Fix tradfri RCE: diyhue#105 (diyhue#888)

7FM · web-flow · commit fc16d0a4e0b7 · 2023-02-04T13:39:45.000+02:00
diff --git a/BridgeEmulator/flaskUI/core/views.py b/BridgeEmulator/flaskUI/core/views.py
@@ -67,7 +67,8 @@ def pairTradfri():
     try:
         data = request.get_json(force=True)
         pprint(data)
-        registration = json.loads(check_output("./coap-client-linux -m post -u \"Client_identity\" -k \"" + data["tradfriCode"] + "\" -e '{\"9090\":\"" + data["identity"] + "\"}' \"coaps://" + data["tradfriGwIp"] + ":5684/15011/9063\"", shell=True).decode('utf-8').rstrip('\n').split("\n")[-1])
+        cmd = ["./coap-client-linux", "-m", "post", "-u", "Client_identity", "-k", data["tradfriCode"], "-e", "{\"9090\":\"" + data["identity"] + "\"}", "coaps://" + data["tradfriGwIp"] + ":5684/15011/9063"]
+        registration = json.loads(check_output(cmd).decode('utf-8').rstrip('\n').split("\n")[-1])
         if "9091" in registration:
             bridgeConfig["config"]["tradfri"] = {"psk": registration["9091"], "tradfriGwIp": data["tradfriGwIp"], "identity": data["identity"]}
             return {"result": "success", "psk": registration["9091"]}
diff --git a/BridgeEmulator/lights/protocols/tradfri.py b/BridgeEmulator/lights/protocols/tradfri.py
@@ -52,11 +52,13 @@ def set_light(light, data):
 
     if "5712" not in payload:
         payload["5712"] = 4 #If no transition add one, might also add check to prevent large transitiontimes
-    check_output("./coap-client-linux -B 2 -m put -u \"" + light.protocol_cfg["identity"] + "\" -k \"" + light.protocol_cfg["psk"] + "\" -e '{ \"3311\": [" + json.dumps(payload) + "] }' \"" + url + "\"", shell=True)
+    cmd = ["./coap-client-linux", "-B", "2", "-m", "put", "-u", light.protocol_cfg["identity"], "-k", light.protocol_cfg["psk"], "-e", "{ \"3311\": [" + json.dumps(payload) + "] }", url]
+    check_output(cmd)
 
 def get_light_state(light):
     state ={}
-    light_data = json.loads(check_output("./coap-client-linux -B 5 -m get -u \"" + light.protocol_cfg["identity"] + "\" -k \"" + light.protocol_cfg["psk"] + "\" \"coaps://" + light.protocol_cfg["ip"] + ":5684/15001/" + str(light.protocol_cfg["id"]) +"\"", shell=True).decode('utf-8').rstrip('\n').split("\n")[-1])
+    cmd = ["./coap-client-linux", "-B", "5", "-m", "get", "-u", light.protocol_cfg["identity"], "-k", light.protocol_cfg["psk"], "coaps://" + light.protocol_cfg["ip"] + ":5684/15001/" + str(light.protocol_cfg["id"])]
+    light_data = json.loads(check_output(cmd).decode('utf-8').rstrip('\n').split("\n")[-1])
     state["on"] = bool(light_data["3311"][0]["5850"])
     state["bri"] = light_data["3311"][0]["5851"]
     if "5706" in light_data["3311"][0]:
@@ -75,10 +77,12 @@ def discover(detectedLights, tradfriConfig):
     if "psk" in tradfriConfig:
         logging.debug("tradfri: <discover> invoked!")
         try:
-            tradriDevices = json.loads(check_output("./coap-client-linux -B 5 -m get -u \"" + tradfriConfig["identity"] + "\" -k \"" + tradfriConfig["psk"] + "\" \"coaps://" + tradfriConfig["tradfriGwIp"] + ":5684/15001\"", shell=True).decode('utf-8').rstrip('\n').split("\n")[-1])
+            cmd = ["./coap-client-linux", "-B", "5", "-m", "get", "-u", tradfriConfig["identity"], "-k", tradfriConfig["psk"], "coaps://" + tradfriConfig["tradfriGwIp"] + ":5684/15001"]
+            tradriDevices = json.loads(check_output(cmd).decode('utf-8').rstrip('\n').split("\n")[-1])
             logging.debug(tradriDevices)
             for device in tradriDevices:
-                deviceParameters = json.loads(check_output("./coap-client-linux -B 5 -m get -u \"" + tradfriConfig["identity"] + "\" -k \"" + tradfriConfig["psk"] + "\" \"coaps://" + tradfriConfig["tradfriGwIp"] + ":5684/15001/" + str(device) +"\"", shell=True).decode('utf-8').rstrip('\n').split("\n")[-1])
+                cmd = ["./coap-client-linux", "-B", "5", "-m", "get", "-u", tradfriConfig["identity"], "-k", tradfriConfig["psk"], "coaps://" + tradfriConfig["tradfriGwIp"] + ":5684/15001/" + str(device)]
+                deviceParameters = json.loads(check_output(cmd).decode('utf-8').rstrip('\n').split("\n")[-1])
                 if "3311" in deviceParameters:
                     logging.debug("found tradfi light " + deviceParameters["9001"])
                     detectedLights.append({"protocol": "tradfri", "name": deviceParameters["9001"], "modelid": "LCT015", "protocol_cfg": {"ip": tradfriConfig["tradfriGwIp"], "id": device, "identity": tradfriConfig["identity"], "psk":  tradfriConfig["psk"]}})
