frigate/api/export.py

@@ -46,7 +46,6 @@ from frigate.record.export import (
     DEFAULT_TIME_LAPSE_FFMPEG_ARGS,
     PlaybackSourceEnum,
     RecordingExporter,
-    validate_ffmpeg_args,
 )
 from frigate.util.time import is_current_hour
 
@@ -548,24 +547,6 @@ def export_recording_custom(
 
     export_id = f"{camera_name}_{''.join(random.choices(string.ascii_lowercase + string.digits, k=6))}"
 
-    # Validate user-provided ffmpeg args to prevent injection
-    for args_label, args_value in [
-        ("input", ffmpeg_input_args),
-        ("output", ffmpeg_output_args),
-    ]:
-        if args_value is not None:
-            valid, message = validate_ffmpeg_args(args_value)
-            if not valid:
-                return JSONResponse(
-                    content=(
-                        {
-                            "success": False,
-                            "message": f"Invalid ffmpeg {args_label} arguments: {message}",
-                        }
-                    ),
-                    status_code=400,
-                )
-
     # Set default values if not provided (timelapse defaults)
     if ffmpeg_input_args is None:
         ffmpeg_input_args = ""

frigate/record/export.py

@@ -36,54 +36,6 @@ logger = logging.getLogger(__name__)
 DEFAULT_TIME_LAPSE_FFMPEG_ARGS = "-vf setpts=0.04*PTS -r 30"
 TIMELAPSE_DATA_INPUT_ARGS = "-an -skip_frame nokey"
 
-# ffmpeg flags that can read from or write to arbitrary files
-BLOCKED_FFMPEG_ARGS = frozenset(
-    {
-        "-i",
-        "-filter_script",
-        "-vstats_file",
-        "-passlogfile",
-        "-sdp_file",
-        "-dump_attachment",
-    }
-)
-
-
-def validate_ffmpeg_args(args: str) -> tuple[bool, str]:
-    """Validate that user-provided ffmpeg args don't allow input/output injection.
-
-    Blocks:
-    - The -i flag and other flags that read/write arbitrary files
-    - Absolute/relative file paths (potential extra outputs)
-    - URLs and ffmpeg protocol references (data exfiltration)
-    """
-    if not args or not args.strip():
-        return True, ""
-
-    tokens = args.split()
-    for token in tokens:
-        # Block flags that could inject inputs or write to arbitrary files
-        if token.lower() in BLOCKED_FFMPEG_ARGS:
-            return False, f"Forbidden ffmpeg argument: {token}"
-
-        # Block tokens that look like file paths (potential output injection)
-        if (
-            token.startswith("/")
-            or token.startswith("./")
-            or token.startswith("../")
-            or token.startswith("~")
-        ):
-            return False, "File paths are not allowed in custom ffmpeg arguments"
-
-        # Block URLs and ffmpeg protocol references (e.g. http://, tcp://, pipe:, file:)
-        if "://" in token or token.startswith("pipe:") or token.startswith("file:"):
-            return (
-                False,
-                "Protocol references are not allowed in custom ffmpeg arguments",
-            )
-
-    return True, ""
-
 
 def lower_priority():
     os.nice(PROCESS_PRIORITY_LOW)

frigate/test/test_proxy_auth.py

@@ -2,7 +2,6 @@ import unittest
 
 from frigate.api.auth import resolve_role
 from frigate.config import HeaderMappingConfig, ProxyConfig
-from frigate.config.env import FRIGATE_ENV_VARS
 
 
 class TestProxyRoleResolution(unittest.TestCase):
@@ -92,39 +91,3 @@ class TestProxyRoleResolution(unittest.TestCase):
         headers = {"x-remote-role": "group_unknown"}
         role = resolve_role(headers, self.proxy_config, self.config_roles)
         self.assertEqual(role, self.proxy_config.default_role)
-
-
-class TestProxyAuthSecretEnvString(unittest.TestCase):
-    def setUp(self):
-        self._original_env_vars = dict(FRIGATE_ENV_VARS)
-
-    def tearDown(self):
-        FRIGATE_ENV_VARS.clear()
-        FRIGATE_ENV_VARS.update(self._original_env_vars)
-
-    def test_auth_secret_env_substitution(self):
-        """auth_secret resolves FRIGATE_ env vars via EnvString."""
-        FRIGATE_ENV_VARS["FRIGATE_PROXY_SECRET"] = "my_secret_value"
-        config = ProxyConfig(auth_secret="{FRIGATE_PROXY_SECRET}")
-        self.assertEqual(config.auth_secret, "my_secret_value")
-
-    def test_auth_secret_env_embedded_in_string(self):
-        """auth_secret resolves env vars embedded in a larger string."""
-        FRIGATE_ENV_VARS["FRIGATE_SECRET_PART"] = "abc123"
-        config = ProxyConfig(auth_secret="prefix-{FRIGATE_SECRET_PART}-suffix")
-        self.assertEqual(config.auth_secret, "prefix-abc123-suffix")
-
-    def test_auth_secret_plain_string(self):
-        """auth_secret accepts a plain string without substitution."""
-        config = ProxyConfig(auth_secret="literal_secret")
-        self.assertEqual(config.auth_secret, "literal_secret")
-
-    def test_auth_secret_none(self):
-        """auth_secret defaults to None."""
-        config = ProxyConfig()
-        self.assertIsNone(config.auth_secret)
-
-    def test_auth_secret_unknown_var_raises(self):
-        """auth_secret raises KeyError for unknown env var references."""
-        with self.assertRaises(Exception):
-            ProxyConfig(auth_secret="{FRIGATE_NONEXISTENT_VAR}")

