Avatar for the esphome user
esphome
aioesphomeapi
BlogDocsChangelog

Performance History

Latest Results

Sanitize plaintext hello name/server_info before logs and exceptions Apply the existing noise-path log-injection defense to the plaintext HelloResponse. resp.server_info and resp.name flowed unsanitized into _LOGGER.debug and into the BadNameAPIError message; that message eventually reaches report_fatal_error's _LOGGER.warning via _raise_fatal_connection_exception, so peer-controlled CRLF/ANSI bytes could forge log lines. Hoist _safe_label_str + MAX_NAME_LEN / MAX_MAC_LEN / MAX_EXPLANATION_LEN from _frame_helper/noise.py to _frame_helper/base.py so both the noise and the plaintext path share one implementation. _process_hello_resp now compares against the raw decoded name (so a peer can't bypass expected_name by appending non-printable bytes) and uses the sanitized value only for the log, the exception payload, and self.received_name. Closes #1659.
bluetoothbot:koan/sanitize-plaintext-hello
4 hours ago
Validate bluetooth_device_set_connection_params against BLE Core spec Out-of-range connection params were packed into the protobuf and shipped to the ESP unchanged, where the controller or peer would drop the update with no actionable feedback. Validate up front so callers get a ValueError naming the offending parameter instead. Enforces interval 6..3200 (units of 1.25 ms), latency 0..499, timeout 10..3200 (units of 10 ms), max_interval >= min_interval, and timeout * 4 > (1 + latency) * max_interval per the BLE Core spec. Ported from Bluetooth-Devices/bleak-esphome#305.
bluetoothbot:koan/validate-ble-connection-params
12 hours ago
Redact PSK value from Malformed PSK error messages (#1657) Co-authored-by: J. Nick Koston <nick@koston.org>
main
17 hours ago
Standardize wrong-length PSK error message wording
bluetoothbot:koan/redact-malformed-psk-log
17 hours ago
Redact PSK value from Malformed PSK error messages The raw noise PSK was interpolated into the InvalidEncryptionKeyAPIError message on both decode-failure paths in _decode_noise_psk. The exception flows up through report_fatal_error() and is logged at WARNING level via 'Connection error occurred: %s', leaking long-lived device credentials to any log sink (file, journald, log aggregator, support bundle). Even malformed PSKs are highly sensitive: typos are near-identical to the real key, clipboard pastes may carry stray prefixes/suffixes, and the value may be the real key from a sibling device. Replace the embedded PSK with its length only; that is enough to diagnose a paste error without exposing key material. Fixes #1654
bluetoothbot:koan/redact-malformed-psk-log
18 hours ago
Address Copilot review on noise hello sanitization - Compare expected_name and expected_mac against the *raw* decoded value, not the sanitized one. A peer that sends "servicetest\r\n" would otherwise sanitize to "servicetest" and pass the expected_name check, defeating the point of having one. - Same fix for the "Handshake MAC failure" classification check in _error_on_incorrect_preamble. Sanitization there was demoting an arbitrary peer message like "Handshake MAC failure\0extra" into the canonical InvalidEncryptionKeyAPIError path, masking the real protocol error class. - Move decode("utf-8", "replace") out of _safe_label and into the call sites so each caller has a raw decoded str for protocol comparison and a sanitized str for logs/storage. _safe_label is now _safe_label_str(str, int) -> str (cdef-typed in the .pxd). - Three new regression tests cover each bypass path (name, mac, explanation).
fix/sanitize-noise-hello-fields
18 hours ago
Sanitize unauthenticated noise hello fields before logging The noise hello phase exchanges server_name, mac_address, and a handshake-failure explanation as raw bytes *before* the PSK-authenticated handshake completes. The previous code interpolated those attacker-controlled strings unescaped into log/error messages and stored them on self for reuse by every later error path. An on-path attacker (ARP spoof, compromised VLAN device) could inject CRLF + ANSI escape sequences into operator-visible logs (HA UI, syslog, webhooks) — forging fake log lines, hijacking terminals via CSI sequences, and impersonating a different device's identity in alert messages. Add _safe_label() which decodes with errors='replace' and strips any non-printable character, then caps the length to the firmware's actual wire-format limits: - name: 32 (firmware ESPHOME_DEVICE_NAME_MAX_LEN = 31, +1 margin) - mac: 16 (firmware MAC_ADDRESS_BUFFER_SIZE - 1 = 12, +4 margin) - explanation: 64 (firmware reject buffer is 32, +32 margin) The caps and helper are cdef-typed in the .pxd; MAX_NAME_LEN / MAX_MAC_LEN / MAX_EXPLANATION_LEN are re-exported as Python-importable aliases for tests, following the same MAX_PLAINTEXT_FRAME_SIZE pattern in plain_text.py. Fixes https://github.com/esphome/aioesphomeapi/issues/1655
fix/sanitize-noise-hello-fields
19 hours ago
Bound plaintext varuint length and frame size to prevent buffer-growth DoS (#1651)
main
20 hours ago

Latest Branches

CodSpeed Performance Gauge
0%
Sanitize plaintext hello name/server_info before logs and exceptions#1660
4 hours ago
1bfe748
bluetoothbot:koan/sanitize-plaintext-hello
CodSpeed Performance Gauge
0%
Validate set_connection_params against BLE Core spec#1658
12 hours ago
a9c42a4
bluetoothbot:koan/validate-ble-connection-params
CodSpeed Performance Gauge
0%
Redact PSK value from Malformed PSK error messages#1657
17 hours ago
513b894
bluetoothbot:koan/redact-malformed-psk-log
© 2026 CodSpeed Technology
Home Terms Privacy Docs