Please add homebridge-camera-ui #1996

Open
Albert711 opened this issue May 16, 2024 · 12 comments
Comments

@Albert711

https://www.npmjs.com/package/homebridge-camera-ui
I will be very grateful.

@nxhack
Owner

nxhack commented May 17, 2024

Hi @Albert711

I tried to port it, but there are some vulnerabilities in the modules that the "camera.ui" module depends on, and there is no fixed version, so I have to abandon the porting. Sorry for the inconvenience.

# npm audit report

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    node_modules/multer

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
No fix available
node_modules/jsonwebtoken
  socketio-jwt  *
  Depends on vulnerable versions of jsonwebtoken
  node_modules/socketio-jwt

@Albert711
Author

But why not use [email protected] instead of [email protected], which no longer depends on busboy, which in turn depends on the vulnerable dicer? Even busboy >=1.0.0 doesn't depend on dicer anymore.

@Albert711
Author

And the latest version of "camera.ui" (1.1.17) requires the "multer" module higher than 1.4.4 which, as I mentioned earlier, does not depend on the vulnerable modules.
Maybe you are trying to port some very old version of the "camera.ui" module.

@nxhack
Owner

nxhack commented May 17, 2024

This is a snapshot of the implementation in progress. Please try it out.

https://github.com/nxhack/openwrt-node-packages/tree/212d6cbee2109e40fd25e0953f9b71ef0e9e6147

@Albert711
Author

As for the "dicer" module, I figured out what was wrong with the audit failure.
It turns out that the "camera.ui" module uses the "multer" module version 1.4.4 instead of 1.4.4-lts.1 (I even tried 1.4.5-lts.1). After I changed the “camera.ui” module dependencies to the correct version, there are no more NPM audit warnings regarding the “dicer” module. Just need to add the right version to the patch file.

But regarding the vulnerability in the "jsonwebtoken" module, here is the problem:
The "camera.ui" module uses the "socketio-jwt" module, which has not been updated for over 4 years (seems to be abandoned) and it, in turn, uses an old version of the "jsonwebtoken" module (with a vulnerability).
Could you add the "socketio-jwt" module to your repository and patch it to use the latest version of the "jsonwebtoken" module? And now we can use this for the “camera.ui” module.

And I also noticed that in one of the modules of your repository, “tar” was removed from the module dependencies. Maybe this also needs to be removed from the dependencies of the "camera.ui" module? I just don't understand this very deeply.
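The two fixes proposed in this comment (pinning multer to the lts release that dropped busboy/dicer, and moving socketio-jwt's transitive jsonwebtoken forward) can be expressed at the packaging level with npm's `overrides` field, which forces a version on a transitive dependency without editing the dependent package. This is an added illustration, not a file from the openwrt-node-packages repository; the multer version is the one reported working above, and the jsonwebtoken range assumes the 9.x line (where the listed advisories are fixed) is compatible with socketio-jwt, which must be confirmed by testing the login flow.

```json
{
  "name": "camera-ui-packaging-example",
  "private": true,
  "dependencies": {
    "camera.ui": "1.1.17"
  },
  "overrides": {
    "multer": "1.4.5-lts.1",
    "socketio-jwt": {
      "jsonwebtoken": "^9.0.0"
    }
  }
}
```

After changing overrides, delete `node_modules` and `package-lock.json` before reinstalling, then rerun `npm audit` to confirm the dicer and jsonwebtoken entries are gone.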

@nxhack
Owner

nxhack commented May 18, 2024

"camera.ui" gives this warning. In any case, it is not desirable because it is not maintained.

npm warn deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated [email protected]: this library is no longer supported
npm warn deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm warn deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

https://github.com/nxhack/openwrt-node-packages/tree/dev

@Albert711
Author

Well, let's see if I can at least do something about it.

@nxhack
Owner

nxhack commented May 19, 2024

For now, I was able to adjust the module version consistency and start it with config-ui. Please check the actual connection to the camera device.

@Albert711
Author

Thank you @nxhack
Today I will definitely try to check everything.

@Albert711 Albert711 reopened this Jul 14, 2024
@Albert711
Author

Albert711 commented Jul 14, 2024

Thank you for your responsiveness and for the quick implementation. I am grateful to you.

And I apologize for such a late reply. The household routine bogged me down completely.

I checked everything and I have to say that everything works as expected. I am satisfied.

And of course it is a pity that the author of the plugin has not updated this for a long time. During this time I also managed to test Scrypted. And I must say it turned out to be a little better. But unfortunately (as far as I understand), it cannot be built into OpenWrt. And it requires an additional server, which is not always convenient and possible. I hope the author of the camera.ui plugin will wake up and fix all the imperfections 🙂

@Albert711
Author

@nxhack Is it possible to also add Scrypted?

@nxhack
Owner

nxhack commented Aug 8, 2024

scrypted seems to be a huge, complex application server.
It seems that simply 'npm install scrypted' is not enough, so I can't do anything about it.

I introduced 'scrypted' in my local environment to try it out, but with require('scrypted');,

> require('scrypted');
usage:
   npx scrypted install npm-package-name [127.0.0.1[:10443]]
   npx scrypted install npm-package-name[/0.0.1] [127.0.0.1[:10443]]
   npx scrypted login [127.0.0.1[:10443]]
   npx scrypted serve
   npx scrypted serve@latest
   npx scrypted serve[@version]
   npx scrypted command name-or-id[@127.0.0.1[:10443]] method-name [...method-arguments]
   npx scrypted ffplay name-or-id[@127.0.0.1[:10443]] method-name [...method-arguments]
   npx scrypted create-cert-json /path/to/key.pem /path/to/cert.pem
   npx scrypted shell [127.0.0.1[:10443]] [-- cmd [...cmd-args]]

examples:
   npx scrypted install @scrypted/rtsp
   npx scrypted install @scrypted/rtsp/0.0.51
   npx scrypted install @scrypted/rtsp/0.0.51 192.168.2.100
{}
> 

I don't have the time and energy to cover everything.