frigate/util/object.py

@@ -271,17 +271,18 @@ def get_min_region_size(model_config: ModelConfig) -> int:
     """Get the min region size."""
     largest_dimension = max(model_config.height, model_config.width)
 
-    # return largest dimension for smaller models, but make sure the dimension is normalized
-    if largest_dimension < 320:
-        if largest_dimension % 4 == 0:
-            return largest_dimension
+    if largest_dimension > 320:
+        # We originally tested allowing any model to have a region down to half of the model size
+        # but this led to many false positives. In this case we specifically target larger models
+        # which can benefit from a smaller region in some cases to detect smaller objects.
+        half = int(largest_dimension / 2)
 
-        return int((largest_dimension + 3) / 4) * 4
+        if half % 4 == 0:
+            return half
 
-    # Any model that is 320 or larger should have a minimum region size of 320
-    # this allows larger models to use smaller regions to detect smaller objects
-    # in the case that the motion area is smaller so that it can be upscaled.
-    return 320
+        return int((half + 3) / 4) * 4
+
+    return largest_dimension
 
 
 def create_tensor_input(frame, model_config: ModelConfig, region):

web/index.html

@@ -3,7 +3,7 @@
   <head>
     <meta charset="UTF-8" />
     <link rel="icon" href="/images/branding/favicon.ico" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Frigate</title>
     <link
       rel="apple-touch-icon"

web/src/components/card/ClassificationCard.tsx

@@ -6,7 +6,7 @@ import {
   ClassificationThreshold,
   ClassifiedEvent,
 } from "@/types/classification";
-import { forwardRef, useEffect, useMemo, useRef, useState } from "react";
+import { forwardRef, useMemo, useRef, useState } from "react";
 import { isDesktop, isIOS, isMobile, isMobileOnly } from "react-device-detect";
 import { useTranslation } from "react-i18next";
 import TimeAgo from "../dynamic/TimeAgo";
@@ -216,25 +216,6 @@ export function GroupedClassificationCard({
   const { t } = useTranslation(["views/explore", i18nLibrary]);
   const [detailOpen, setDetailOpen] = useState(false);
 
-  // If the component unmounts while the detail overlay is open, we need to
-  // pop the history state that was pushed by useHistoryBack, otherwise it
-  // leaves a stale entry that breaks back navigation.
-  const detailOpenRef = useRef(detailOpen);
-  useEffect(() => {
-    detailOpenRef.current = detailOpen;
-  }, [detailOpen]);
-
-  useEffect(() => {
-    return () => {
-      // Only pop the state if we are still sitting on the overlayOpen history entry.
-      // This prevents the unmount from undoing cross-page routing if the unmount
-      // was caused by navigating away to a different view.
-      if (detailOpenRef.current && window.history.state?.overlayOpen) {
-        window.history.back();
-      }
-    };
-  }, []);
-
   // data
 
   const bestItem = useMemo<ClassificationItemData | undefined>(() => {

web/src/components/ui/collapsible.tsx

@@ -1,28 +1,9 @@
-import * as CollapsiblePrimitive from "@radix-ui/react-collapsible";
-import * as React from "react";
+import * as CollapsiblePrimitive from "@radix-ui/react-collapsible"
 
-import { cn } from "@/lib/utils";
+const Collapsible = CollapsiblePrimitive.Root
 
-const Collapsible = CollapsiblePrimitive.Root;
+const CollapsibleTrigger = CollapsiblePrimitive.CollapsibleTrigger
 
-const CollapsibleTrigger = CollapsiblePrimitive.CollapsibleTrigger;
+const CollapsibleContent = CollapsiblePrimitive.CollapsibleContent
 
