home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Telegram webhook trusted networks and access control #27095

Closed MFlasskamp closed 4 years ago

MFlasskamp commented 4 years ago

Home Assistant release with the issue:

0.99.3

Operating environment (Hass.io/Docker/Windows/etc.):

Docker (17.09.1-ce, build e398b97) on QNAP NAS (TS-253b, Firmware 4.3.6.0993)

Component/platform:

https://www.home-assistant.io/components/telegram_bot https://www.home-assistant.io/components/webhooks

Description of problem:

The log file is spammed with "Access denied from ::ffff:5b6c:657" messages, but it is able to send messages anyway (notify service). The address ::ffff:5b6c:657 is the IPv4 address 91.108.6.87 mapped into IPv6. Therefore, access is coming from a trusted network: 91.108.4.0/22 (range: 91.108.4.0 - 91.108.7.255, cf. https://core.telegram.org/bots/webhooks#the-short-version).

Please support IPv6 notation in the webhook's access control.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

telegram_bot:
  - platform: webhooks
    api_key: !secret tg_api
    trusted_networks:
     - 149.154.160.0/20
     - 91.108.4.0/22
    allowed_chat_ids:
      - !secret tg_chat_martin
      - !secret tg_chat_group

notify:
  - name: tg
    platform: telegram
    chat_id: !secret tg_chat_group

Traceback (if applicable):

...
2019-10-01 11:17:51 WARNING (MainThread) [homeassistant.components.telegram_bot.webhooks] Access denied from ::ffff:5b6c:657
2019-10-01 11:17:52 WARNING (MainThread) [homeassistant.components.telegram_bot.webhooks] Access denied from ::ffff:5b6c:657
2019-10-01 11:18:52 WARNING (MainThread) [homeassistant.components.telegram_bot.webhooks] Access denied from ::ffff:5b6c:657
...
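
An added example, not Home Assistant's code and not part of the original report: using Python's standard `ipaddress` module, it shows why the mapped address from the log fails a membership test against the IPv4 networks in the configuration, and one way to unwrap it before the check. The function names are hypothetical, and that the integration performs a plain membership test is an assumption.

```python
import ipaddress

# Networks copied from the trusted_networks entry in the report.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("149.154.160.0/20"),
    ipaddress.ip_network("91.108.4.0/22"),
]


def naive_is_trusted(remote, networks=TRUSTED_NETWORKS):
    """Membership test without normalisation (hypothetical helper).

    An IPv6Address is never "in" an IPv4Network, so an IPv4-mapped
    peer address is rejected even when the embedded IPv4 is trusted.
    """
    addr = ipaddress.ip_address(remote)
    return any(addr in net for net in networks)


def normalise(remote):
    """Unwrap ::ffff:a.b.c.d to the IPv4 address it carries.

    Only the IPv4-mapped form is unwrapped; every other IPv6 address
    is returned unchanged so it cannot match an IPv4 allowlist.
    """
    addr = ipaddress.ip_address(remote)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_trusted(remote, networks=TRUSTED_NETWORKS):
    """Membership test after unwrapping IPv4-mapped IPv6 addresses."""
    addr = normalise(remote)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # The first peer is the address from the log in the report; the
    # others are constructed for comparison.
    peers = ("::ffff:5b6c:657", "91.108.6.87", "::ffff:203.0.113.9", "2001:db8::1")
    for peer in peers:
        print(f"{peer:22} naive={naive_is_trusted(peer)!s:5} normalised={is_trusted(peer)}")
```

Addresses of this form typically appear when the listener is bound to a dual-stack IPv6 socket, so an allowlist written in IPv4 notation needs this unwrapping step or matching `::ffff:0:0/96`-based entries.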

stale[bot] commented 4 years ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue now has been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

freekode commented 4 years ago

Looks like the Telegram integration can't check trusted networks if the address is IPv6. Is it true?

giovanniferretti commented 2 years ago

Same issue here - @freekode @MFlasskamp have you ever managed to figure out how to get around this?

freekode commented 2 years ago

I think I just stopped using trusted_networks