Fixes (#23235)

* use stable empty object reference for swr metadata default * version bump * Refactor get_min_region_size for dimension normalization Refactor get_min_region_size to normalize dimensions for smaller models and ensure minimum region size is 320 for larger models. * reject restricted go2rtc stream sources when added via api * add env var check function * fix typing --------- Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2026-06-21 03:41:55 +03:00 · 2026-05-18 10:32:39 -05:00 · 2026-05-18 10:32:39 -05:00 · 0013555528
commit 0013555528
parent 2cfb530dbf
8 changed files with 117 additions and 51 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 default_target: local

 COMMIT_HASH := $(shell git log -1 --pretty=format:"%h"|tail -1)
-VERSION = 0.17.1
+VERSION = 0.17.2
 IMAGE_REPO ?= ghcr.io/blakeblackshear/frigate
 GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
 BOARDS= #Initialized empty
--- a/docker/main/rootfs/usr/local/go2rtc/create_config.py
+++ b/docker/main/rootfs/usr/local/go2rtc/create_config.py
@ -17,36 +17,12 @@ from frigate.const import (
 )
 from frigate.ffmpeg_presets import parse_preset_hardware_acceleration_encode
 from frigate.util.config import find_config_file
+from frigate.util.services import is_restricted_go2rtc_source

 sys.path.remove("/opt/frigate")

 yaml = YAML()

-# Check if arbitrary exec sources are allowed (defaults to False for security)
-allow_arbitrary_exec = None
-if "GO2RTC_ALLOW_ARBITRARY_EXEC" in os.environ:
-    allow_arbitrary_exec = os.environ.get("GO2RTC_ALLOW_ARBITRARY_EXEC")
-elif (
-    os.path.isdir("/run/secrets")
-    and os.access("/run/secrets", os.R_OK)
-    and "GO2RTC_ALLOW_ARBITRARY_EXEC" in os.listdir("/run/secrets")
-):
-    allow_arbitrary_exec = (
-        Path(os.path.join("/run/secrets", "GO2RTC_ALLOW_ARBITRARY_EXEC"))
-        .read_text()
-        .strip()
-    )
-# check for the add-on options file
-elif os.path.isfile("/data/options.json"):
-    with open("/data/options.json") as f:
-        raw_options = f.read()
-    options = json.loads(raw_options)
-    allow_arbitrary_exec = options.get("go2rtc_allow_arbitrary_exec")
-
-ALLOW_ARBITRARY_EXEC = allow_arbitrary_exec is not None and str(
-    allow_arbitrary_exec
-).lower() in ("true", "1", "yes")
-
 FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
 # read docker secret files as env vars too
 if os.path.isdir("/run/secrets"):
@ -135,18 +111,13 @@ if LIBAVFORMAT_VERSION_MAJOR < 59:
        go2rtc_config["ffmpeg"]["rtsp"] = rtsp_args


-def is_restricted_source(stream_source: str) -> bool:
-    """Check if a stream source is restricted (echo, expr, or exec)."""
-    return stream_source.strip().startswith(("echo:", "expr:", "exec:"))
-
-
 for name in list(go2rtc_config.get("streams", {})):
    stream = go2rtc_config["streams"][name]

    if isinstance(stream, str):
        try:
            formatted_stream = stream.format(**FRIGATE_ENV_VARS)
-            if not ALLOW_ARBITRARY_EXEC and is_restricted_source(formatted_stream):
+            if is_restricted_go2rtc_source(formatted_stream):
                print(
                    f"[ERROR] Stream '{name}' uses a restricted source (echo/expr/exec) which is disabled by default for security. "
                    f"Set GO2RTC_ALLOW_ARBITRARY_EXEC=true to enable arbitrary exec sources."
@ -165,7 +136,7 @@ for name in list(go2rtc_config.get("streams", {})):
        for i, stream_item in enumerate(stream):
            try:
                formatted_stream = stream_item.format(**FRIGATE_ENV_VARS)
-                if not ALLOW_ARBITRARY_EXEC and is_restricted_source(formatted_stream):
+                if is_restricted_go2rtc_source(formatted_stream):
                    print(
                        f"[ERROR] Stream '{name}' item {i + 1} uses a restricted source (echo/expr/exec) which is disabled by default for security. "
                        f"Set GO2RTC_ALLOW_ARBITRARY_EXEC=true to enable arbitrary exec sources."
--- a/docs/docs/frigate/updating.md
+++ b/docs/docs/frigate/updating.md
@ -5,7 +5,7 @@ title: Updating

 # Updating Frigate

-The current stable version of Frigate is **0.17.0**. The release notes and any breaking changes for this version can be found on the [Frigate GitHub releases page](https://github.com/blakeblackshear/frigate/releases/tag/v0.17.0).
+The current stable version of Frigate is **0.17.2**. The release notes and any breaking changes for this version can be found on the [Frigate GitHub releases page](https://github.com/blakeblackshear/frigate/releases/tag/v0.17.2).

