neolink icon indicating copy to clipboard operation
neolink copied to clipboard

Published 20 hours ago verified publisher icon QuantumEntangledAndy

Full Config with *unobscured* passwords is stored in MQTT broker

Open morrisb74 opened this issue 1 year ago • 8 comments

Describe the bug A full config is dropped in the MQTT broker under /neolink/config which shows unobscured passwords!

To Reproduce Steps to reproduce the behavior. Example:

  1. Create this configuration file: Any config with MQTT enabled
  2. Launch Neolink:
  3. Open a MQTT Explorer/Client and lookup /neolink/config

Expected behavior Not to find a config file in the MQTT broker, or at least with the passwords obscured.

Versions NVR software: N/A Neolink software: 0.6.3.rc.2 Reolink camera model and firmware: N/A

morrisb74 avatar Apr 16 '24 10:04 morrisb74

Yeah I know I keep meaning to fix this but other things keep comming up. You can make a PR if you have the time

QuantumEntangledAndy avatar Apr 16 '24 11:04 QuantumEntangledAndy

Currently that config is watched so any changes in it are used to update the live camera. So you can add and remove cameras using it. It is run though the same de-serialization as the on disk config code and would need some sort of middle man to strip and add the passwords inbetween the deserialisation and serialisation

QuantumEntangledAndy avatar Apr 16 '24 12:04 QuantumEntangledAndy

Wouldn't it not be simpler to just not send the config over MQTT?

skorokithakis avatar Jul 29 '24 00:07 skorokithakis

Wouldn't it not be simpler to just not send the config over MQTT?

We do send the config over mqtt. That is the issue since the config is sent unaltered including the passwords

QuantumEntangledAndy avatar Jul 30 '24 02:07 QuantumEntangledAndy

Yes, and my question is wouldn't it be simpler to not send it?

skorokithakis avatar Jul 30 '24 07:07 skorokithakis

Ah yes I see. That would limit what could be changed over mqtt. Currently you can use mqtt to change all camera options and settings by updating the config there. I supposed it could be made optional. I am a bit busy with work to do this change at the moment though.

QuantumEntangledAndy avatar Jul 30 '24 07:07 QuantumEntangledAndy

Why would it limit what can be changed? It can still allow for changing everything, just don't send the config in the beginning.

skorokithakis avatar Jul 30 '24 07:07 skorokithakis

The code is setup using a watch channel. Any change in config will be posted. So on first change of a setting (via another mqtt command) it will post the updated live config. It would have to be completely disable printing of config.

If you want the change I recommend you open a PR with the change.

Id still prefer a full change that replaces them with *** or something since it can be used to check configuration over mqtt and that requested mqtt command have taken effect. It also makes it possible to copy the current config make small changes then post the updates

P.s. I don't you mqtt much myself but when I do it's my own server hosted on my docker compose. Is it common to use an untrusted server?

QuantumEntangledAndy avatar Jul 30 '24 12:07 QuantumEntangledAndy