core icon indicating copy to clipboard operation
core copied to clipboard

Published 20 hours ago verified publisher icon home-assistant

Zoneminder: Constant InsecureRequestWarning messages and password leakage in log file

Open WayneManion opened this issue 1 year ago • 3 comments

The problem

I use the Zoneminder integration. I have SSL enabled on my Zoneminder setup. The Zoneminder machine is not connected to the internet and does not have a "legit" SSL certificate. I have SSL: true and in my Zoneminder section of configuration.yaml.

The frequency of these messages makes it hard to read the Home Assistant log file. I have no idea how long this has been going on, probably for a long time.

What version of Home Assistant Core has the issue?

core-2024.2.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Zoneminder

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

from configuration.yaml

zoneminder:
  - host: !secret zoneminder_host
    ssl: true
    verify_ssl: false
    username: !secret zoneminder_username
    password: !secret zoneminder_password

Anything in the logs that might be useful for us?

2024-02-15 04:29:39.276 WARNING (SyncWorker_40) [py.warnings] /usr/local/lib/python3.12/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'zoneminder'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

2024-02-15 04:29:39.426 WARNING (SyncWorker_7) [py.warnings] /usr/local/lib/python3.12/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'zoneminder'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

Additional information

No response

WayneManion avatar Feb 15 '24 22:02 WayneManion

Hey there @rohankapoorcom, @nabbi, mind taking a look at this issue as it has been labeled with an integration (zoneminder) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of zoneminder can trigger bot actions by commenting:

  • @home-assistant close Closes the issue.
  • @home-assistant rename Awesome new title Renames the issue.
  • @home-assistant reopen Reopen the issue.
  • @home-assistant unassign zoneminder Removes the current integration label and assignees on the issue, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

zoneminder documentation zoneminder source (message by IssueLinks)

home-assistant[bot] avatar Feb 16 '24 07:02 home-assistant[bot]

My home-assistant.log currently has ~200k lines. ~140k of those lines are InsecureRequestWarning messages spit out by the Zoneminder integration or the blank lines that come after each of these InsecureRequestWarning messages.

Some extra fun related to this integration: My Zoneminder setup uses a password. I store this password in the secrets.yaml file. Whenever there is any kind of connection problem related to a Zoneminder camera, it logs the complete URL into the log file. Like so: 2024-02-16 12:21:29.662 ERROR (stream_worker) [homeassistant.components.stream.stream.camera.steve] Error from stream worker: Error demuxing stream: [Errno 5] I/O error: 'https://192.168.2.1/zm/cgi-bin/nph-zms?mode=jpeg&buffer=0&monitor=18&user=USER_IN_PLAIN_TEXT&pass=PASSWORD_IN_PLAIN_TEXT'

This seems bad.

WayneManion avatar Feb 16 '24 19:02 WayneManion

My home-assistant.log currently has ~200k lines. ~140k of those lines are InsecureRequestWarning messages spit out by the Zoneminder integration or the blank lines that come after each of these InsecureRequestWarning messages.

HA still lacks support for private certificates, and those warnings are generated from within the urllib3 python dependency. hass-additional-ca is an external component which has resolved these warning messages for my deployment using an internal CA. Self-signed certs are reported to work with this tooling too.

I have not yet looked into other methods of suppressing these faults, there may be other options to consider.

Whenever there is any kind of connection problem related to a Zoneminder camera, it logs the complete URL into the log file.

Interesting. This too appears to be logging from another HA component that provides the camera stream. Sanitation would likely need to be done within the other component, yet it would be oblivious to which parameters are sensitive.

nabbi avatar Feb 16 '24 23:02 nabbi

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

issue-triage-workflows[bot] avatar May 17 '24 01:05 issue-triage-workflows[bot]