 Keeping Frigate up to date ensures you benefit from the latest features, performance improvements, and bug fixes. The update process varies slightly depending on your installation method (Docker, Home Assistant App, etc.). Below are instructions for the most common setups.

@ -31,21 +31,21 @@ If you’re running Frigate via Docker (recommended method), follow these steps:

 2. **Update and Pull the Latest Image**:
   - If using Docker Compose:
-     - Edit your `docker-compose.yml` file to specify the desired version tag (e.g., `0.17.0` instead of `0.16.4`). For example:
+     - Edit your `docker-compose.yml` file to specify the desired version tag (e.g., `0.17.2` instead of `0.16.4`). For example:
       ```yaml
       services:
         frigate:
-           image: ghcr.io/blakeblackshear/frigate:0.17.0
+           image: ghcr.io/blakeblackshear/frigate:0.17.2
       ```
     - Then pull the image:
       ```bash
-       docker pull ghcr.io/blakeblackshear/frigate:0.17.0
+       docker pull ghcr.io/blakeblackshear/frigate:0.17.2
       ```
     - **Note for `stable` Tag Users**: If your `docker-compose.yml` uses the `stable` tag (e.g., `ghcr.io/blakeblackshear/frigate:stable`), you don’t need to update the tag manually. The `stable` tag always points to the latest stable release after pulling.
   - If using `docker run`:
-     - Pull the image with the appropriate tag (e.g., `0.17.0`, `0.17.0-tensorrt`, or `stable`):
+     - Pull the image with the appropriate tag (e.g., `0.17.2`, `0.17.2-tensorrt`, or `stable`):
       ```bash
-       docker pull ghcr.io/blakeblackshear/frigate:0.17.0
+       docker pull ghcr.io/blakeblackshear/frigate:0.17.2
       ```

 3. **Start the Container**:
--- a/frigate/api/camera.py
+++ b/frigate/api/camera.py
@ -24,7 +24,7 @@ from frigate.api.defs.tags import Tags
 from frigate.config.config import FrigateConfig
 from frigate.util.builtin import clean_camera_user_pass
 from frigate.util.image import run_ffmpeg_snapshot
-from frigate.util.services import ffprobe_stream
+from frigate.util.services import ffprobe_stream, is_restricted_go2rtc_source

 logger = logging.getLogger(__name__)

@ -111,6 +111,19 @@ def go2rtc_camera_stream(request: Request, stream_name: str):
 )
 def go2rtc_add_stream(request: Request, stream_name: str, src: str = ""):
    """Add or update a go2rtc stream configuration."""
+    if src and is_restricted_go2rtc_source(src):
+        logger.warning(
+            "Rejected go2rtc stream '%s' with restricted source type (echo/expr/exec)",
+            stream_name,
+        )
+        return JSONResponse(
+            content={
+                "success": False,
+                "message": "Restricted stream source type",
+            },
+            status_code=400,
+        )
+
    try:
        params = {"name": stream_name}
        if src:
--- a/frigate/test/http_api/test_http_camera_access.py
+++ b/frigate/test/http_api/test_http_camera_access.py
@ -1,3 +1,4 @@
+import os
 from unittest.mock import patch

 from fastapi import HTTPException, Request
@ -357,6 +358,51 @@ class TestGo2rtcStreamAccess(BaseTestHttp):
            f"got {resp.status_code}"
        )

+    def test_add_stream_rejects_restricted_source(self):
+        """PUT /go2rtc/streams must reject exec:/echo:/expr: sources even for
+        admins"""
+        app = self._make_app(_MULTI_CAMERA_CONFIG)
+        with AuthTestClient(app) as client:
+            for src in (
+                "exec:/tmp/rev.sh",
+                "echo:foo",
+                "expr:bar",
+                "  exec:/tmp/rev.sh",
+            ):
+                resp = client.put(f"/go2rtc/streams/revshell?src={src}")
+                assert resp.status_code == 400, (
+                    f"Expected 400 for restricted src {src!r}; got {resp.status_code}"
+                )
+                assert resp.json().get("success") is False
+
+    def test_add_stream_allows_non_restricted_source(self):
+        """A normal stream URL should pass the restricted-source check and reach
+        the (unavailable in tests) go2rtc proxy — so we expect 500, not 400."""
+        app = self._make_app(_MULTI_CAMERA_CONFIG)
+        with AuthTestClient(app) as client:
+            resp = client.put("/go2rtc/streams/legit?src=rtsp://10.0.0.1:554/video")
+            assert resp.status_code != 400, (
+                f"Non-restricted source should not be rejected with 400; got {resp.status_code}"
+            )
+
+    def test_add_stream_allows_restricted_source_when_override_set(self):
+        """When GO2RTC_ALLOW_ARBITRARY_EXEC is set, the API must defer to operator
+        intent and forward the request to go2rtc instead of short-circuiting with 400."""
+        app = self._make_app(_MULTI_CAMERA_CONFIG)
+        mock_response = type("R", (), {"ok": True, "status_code": 200, "text": "ok"})()
+        with patch.dict(os.environ, {"GO2RTC_ALLOW_ARBITRARY_EXEC": "true"}):
+            with patch(
+                "frigate.api.camera.requests.put", return_value=mock_response
+            ) as mock_put:
+                with AuthTestClient(app) as client:
+                    resp = client.put("/go2rtc/streams/legit?src=exec:/tmp/something")
+                assert resp.status_code == 200, (
+                    f"Restricted src should be forwarded when override set; got {resp.status_code}"
+                )
+                mock_put.assert_called_once()
+                forwarded_src = mock_put.call_args.kwargs["params"]["src"]
+                assert forwarded_src == "exec:/tmp/something"
+
    def test_stream_alias_blocked_when_owning_camera_disallowed(self):
        """limited_user cannot access a stream alias that belongs to a camera they
        are not allowed to see."""
--- a/frigate/util/object.py
+++ b/frigate/util/object.py
@ -271,18 +271,17 @@ def get_min_region_size(model_config: ModelConfig) -> int:
    """Get the min region size."""
    largest_dimension = max(model_config.height, model_config.width)

