Trivial pincodes are now forbidden

NRCHKB · Jun 25, 2024 · 316349c · 316349c
1 parent 6536c43
commit 316349c
Show file tree

Hide file tree

Showing 10 changed files with 118 additions and 84 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,11 +23,12 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Changed
 
-- Updated hap-nodejs [0.11.1 to 0.12.2](https://github.com/homebridge/HAP-NodeJS/blob/latest/CHANGELOG.md) (features
+- Updated hap-nodejs [0.11.1 to 0.12.3](https://github.com/homebridge/HAP-NodeJS/blob/latest/CHANGELOG.md) (features
  and bug fixes)
 - Dependencies upgrade
-- Node `10`, `12` and `16` no longer supported
+- Node `10`, `12` and `16` no longer supported, use Node 20! Or at least 18
 - Updated GitHub Actions
+- Some trivial PinCodes are no longer allowed
 
 ## [1.6.1] - 2024-02-19
 

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 Node-RED Contribution - HomeKit Bridged
+Copyright (c) 2024 Node-RED Contribution - HomeKit Bridged
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/SECURITY.md b/SECURITY.md
@@ -11,10 +11,10 @@ If vulnerability is a serious risk then please consider contacting us directly a
 
 ## Supported Versions
 
-| Version | Supported |
-| ------- | ------------------ |
-| > = 1.2.0  | :white_check_mark: |
-| < 1.2.0 | :x: limited  |
+| Version  | Supported |
+|----------|--------------------|
+| >= 1.x.y | :white_check_mark: |
+| < 1.x.y | :x: limited |
 
 ## Reporting a Vulnerability
 
@@ -35,8 +35,10 @@ To use node-red safely you should secure it properly with encryption and passwor
 
 ### Invalid Setup Codes
 
-The following Setup Codes must not be used due to their trivial, insecure nature. In future release (possibly 1.X.Y)
-they will be forbidden programmatically.
+Since 1.3 random Setup Code will be generated for new Host (Bridge or Standalone Accessory) nodes (instead of default 1111-1111)
+
+The following Setup Codes must not be used due to their trivial, insecure nature. 
+Since 1.7.0 they are forbidden programmatically.
 
 - 0000-0000
 - 1111-1111
@@ -51,4 +53,3 @@ they will be forbidden programmatically.
 - 1234-5678
 - 8765-4321
 
-Since 1.3 random Setup Code will be generated for new Bridge nodes (instead of default 1111-1111)
diff --git a/build/nodes/bridge.html b/build/nodes/bridge.html
@@ -95,7 +95,7 @@
 
 <script data-help-name="homekit-bridge" type="text/x-red">
  <h3 id="toc_4">Bridge</h3>
- <p>The Bridge node is a configuration node, specifying the <em>bridge</em> that iOS sees, i.e. the device that is manually being added by the user. All accessories behind a bridge noded are then automatically added by iOS.
+ <p>The Bridge node is a configuration node, specifying the <em>bridge</em> that iOS sees, i.e. the device that is manually being added by the user. All accessories behind a bridge node are then automatically added by iOS.
  </p>
  <ul>
  <li><strong>Pin Code</strong>: Specify the Pin for the pairing process.</li>
@@ -107,7 +107,7 @@ <h3 id="toc_4">Bridge</h3>
  <li><strong>Hardware Revision</strong>: Should be a version number string in the form of <em>MAJOR.MINOR.REVISION</em> e.g. <em>1.2.0</em>. Other types of strings are ignored and won't be displayed.</li>
  <li><strong>Software Revision</strong>: Should be a version number string in the form of <em>MAJOR.MINOR.REVISION</em> e.g. <em>1.2.0</em>. Other types of strings are ignored and won't be displayed.</li>
  <li><strong>Name</strong>: If you intend to simulate a rocket, then why don&#39;t you call it <em>Rocket</em>. Name should be maximum 64 chars long and not contain <pre>.</pre></li>
- <li><strong>Allow Message Passthrough</strong>: If you allow then message from node input will be send to node output.</li>
+ <li><strong>Allow Message Passthrough</strong>: If you allow then message from node input will be sent to node output.</li>
  <li><strong>Custom MDNS Configuration</strong>: Check if you would like to use custom mdns configuration.</li>
  <ul>
  <li><strong>Multicast</strong>: Use udp multicasting. Optional. Default true.</li>
@@ -137,7 +137,7 @@ <h3 id="toc_4">Bridge</h3>
  },
  pinCode: {
  required: true,
- validate: pinCodeRegex,
+ validate: validatePinCode,
  },
  port: {
  required: false,
@@ -229,7 +229,7 @@ <h3 id="toc_4">Bridge</h3>
  return this.bridgeName ? 'node_label_italic' : ''
  },
  oneditprepare: function () {
- if (!pinCodeRegex(this.pinCode)) {
+ if (!validatePinCode(this.pinCode)) {
  this.pinCode = generatePinCode()
  $("#node-config-input-pinCode").val(this.pinCode)
  }

