From 4c873b71827c9bf8830fc30b7a6d6ee4d1aae2ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Beye?= <github@hypfer.de>
Date: Mon, 31 Oct 2022 16:15:05 +0100
Subject: [PATCH] fix(miio): Protect against invalid Wi-Fi passwords

---
 .../MiioWifiConfigurationCapability.js        | 35 ++++++++++++++++---
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/backend/lib/robots/common/miioCapabilities/MiioWifiConfigurationCapability.js b/backend/lib/robots/common/miioCapabilities/MiioWifiConfigurationCapability.js
index 3e110c1f42..22ed9a08b8 100644
--- a/backend/lib/robots/common/miioCapabilities/MiioWifiConfigurationCapability.js
+++ b/backend/lib/robots/common/miioCapabilities/MiioWifiConfigurationCapability.js
@@ -42,11 +42,19 @@ class MiioWifiConfigurationCapability extends LinuxWifiConfigurationCapability {
      */
     async setWifiConfiguration(wifiConfig) {
         if (
-            wifiConfig && wifiConfig.ssid && wifiConfig.credentials &&
-            wifiConfig.credentials.type === ValetudoWifiConfiguration.CREDENTIALS_TYPE.WPA2_PSK &&
-            wifiConfig.credentials.typeSpecificSettings && wifiConfig.credentials.typeSpecificSettings.password
+            wifiConfig?.ssid !== undefined &&
+            wifiConfig.credentials?.type === ValetudoWifiConfiguration.CREDENTIALS_TYPE.WPA2_PSK &&
+            wifiConfig.credentials.typeSpecificSettings?.password !== undefined
         ) {
-            //This command will only work when received on the local interface!
+            if (!MiioWifiConfigurationCapability.IS_VALID_PARAMETER(wifiConfig.ssid)) {
+                throw new Error(`SSID must not contain any of the following characters: ${INVALID_CHARACTERS.join(" ")}`);
+            }
+
+            if (!MiioWifiConfigurationCapability.IS_VALID_PARAMETER(wifiConfig.credentials.typeSpecificSettings.password)) {
+                throw new Error(`Password must not contain any of the following characters: ${INVALID_CHARACTERS.join(" ")}`);
+            }
+
+
             await this.robot.sendCommand(
                 "miIO.config_router",
                 {
@@ -58,7 +66,7 @@ class MiioWifiConfigurationCapability extends LinuxWifiConfigurationCapability {
                     "config_type": "app"
                 },
                 {
-                    interface: "local"
+                    interface: "local" //This command will only work when received on the local interface!
                 }
             );
         } else {
@@ -67,4 +75,21 @@ class MiioWifiConfigurationCapability extends LinuxWifiConfigurationCapability {
     }
 }
 
+MiioWifiConfigurationCapability.IS_VALID_PARAMETER = (password) => {
+    return !(
+        new RegExp(
+            `[${INVALID_CHARACTERS.join("")}]`
+        ).test(password)
+    );
+};
+
+const INVALID_CHARACTERS = [
+    ";",
+    "\\",
+    "/",
+    "#",
+    "'",
+    "\""
+];
+
 module.exports = MiioWifiConfigurationCapability;