-const CollapsibleContent = React.forwardRef<
-  React.ComponentRef<typeof CollapsiblePrimitive.CollapsibleContent>,
-  React.ComponentPropsWithoutRef<typeof CollapsiblePrimitive.CollapsibleContent>
->(({ className, children, ...props }, ref) => (
-  <CollapsiblePrimitive.CollapsibleContent
-    ref={ref}
-    className={cn(
-      "overflow-hidden data-[state=closed]:animate-collapsible-up data-[state=open]:animate-collapsible-down",
-      className,
-    )}
-    {...props}
-  >
-    {children}
-  </CollapsiblePrimitive.CollapsibleContent>
-));
-CollapsibleContent.displayName =
-  CollapsiblePrimitive.CollapsibleContent.displayName;
-
-export { Collapsible, CollapsibleTrigger, CollapsibleContent };
+export { Collapsible, CollapsibleTrigger, CollapsibleContent }

web/src/hooks/use-overlay-state.tsx

@@ -1,11 +1,4 @@
-import {
-  useCallback,
-  useContext,
-  useEffect,
-  useMemo,
-  useRef,
-  useState,
-} from "react";
+import { useCallback, useContext, useEffect, useMemo, useRef } from "react";
 import { useLocation, useNavigate, useSearchParams } from "react-router-dom";
 import { usePersistence } from "./use-persistence";
 import { useUserPersistence } from "./use-user-persistence";
@@ -207,51 +200,36 @@ export function useSearchEffect(
   const location = useLocation();
   const navigate = useNavigate();
   const [searchParams] = useSearchParams();
-  const [pendingRemoval, setPendingRemoval] = useState(false);
-  const processedRef = useRef<string | null>(null);
 
-  const currentParam = searchParams.get(key);
+  const param = useMemo(() => {
+    const param = searchParams.get(key);
+
+    if (!param) {
+      return undefined;
+    }
+
+    return [key, decodeURIComponent(param)];
+  }, [searchParams, key]);
 
-  // Process the param via callback (once per unique param value)
   useEffect(() => {
-    if (currentParam == null || currentParam === processedRef.current) {
+    if (!param) {
       return;
     }
 
-    const decoded = decodeURIComponent(currentParam);
-    const shouldRemove = callback(decoded);
+    const remove = callback(param[1]);
 
-    if (shouldRemove) {
-      processedRef.current = currentParam;
-      setPendingRemoval(true);
+    if (remove) {
+      navigate(location.pathname + location.hash, {
+        state: location.state,
+        replace: true,
+      });
     }
-  }, [currentParam, callback, key]);
-
-  // Remove the search param in a separate render cycle so that any state
-  // changes from the callback (e.g., overlay state navigations) are already
-  // reflected in location.state before we navigate to strip the param.
-  useEffect(() => {
-    if (!pendingRemoval) {
-      return;
-    }
-
-    setPendingRemoval(false);
-    navigate(location.pathname + location.hash, {
-      state: location.state,
-      replace: true,
-    });
   }, [
-    pendingRemoval,
-    navigate,
+    param,
+    location.state,
     location.pathname,
     location.hash,
-    location.state,
+    callback,
+    navigate,
   ]);
-
-  // Reset tracking when param is removed from the URL
-  useEffect(() => {
-    if (currentParam == null) {
-      processedRef.current = null;
-    }
-  }, [currentParam]);
 }

web/src/pages/Events.tsx

@@ -409,11 +409,8 @@ export default function Events() {
 
   // review status
 
-  const markItemsAsReviewed = useCallback(
-    async (
-      currentItems: ReviewSegment[],
-      itemsToMarkReviewed: ReviewSegment[] | undefined = undefined,
-    ) => {
+  const markAllItemsAsReviewed = useCallback(
+    async (currentItems: ReviewSegment[]) => {
       if (currentItems.length == 0) {
         return;
       }
@@ -438,14 +435,13 @@ export default function Events() {
         { revalidate: false, populateCache: true },
       );
 
-      const reviewList =
-        itemsToMarkReviewed?.map((seg) => seg.id) ||
-        currentItems?.filter((seg) => seg.end_time)?.map((seg) => seg.id) ||
-        [];
+      const itemsToMarkReviewed = currentItems
+        ?.filter((seg) => seg.end_time)
+        ?.map((seg) => seg.id);
 
