Removal of Undocumented Device Type Data Storage Option - 1/19/2017

Isn’t that a bit like saying “Well my car hasn’t been broken into for 14 years, guess I don’t need to start locking the door for another few weeks!” :slight_smile:

6 Likes

If this is the case, it seems like the best solution would be for ST to fix hubAction so that it actually returns the body (bytes) for image requests, thus avoiding the whole S3 workaround and removed function. Or maybe I’m missing something?

Didn’t realize how much I liked those snapshots… :confounded:

1 Like

Tim the answer is very simple just fix HubAction to return the body content when a camera sends a picture. I don’t know why it’s filtering it out for no apparent reason.

1 Like

Currently there isn’t a workaround to fix the broken camera DTHs. This functionality will be broken until we are able to release next week.

However, I just submitted a PR that adds the following method:

ByteArrayInputStream getTemporaryImage(String key)

This method will enable you to access the redirected output that is stored in S3 when using the option of outputMsgToS3:true. This forgoes the need to extract/check for bucket and only uses the key.

1 Like

Thanks Luke, can I request to please put in a PR to return the “body” content of a HubAction when a camera or any device for that matter returns an image or binary content? This is to avoid the need to use S3 in the first place.

@RBoy this is a larger request than you probably realize. In order to do what you are asking we would have to modify multiple services within our cloud layer. More importantly the way those services communicate is over RabbitMQ which is not designed to handle large messages.

1 Like

Thanks for the details, very helpful. I guess then you’ve appropriately called the API getTemporaryImage and ST will probably find a better way to address large images.

While we’re on HubAction, I’ve been requesting to allow https communication also in addition to http, that’s a pretty severe limitation while talking to local devices, especially as more and more local devices are going with https instead of http. Is that also a very complex change or do you think it could addressed through a doable PR request?

2 Likes

soooo… why not make those USB ports worth something… local storage and retrieval??? the hardware is there already.

7 Likes

This just knocked off all 3 of my Generic IP Cameras… if you’re looking to P!$$ off your user base then mission accomplished… what an Epic Fail. Time to find a new hub…

I’ll take a week of inconvenience in the name of security any day…

7 Likes

Similar to the insecure rejoin option.

You assume the security ‘issue’ is just with people viewing images. It could be a larger issue, much like a cross site scripting attack sort of thing. That by putting things in those s3 buckets ‘unofficially’ might be opening up a vector for wider spread issues. Not only viewing of content you put up there (not totally related to images), but scripting, or even things like guessing of file names to pull other things down or push them up.

When something is unofficial, and dealing with cloud storage it gets kinda scary. Its like saying let any website download items onto your computer…oh wait javascript does that… Tin foil hat back on.

2 Likes

There were many other options. Since I “found” this hack / undocumented feature years ago, I felt responsible for trying to find workarounds. However, since not getting any heads up (par for the course)… I haven’t been able to lend too much time to this…

But for the idea that this was a recently discovered exploit, I reported it as a potential exploit over 2 years ago. So the decision to act immediately without a replacement process in place is concerning to me. But then again, now they are owned by a different company. Maybe that explains the quick response on a potential exploit that is at least 2 years old.

This is of course, assuming it is the same exploit… Again, if we had any communication prior, we could have worked together.

9 Likes

Please get the alternative method working sooner than later. People rely on ST for security and this obviously broke quite a bit of that for some folks. It’d be prudent to have the alternative method finished before whacking the one method that’s been working for years.

I’ve read through some of this thread, and don’t understand all the security implications… any reason we can’t just have the option to reference an image via URL like is done with SmartTiles?

A new method is now available for DeviceTypeHandlers.

`void storeTemporaryImage(String key, String name)`

  • key - The key extracted from the event
  • name - String consisting of alphanumeric, ‘_’, ‘.’, and ‘-’ characters. Can be used to retrieve the stored image via the getImage method

This method moves the image output to S3 from HubAction into the collection of images saved by that device. It also emits an event to inform clients that a new image is available.

This methodology should be more performant than what was done previously, considering the image no longer has to be streamed down into your DTHs from S3 and then streamed back again into the collection of images for a given device in S3.

There is another change that has been merged but not yet deployed to change where the key on the event is stored and remove the bucket value from the event description. The key to access the image is being moved from stringToMap(description).key to stringToMap(description).tempImageKey. This is being done to mitigate users accidentally keying off of other events.

4 Likes
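The post above describes the new flow (HubAction with `outputMsgToS3:true`, an event carrying the S3 key, then `storeTemporaryImage(key, name)` to move the object into the device's image collection) but gives no DTH code. The following is an added example, not code from SmartThings or from the poster, showing what a DeviceTypeHandler's `parse` and snapshot request could look like under that description. It assumes the platform delivers the key under `tempImageKey` once the pending change is deployed and under `key` until then, that the camera's IP, port and snapshot path are the hypothetical values stored in the device's data values, and that the HubAction constructor accepts an options map as its third argument.

```groovy
// Added example (not SmartThings' or the poster's own code). Assumes the event
// and method behaviour described in the thread; ip/port/path are hypothetical.

// Handle the event emitted after HubAction redirected the camera response to S3.
def parse(String description) {
    def map = stringToMap(description)

    // Prefer the new key location; fall back to the old one until the
    // cloud-side change that moves it is deployed. The bucket is never read.
    def key = map.tempImageKey ?: map.key
    if (!key) {
        // Not an image event (e.g. a plain HTTP response); ignore it so we
        // don't key off unrelated events.
        log.debug "parse: no image key in event, ignoring"
        return null
    }

    // Names may only contain alphanumerics, '_', '.' and '-'; reject anything
    // else before handing it to the platform.
    def name = "snapshot_${new Date().time}.jpg"   // hypothetical naming scheme
    if (!(name ==~ /[A-Za-z0-9_.\-]+/)) {
        log.warn "parse: invalid image name '${name}', not storing"
        return null
    }

    // Move the temporary S3 object into this device's image collection.
    // No bytes pass through the DTH, and the carousel updates on its own.
    storeTemporaryImage(key, name)
    return null
}

// Ask the local camera for a snapshot. The HTTP body is redirected to S3
// rather than being returned to the DTH, which is why parse() sees a key.
def take() {
    def host = getDataValue("ip")        // hypothetical: set at install time
    def port = getDataValue("port")      // hypothetical: set at install time
    def path = "/snapshot.jpg"           // hypothetical camera snapshot path

    return new physicalgraph.device.HubAction(
        method:  "GET",
        path:    path,
        headers: [HOST: "${host}:${port}"],
        null,
        [outputMsgToS3: true]
    )
}
```

The fallback from `tempImageKey` to `key` keeps the handler working across the deployment described in the post; once `tempImageKey` is the only location, the `map.key` branch can be dropped so that stray events with a `key` field are no longer mistaken for images.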

Thanks. Can you please elaborate a few things you’ve mentioned.

This method moves the image outputted into S3 from HubAction into the collection of images saved by that device. It also emits an event to inform clients that a new image is available.

How does one subscribe to this event?
Does one need to push the image to the carousel or is that still automatic?

Can you give an example of how this works?

The key to access the image is being moved from stringToMap(description).key to stringToMap(description).tempImageKey.

Your updates should look something like these changes

3 Likes

The carousel will update automatically.

I will update the PR I posted when the release of the other service goes out.

1 Like

That worked perfectly! :thumbsup:

Thx!!

1 Like