administrator/frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2026-02-14 15:15:22 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Security theatre: Use yaml.load() in one place.

Browse Source 
CodeQL complains when you use yaml.load() with custom loaders.
This will at least get it to stfu whenever our custom loader is used.
This commit is contained in:
George Tsiamasiotis 2024-09-18 09:09:53 +03:00
parent 532bbc8f61
commit c62c0809d2
3 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
frigate/config.py
View File

@ -9,7 +9,6 @@ from pathlib import Path
from typing import Any, Dict, List, Optional, Tuple, Union from typing import Any, Dict, List, Optional, Tuple, Union
import numpy as np import numpy as np
import yaml
from pydantic import ( from pydantic import (
BaseModel, BaseModel,
ConfigDict, ConfigDict,
@ -42,11 +41,11 @@ from frigate.ffmpeg_presets import (
) )
from frigate.plus import PlusApi from frigate.plus import PlusApi
from frigate.util.builtin import ( from frigate.util.builtin import (
NoDuplicateKeysLoader,
deep_merge, deep_merge,
escape_special_characters, escape_special_characters,
generate_color_palette, generate_color_palette,
get_ffmpeg_arg_list, get_ffmpeg_arg_list,
load_yaml,
) )
from frigate.util.config import StreamInfoRetriever, get_relative_coordinates from frigate.util.config import StreamInfoRetriever, get_relative_coordinates
from frigate.util.image import create_mask from frigate.util.image import create_mask
@ -1765,7 +1764,7 @@ class FrigateConfig(FrigateBaseModel):
raw_config = f.read() raw_config = f.read()
if config_file.endswith(YAML_EXT): if config_file.endswith(YAML_EXT):
config = yaml.load(raw_config, NoDuplicateKeysLoader) config = load_yaml(raw_config)
elif config_file.endswith(".json"): elif config_file.endswith(".json"):
config = json.loads(raw_config) config = json.loads(raw_config)
@ -1773,5 +1772,5 @@ class FrigateConfig(FrigateBaseModel):
@classmethod @classmethod
def parse_raw(cls, raw_config): def parse_raw(cls, raw_config):
config = yaml.load(raw_config, NoDuplicateKeysLoader) config = load_yaml(raw_config)
return cls.model_validate(config) return cls.model_validate(config)

7
frigate/test/test_config.py
View File

@ -4,14 +4,13 @@ import unittest
from unittest.mock import patch from unittest.mock import patch
import numpy as np import numpy as np
import yaml
from pydantic import ValidationError from pydantic import ValidationError
from frigate.config import BirdseyeModeEnum, FrigateConfig from frigate.config import BirdseyeModeEnum, FrigateConfig
from frigate.const import MODEL_CACHE_DIR from frigate.const import MODEL_CACHE_DIR
from frigate.detectors import DetectorTypeEnum from frigate.detectors import DetectorTypeEnum
from frigate.plus import PlusApi from frigate.plus import PlusApi
from frigate.util.builtin import NoDuplicateKeysLoader, deep_merge from frigate.util.builtin import deep_merge, load_yaml
class TestConfig(unittest.TestCase): class TestConfig(unittest.TestCase):
@ -1537,9 +1536,7 @@ class TestConfig(unittest.TestCase):
- four - four
""" """
self.assertRaises( self.assertRaises(ValueError, lambda: load_yaml(raw_config))
ValueError, lambda: yaml.load(raw_config, NoDuplicateKeysLoader)
)
def test_object_filter_ratios_work(self): def test_object_filter_ratios_work(self):
config = { config = {

4
frigate/util/builtin.py
View File

@ -116,6 +116,10 @@ class NoDuplicateKeysLoader(yaml.loader.SafeLoader):
return mapping return mapping
def load_yaml(raw_config: str) -> dict:
return yaml.load(raw_config, NoDuplicateKeysLoader)
def clean_camera_user_pass(line: str) -> str: def clean_camera_user_pass(line: str) -> str:
"""Removes user and password from line.""" """Removes user and password from line."""
rtsp_cleaned = re.sub(REGEX_RTSP_CAMERA_USER_PASS, "://*:*@", line) rtsp_cleaned = re.sub(REGEX_RTSP_CAMERA_USER_PASS, "://*:*@", line)