-      if (reviewList.length > 0) {
+      if (itemsToMarkReviewed.length > 0) {
         await axios.post(`reviews/viewed`, {
-          ids: reviewList,
+          ids: itemsToMarkReviewed,
           reviewed: true,
         });
         reloadData();
@@ -615,7 +611,7 @@ export default function Events() {
         setShowReviewed={setShowReviewed}
         setSeverity={setSeverity}
         markItemAsReviewed={markItemAsReviewed}
-        markItemsAsReviewed={markItemsAsReviewed}
+        markAllItemsAsReviewed={markAllItemsAsReviewed}
         onOpenRecording={setRecording}
         motionPreviewsCamera={motionPreviewsCamera ?? null}
         setMotionPreviewsCamera={(camera) =>

web/src/views/events/EventView.tsx

@@ -110,10 +110,7 @@ type EventViewProps = {
   setShowReviewed: (show: boolean) => void;
   setSeverity: (severity: ReviewSeverity) => void;
   markItemAsReviewed: (review: ReviewSegment) => void;
-  markItemsAsReviewed: (
-    currentItems: ReviewSegment[],
-    itemsToMarkReviewed?: ReviewSegment[] | undefined,
-  ) => void;
+  markAllItemsAsReviewed: (currentItems: ReviewSegment[]) => void;
   onOpenRecording: (recordingInfo: RecordingStartingPoint) => void;
   motionPreviewsCamera: string | null;
   setMotionPreviewsCamera: (camera: string | null) => void;
@@ -135,7 +132,7 @@ export default function EventView({
   setShowReviewed,
   setSeverity,
   markItemAsReviewed,
-  markItemsAsReviewed,
+  markAllItemsAsReviewed,
   onOpenRecording,
   motionPreviewsCamera,
   setMotionPreviewsCamera,
@@ -501,7 +498,7 @@ export default function EventView({
             loading={severity != severityToggle}
             emptyCardData={emptyCardData}
             markItemAsReviewed={markItemAsReviewed}
-            markItemsAsReviewed={markItemsAsReviewed}
+            markAllItemsAsReviewed={markAllItemsAsReviewed}
             onSelectReview={onSelectReview}
             onSelectAllReviews={onSelectAllReviews}
             setSelectedReviews={setSelectedReviews}
@@ -552,10 +549,7 @@ type DetectionReviewProps = {
   loading: boolean;
   emptyCardData: EmptyCardData;
   markItemAsReviewed: (review: ReviewSegment) => void;
-  markItemsAsReviewed: (
-    currentItems: ReviewSegment[],
-    itemsToMarkReviewed?: ReviewSegment[] | undefined,
-  ) => void;
+  markAllItemsAsReviewed: (currentItems: ReviewSegment[]) => void;
   onSelectReview: (
     review: ReviewSegment,
     ctrl: boolean,
@@ -579,7 +573,7 @@ function DetectionReview({
   loading,
   emptyCardData,
   markItemAsReviewed,
-  markItemsAsReviewed,
+  markAllItemsAsReviewed,
   onSelectReview,
   onSelectAllReviews,
   setSelectedReviews,
@@ -794,7 +788,12 @@ function DetectionReview({
           break;
         case "r":
           if (selectedReviews.length > 0 && !modifiers.repeat) {
-            markItemsAsReviewed(currentItems || [], selectedReviews);
+            currentItems?.forEach((item) => {
+              if (selectedReviews.some((r) => r.id === item.id)) {
+                item.has_been_reviewed = true;
+                markItemAsReviewed(item);
+              }
+            });
             setSelectedReviews([]);
             return true;
           }
@@ -904,7 +903,7 @@ function DetectionReview({
                   variant="select"
                   onClick={() => {
                     setSelectedReviews([]);
-                    markItemsAsReviewed(currentItems ?? []);
+                    markAllItemsAsReviewed(currentItems ?? []);
                   }}
                 >
                   {t("markTheseItemsAsReviewed")}

web/tailwind.config.cjs

@@ -40,8 +40,6 @@ module.exports = {
       animation: {
         "accordion-down": "accordion-down 0.2s ease-out",
         "accordion-up": "accordion-up 0.2s ease-out",
-        "collapsible-down": "collapsible-down 0.2s ease-out",
-        "collapsible-up": "collapsible-up 0.2s ease-out",
         move: "move 3s ease-in-out infinite",
         scale1: "scale1 3s ease-in-out infinite",
         scale2: "scale2 3s ease-in-out infinite",
@@ -150,14 +148,6 @@ module.exports = {
           from: { height: "var(--radix-accordion-content-height)" },
           to: { height: 0 },
         },
-        "collapsible-down": {
-          from: { height: "0px" },
-          to: { height: "var(--radix-collapsible-content-height)" },
-        },
-        "collapsible-up": {
-          from: { height: "var(--radix-collapsible-content-height)" },
-          to: { height: "0px" },
-        },
         move: {
           "50%": { left: "calc(100% - 7px)" },
         },