diff --git a/build/nodes/nrchkb.html b/build/nodes/nrchkb.html
@@ -414,12 +414,38 @@
  return Math.floor(Math.random() * (max - min + 1) + min);
  }
 
+ const forbiddenPinCodes = [
+ '00000000',
+ '11111111',
+ '22222222',
+ '33333333',
+ '44444444',
+ '55555555',
+ '66666666',
+ '77777777',
+ '88888888',
+ '99999999',
+ '12345678',
+ '87654321'
+ ]
+
  const generatePinCode = function () {
  const [a, b, c, d, e, f, g, h] = Array.from({length: 9}, () => getRandomIntInclusive(0, 9));
+
+ if (forbiddenPinCodes.includes(`${a}${b}${c}${d}${e}${f}${g}${h}`)) {
+ return generatePinCode()
+ }
+
  return `${a}${b}${c}${d}-${e}${f}${g}${h}`
  }
 
- const pinCodeRegex = RED.validators.regex(/([0-9]{3}-[0-9]{2}-[0-9]{3}|[0-9]{4}-[0-9]{4})/)
+ const validatePinCode = function (value) {
+ if (!RED.validators.regex(/([0-9]{3}-[0-9]{2}-[0-9]{3}|[0-9]{4}-[0-9]{4})/)) {
+ return false
+ }
+
+ return !forbiddenPinCodes.includes(value.replaceAll("-", ""));
+ }
 </script>
 
 <script data-template-name="nrchkb" type="text/x-red">

diff --git a/build/nodes/standalone.html b/build/nodes/standalone.html
@@ -114,7 +114,7 @@ <h3 id="toc_4">Bridge</h3>
  <li><strong>Hardware Revision</strong>: Should be a version number string in the form of <em>MAJOR.MINOR.REVISION</em> e.g. <em>1.2.0</em>. Other types of strings are ignored and won't be displayed.</li>
  <li><strong>Software Revision</strong>: Should be a version number string in the form of <em>MAJOR.MINOR.REVISION</em> e.g. <em>1.2.0</em>. Other types of strings are ignored and won't be displayed.</li>
  <li><strong>Name</strong>: If you intend to simulate a rocket, then why don&#39;t you call it <em>Rocket</em>. Name should be maximum 64 chars long and not contain <pre>.</pre></li>
- <li><strong>Allow Message Passthrough</strong>: If you allow then message from node input will be send to node output.</li>
+ <li><strong>Allow Message Passthrough</strong>: If you allow then message from node input will be sent to node output.</li>
  <li><strong>Custom MDNS Configuration</strong>: Check if you would like to use custom mdns configuration.</li>
  <ul>
  <li><strong>Multicast</strong>: Use udp multicasting. Optional. Default true.</li>
@@ -146,7 +146,7 @@ <h3 id="toc_4">Bridge</h3>
  },
  pinCode: {
  required: true,
- validate: pinCodeRegex,
+ validate: validatePinCode,
  },
  port: {
  required: false,
@@ -240,7 +240,7 @@ <h3 id="toc_4">Bridge</h3>
  oneditprepare: function () {
  const node = this
 
- if (!pinCodeRegex(node.pinCode)) {
+ if (!validatePinCode(node.pinCode)) {
  node.pinCode = generatePinCode()
  $("#node-config-input-pinCode").val(node.pinCode)
  }