-    if largest_dimension > 320:
-        # We originally tested allowing any model to have a region down to half of the model size
-        # but this led to many false positives. In this case we specifically target larger models
-        # which can benefit from a smaller region in some cases to detect smaller objects.
-        half = int(largest_dimension / 2)
+    # return largest dimension for smaller models, but make sure the dimension is normalized
+    if largest_dimension < 320:
+        if largest_dimension % 4 == 0:
+            return largest_dimension

-        if half % 4 == 0:
-            return half
+        return int((largest_dimension + 3) / 4) * 4

-        return int((half + 3) / 4) * 4
-
-    return largest_dimension
+    # Any model that is 320 or larger should have a minimum region size of 320
+    # this allows larger models to use smaller regions to detect smaller objects
+    # in the case that the motion area is smaller so that it can be upscaled.
+    return 320


 def create_tensor_input(frame, model_config: ModelConfig, region):
--- a/frigate/util/services.py
+++ b/frigate/util/services.py
@ -556,6 +556,41 @@ def get_jetson_stats() -> Optional[dict[int, dict]]:
    return results


+def _go2rtc_arbitrary_exec_allowed() -> bool:
+    """Read the GO2RTC_ALLOW_ARBITRARY_EXEC override from env, docker
+    secrets, or the Home Assistant add-on options file."""
+    raw: Optional[str] = None
+    if "GO2RTC_ALLOW_ARBITRARY_EXEC" in os.environ:
+        raw = os.environ.get("GO2RTC_ALLOW_ARBITRARY_EXEC")
+    elif (
+        os.path.isdir("/run/secrets")
+        and os.access("/run/secrets", os.R_OK)
+        and "GO2RTC_ALLOW_ARBITRARY_EXEC" in os.listdir("/run/secrets")
+    ):
+        try:
+            with open("/run/secrets/GO2RTC_ALLOW_ARBITRARY_EXEC") as f:
+                raw = f.read().strip()
+        except OSError:
+            raw = None
+    elif os.path.isfile("/data/options.json"):
+        try:
+            with open("/data/options.json") as f:
+                options = json.loads(f.read())
+            raw = options.get("go2rtc_allow_arbitrary_exec")
+        except (OSError, json.JSONDecodeError):
+            raw = None
+
+    return raw is not None and str(raw).lower() in ("true", "1", "yes")
+
+
+def is_restricted_go2rtc_source(stream_source: str) -> bool:
+    """Check if a stream source is a restricted type (echo, expr, or exec)
+    and the GO2RTC_ALLOW_ARBITRARY_EXEC override is not set."""
+    if not stream_source.strip().startswith(("echo:", "expr:", "exec:")):
+        return False
+    return not _go2rtc_arbitrary_exec_allowed()
+
+
 def ffprobe_stream(ffmpeg, path: str, detailed: bool = False) -> sp.CompletedProcess:
    """Run ffprobe on stream."""
    clean_path = escape_special_characters(path)
--- a/web/src/hooks/use-deferred-stream-metadata.ts
+++ b/web/src/hooks/use-deferred-stream-metadata.ts
@ -5,6 +5,8 @@ import { LiveStreamMetadata } from "@/types/live";

 const FETCH_TIMEOUT_MS = 10000;
 const DEFER_DELAY_MS = 2000;
+const emptyObject: Readonly<{ [key: string]: LiveStreamMetadata }> =
+  Object.freeze({});

 /**
 * Hook that fetches go2rtc stream metadata with deferred loading.
@ -77,7 +79,7 @@ export default function useDeferredStreamMetadata(streamNames: string[]) {
    return metadata;
  }, []);

-  const { data: metadata = {} } = useSWR<{
+  const { data: metadata = emptyObject } = useSWR<{
    [key: string]: LiveStreamMetadata;
  }>(swrKey, fetcher, {
    revalidateOnFocus: false,