Tom-Hirschberger/MMM-SynologySurveillance

CamStream contains escape characters in the StmKey

Closed this issue · 4 comments

Hi,
The MMM-SynologySurveillance in my installation has two issues:

  1. npm audit --fix has issues and turns around the installation of the syno ver 1.0.0, 1.0.2 and 2.2.0
    Here's the example before downgrading the syno.api to ver 1.0

pi@raspberrypi:~/MagicMirror/modules/MMM-SynologySurveillance $ npm audit report

npm audit report

async <2.6.4
Severity: high
Prototype Pollution in async - GHSA-fwr7-v2mv-hh25
fix available via npm audit fix --force
Will install syno@1.0.0, which is a breaking change
node_modules/async
nconf <=0.11.4
Depends on vulnerable versions of async
node_modules/nconf
syno >=1.0.2
Depends on vulnerable versions of nconf
node_modules/syno

  2. The StmKey contains escape characters. I've put the address without the escape char and it works on Chrome.
    Here's the output of the console log

"dsIdx": 0,
"camStreams": {
"Cam 1": "http://storage:5000/webapi/entry.cgi?api=SYNO.SurveillanceStation.Stream.VideoStreaming&version=1&method=Stream&format=mjpeg&cameraId=4&StmKey=\"8b69b4f890419bb2bc622b96a6c5a7a8\""
}

Is there something wrong in my configuration or is this issue related to the async package which is not updated?
Or can I modify something somewhere to not have the escape chars in the StmKey?
Thank you very much for your help.
Alex.

Hi,
great that you want to use my module.
To your problems...
1.
The "syno" package has not been updated in the last two years and I do not see a chance to replace the code parts which result in the vulnerabilities by myself. If you do not provide access to your mirror directly from the internet there is only a little chance that these vulnerabilities can be used. Even with using "npm audit fix --force" nothing changed in my setup. The module still could fetch the URLs and display the camera feeds. But it looks like all versions of "syno" use libs that do have vulnerabilities now.

2.
The URL will be encoded by Electron (the browser engine used by MagicMirror) right before it gets included into the webpage, and the escape characters only get added when printed to the console. So no need to worry about it. To avoid this misleading output I released a new version of the module a few minutes ago which encodes the URL by itself and prints the encoded version to the log.

I also updated the Readme of the module and included a section which reconfigures the "address" option in the configuration of the mirror.
Recent versions of Electron (which are used in MagicMirror >= 2.16) do have strict checks of the CORS policies. This causes a lot of problems to modules that want to display external content at the moment.
In the case of this module only a small fix is needed to fix this issue. The address needs to be set to the used IP address of the mirror instead of something like "localhost", "127.0.0.1" or "0.0.0.0". If you do not want your mirror to be reachable in two different networks (i.e. by cable in 192.168.0.1 and via wifi in 192.168.178.1) then there should be no problem.
The current version of MagicMirror (2.19) contains a CORS proxy which has been introduced for weather modules to fetch external content. I am not sure if I will be able to use this proxy in my module and there is a lot of re-programming needed to try it. Maybe there will be a better solution in the next months but for the moment the easiest way will be to set the IP.

Hi,

has the fix solved your problem so I can close the issue?

Hi, as there is no reaction I assume that the fix solved the problem.
If the problem still exists feel free to re-open this issue or create a new one.