search

home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0
72.09k stars 30.18k forks source link

Home Assistant logs not sanitizing zwave JS security keys - shown in plaintext #121237

Open bharvey88 opened 3 months ago

bharvey88 commented 3 months ago

The problem

The logs shared by a user in discord here had all of his zwave security keys in plaintext. I had the user rename each of those to "redacted" which is what is seen here: Logger: homeassistant.components.zwave_js Source: components/hassio/addon_manager.py:383 integration: Z-Wave (documentation, issues) First occurred: 7:31:46 PM (25 occurrences) Last logged: 7:55:20 PM Failed to set the Z-Wave JS add-on options: not a valid value for dictionary value @ data['options']. Got {'device': '/dev/serial/by-id/usb-0658_0200-if00', 's0_legacy_key': 'redacted', 's2_access_control_key': 'redacted', 's2_authenticated_key': 'redacted', 's2_unauthenticated_key': 'redacted'}

What version of Home Assistant Core has the issue?

core-2024.7.0

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Zwave

Link to integration documentation on our website

https://www.home-assistant.io/integrations/zwave_js/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

`Logger: homeassistant.components.zwave_js
Source: components/hassio/addon_manager.py:383
integration: Z-Wave (documentation, issues)
First occurred: 7:31:46 PM (25 occurrences)
Last logged: 7:55:20 PM
Failed to set the Z-Wave JS add-on options: not a valid value for dictionary value @ data['options']. Got {'device': '/dev/serial/by-id/usb-0658_0200-if00', 's0_legacy_key': 'redacted', 's2_access_control_key': 'redacted', 's2_authenticated_key': 'redacted', 's2_unauthenticated_key': 'redacted'}`

Additional information

No response

home-assistant[bot] commented 3 months ago

Hey there @home-assistant/z-wave, mind taking a look at this issue as it has been labeled with an integration (zwave_js) you are listed as a code owner for? Thanks!

Code owner commands Code owners of `zwave_js` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign zwave_js` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

zwave_js documentation zwave_js source (message by IssueLinks)

home-assistant[bot] commented 3 months ago

Hey there @home-assistant/supervisor, mind taking a look at this issue as it has been labeled with an integration (hassio) you are listed as a code owner for? Thanks!

Code owner commands Code owners of `hassio` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign hassio` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

hassio documentation hassio source (message by IssueLinks)

issue-triage-workflows[bot] commented 2 days ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

raman325 commented 1 day ago

It would be nice to be able to redact things in the logs, but I am pretty sure this is coming from the supervisor/addon framework and we can't actually control this. There would likely need to be a new feature to support this.

bharvey88 commented 1 day ago

I opened another issue for frigate with the streams component https://github.com/home-assistant/core/issues/117892 and it was closed as a duplicate of https://github.com/home-assistant/core/issues/110891 which they said was fixed but I believe is still an issue with frigate rtsps streams in logs. It's definitely something I hope gets fixed eventually.

MartinHjelmare commented 1 day ago

It's the add-on manager that logs the error using the Z-Wave integration logger.

The easiest solution is probably to remove the option to log the error in the add-on manager and instead just raise the exception and have each integration catch the exception and then log the error. Then each integration can redact what they need from the log.