causes a lot of problems to modules that want to display external content at the moment. In the case of this module only a small fix is needed to fix this issue. The address needs to be set to the used IP address of the mirror instead of something like "localhost", "127.0.0.1" or "0.0.0.0". If you do not want your mirror to be reachable in two different networks (i.e. by cable in 192.168.0.1 and via wifi in 192.168.178.1) then there should be no problem. The current version of MagicMirror (2.19) contains a CORS proxy which has been introduced for weather modules to fetch external content. I am not sure if I will be able to use this proxy in my module and there is a lot of re-programming needed to try it. Maybe there will be a better solution in the next months but for the moment the easiest way will be to set the IP.
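An added example (not the module's own code) illustrating both points of the reply above: the backslashes in the logged camStreams output come from JSON serialisation of a string that merely contains plain double quotes, the browser percent-encodes those quotes before the request goes out, and the MagicMirror "address" option should not be a loopback or wildcard value. The host name "storage", camera id 4 and the StmKey are taken from the log in the issue.

```javascript
// Build the MJPEG stream URL the way the issue shows it: the StmKey value
// is wrapped in literal double quotes (values constructed from the log above).
function buildStreamUrl(host, cameraId, stmKey) {
  return `http://${host}:5000/webapi/entry.cgi` +
    `?api=SYNO.SurveillanceStation.Stream.VideoStreaming&version=1` +
    `&method=Stream&format=mjpeg&cameraId=${cameraId}&StmKey="${stmKey}"`;
}

// What console.log of a JSON dump shows: the quotes get a backslash added
// for display only. The string itself never contains a backslash.
function logRepresentation(url) {
  return JSON.stringify(url);
}

// What the browser sends: encodeURI() turns each double quote into %22,
// so the server receives the quoted key exactly as Surveillance Station
// returned it and no escape character is ever transmitted.
function encodeStreamUrl(url) {
  return encodeURI(url);
}

// Decode the StmKey parameter back out of the encoded URL, as the server does.
function stmKeyFromUrl(encodedUrl) {
  return new URL(encodedUrl).searchParams.get("StmKey");
}

// MagicMirror "address" option: the values named in the reply above are the
// ones that trigger the Electron CORS problem; the LAN IP of the mirror works.
function isUsableMirrorAddress(address) {
  const rejected = new Set(["localhost", "127.0.0.1", "0.0.0.0"]);
  return !rejected.has(address.trim().toLowerCase());
}

// Stand-alone demonstration with the values from the issue.
const rawUrl = buildStreamUrl("storage", 4, "8b69b4f890419bb2bc622b96a6c5a7a8");
console.log("as logged :", logRepresentation(rawUrl));
console.log("as sent   :", encodeStreamUrl(rawUrl));
console.log("server sees StmKey =", stmKeyFromUrl(encodeStreamUrl(rawUrl)));
console.log("address 'localhost' usable:", isUsableMirrorAddress("localhost"));
```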

yoba-ch commented 2 years ago

Hi Tom,

Thanks a lot for your reply. I'll give it a try in the next days.... Travelling now. BR Alex

On 27 April 2022 21:00:50, Thomas Hirschberger @.***> wrote:


Tom-Hirschberger commented 1 year ago

Hi,

Has the fix solved your problem so I can close the issue?

Tom-Hirschberger commented 1 year ago

Hi, as there is no reaction I assume that the fix solved the problem. If the problem still exists feel free to re-open this issue or create a new one.