Hide TTS filename behind random token #131192
Conversation
home-assistant
bot
added
integration: tts
new-feature
small-pr
|
Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration ( Code owner commandsCode owners of
|
| self.filename_token[filename] = token | ||
| self.filename_token[token] = filename |
There was a problem hiding this comment.
Can we track this in 2 different dictionaries. Feels weird to reuse.
Also, shouldn't _async_get_tts_audio( just return a data class that contains filename and token ?
There was a problem hiding this comment.
I split the dictionaries for now. A larger refactoring here where the token and cache key are the same should be done in the future.
| if not (record := _RE_VOICE_FILE.match(filename.lower())) and not ( | ||
| record := _RE_LEGACY_VOICE_FILE.match(filename.lower()) |
There was a problem hiding this comment.
It's still needed to reconstruct the cache key correctly right below. I'll save this clean up for a future PR.
| """Read a voice file and return binary. | ||
|
|
||
| This method is a coroutine. | ||
| """ | ||
| filename = self.filename_token.get(token) | ||
| if not filename: | ||
| raise HomeAssistantError(f"{token} was not recognized!") |
There was a problem hiding this comment.
This should raise a 401, as we shouldn't expose if the key existed or not.
There was a problem hiding this comment.
Wouldn't raising a different error here than in the other conditions (404) make it obvious that the key doesn't exist?
Breaking change
TTS URLs of the form
/api/tts_proxy/{filename}no longer map to{filename}directly in the TTS cache. This means that TTS URLs will change every time HA is restarted.Proposed change
The text-to-speech (TTS) cache stores audio files using a SHA1 hash of the text as part of the file name. The filename is currently used directly in the web API, where
/api/tts_proxy/{filename}maps directly to{filename}in the TTS cache.This presents a small security issue when an HA instance is exposed publicly, as a malicious actor could try to retrieve files with a known SHA1 to determine whether or not a particular message was spoken.
A simple fix is provided in this PR: the TTS
SpeechManagercontains a mapping between cache file names and a randomly generated token using thesecretslibrary. This ensures there is no relationship between the URL to retrieve a TTS audio file and its message.Type of change
Additional information
Checklist
ruff format homeassistant tests)If user exposed functionality or configuration variables are added/changed:
If the code communicates with devices, web services, or third-party tools:
Updated and included derived files by running:
python3 -m script.hassfest.requirements_all.txt.Updated by running
python3 -m script.gen_requirements_all.To help with the load of incoming pull requests: