Nerwyn/service-call-tile-feature

Evaluate concerns

Closed this issue · 4 comments

In the latest update it is noted:

New Action - Evaluate JS #50

You can now execute JavaScript as an action using Evaluate JS. This action calls [the eval function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) on a code string you write, and can be used to execute blocks of JavaScript code.

⚠️ Warning ⚠️. Executing JavaScript from a string in the browser is considered extremely insecure. While this shouldn't be an issue for Home Assistant, I'm trusting that users are not going to use this in a public-facing context where someone can modify custom features to execute arbitrary code.

Can you please elaborate on where this action is called and how/if it can be used to execute arbitrary code? Is it possible to disable this function for added safety?

It's an action, for feature interactions like tap actions. It's only called if you choose to use it, not by default.


Executing strings as code on public-facing websites is considered very unsafe. Since Home Assistant should never be public-facing, or at the very least shouldn't allow public users to modify cards, it should be fine for use in Home Assistant.

Does that alleviate your concern @SGXander? It isn't called by default, and is only called if the user calls it in an interaction. Unless you allow untrusted individuals to modify your dashboard to use the action (in which case you have a larger problem, as Home Assistant servers shouldn't be modifiable by public users, let alone public-facing at all), you'll be fine. I don't think there's anything you can do with this action that a possibly malicious person couldn't already do by running JavaScript in the browser console.

I think so. The security aspect does seem to rely upon the HA instance being secure too, but as long as there's no chance it can be called unauthenticated, then that's OK. A way to disable it would be great as a feature request though :)

Even if I did add a config option to deactivate it, it wouldn't make a difference as the access level to setting that (modifying a card config) is the same level of access someone would need to configure the action.
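
Because the action only runs where a dashboard config uses it, one practical check is to list every place it is configured. The following is an added example, not part of this issue thread or the project's code; the `action: eval` / `eval` key names and the sample dashboard are assumptions to adjust to your own config.

```javascript
// Audit a parsed dashboard config (YAML/JSON loaded into an object) for
// Evaluate JS actions so each code string can be reviewed.
// Assumption: an action is an object whose `action` key is "eval" and whose
// code string sits under an `eval` key; change both constants if yours differ.
const EVAL_ACTION = 'eval';
const CODE_KEY = 'eval';

// Recursively walk the config, recording the path and code of each eval action.
function findEvalActions(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findEvalActions(item, `${path}[${i}]`, found));
  } else if (node !== null && typeof node === 'object') {
    if (node.action === EVAL_ACTION) {
      const code = typeof node[CODE_KEY] === 'string' ? node[CODE_KEY] : '';
      found.push({ path, code });
    }
    for (const [key, value] of Object.entries(node)) {
      findEvalActions(value, `${path}.${key}`, found);
    }
  }
  return found;
}

// Constructed sample dashboard (not taken from the issue or the project).
const sampleDashboard = {
  views: [{
    cards: [{
      type: 'tile',
      entity: 'light.desk',
      features: [{
        type: 'custom:service-call',
        entries: [
          { type: 'button', tap_action: { action: 'toggle' } },
          { type: 'button',
            tap_action: { action: 'eval', eval: "console.log('tapped')" },
            hold_action: { action: 'eval', eval: 'window.location.reload()' } },
        ],
      }],
    }],
  }],
};

// Print one line per eval action: where it is and what it would run.
for (const { path, code } of findEvalActions(sampleDashboard)) {
  console.log(`${path}: ${code}`);
}
```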