Skip to content

v0.5.2

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 11 Mar 01:12
· 2 commits to main since this release
v0.5.2
685c29b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

v0.5.2 brings homelab support, hardened Bash security, and a big milestone: Earl is now officially home at mathematic-inc/earl under the Apache-2.0 license. Whether you're querying a self-hosted Home Assistant instance or running Earl in a hardened CI pipeline, this release has something for you.

✨ New Features

allow_private_ips — homelab and self-hosted services, unlocked

Earl's SSRF protection has always blocked RFC 1918 private addresses and loopback interfaces by default — the right call for cloud deployments. But if you're running Earl against a self-hosted Frigate camera server, an OPNsense router, or a local Home Assistant instance, those blocks were in the way.

v0.5.2 adds allow_private_ips to the [network] config section. Flip it on and Earl will happily reach your LAN services while still blocking cloud metadata endpoints (169.254.169.254 and friends) unconditionally.

# ~/.config/earl/config.toml
[network]
allow_private_ips = true

With that set, a template targeting your local smart home hub just works:

command "get_light_state" {
  title   = "Get light state"
  summary = "Returns the current state of a Home Assistant light entity"

  param "entity_id" {
    type     = "string"
    required = true
  }

  operation {
    protocol = "http"
    http {
      method = "GET"
      url    = "http://192.168.1.100:8123/api/states/{{ args.entity_id }}"
      headers = {
        Authorization = "Bearer {{ secrets.ha_token }}"
      }
    }
  }
}

Cloud metadata endpoints and all other hazardous ranges remain blocked regardless of this setting — so you get homelab flexibility without giving up cloud safety.

🐛 Bug Fixes

Bash injection prevention in examples

The examples/bash/system.hcl templates were previously interpolating user-supplied arguments directly into the script string — a pattern that could allow shell injection via values containing ;, $(), or backticks. The examples now pass all string arguments through env vars and reference them safely:

# Safe pattern — user input never lands in the script string
bash {
  script = "du -sh \"$EARL_PATH\""
  env = {
    EARL_PATH = "{{ args.path }}"
  }
}

The hardening docs and how-earl-works page have been updated with explicit before/after examples, and a regression test was added to ensure shell metacharacters in env var values are never interpreted.

⚡ Improvements

New home: mathematic-inc/earl

Earl has moved to the mathematic-inc GitHub org. All documentation, install scripts, and CI workflows have been updated to the new canonical URL. The license has also changed from MIT to Apache-2.0 — same permissiveness, broader patent protection.

Hardened CI and release pipeline

  • All GitHub Actions steps are now pinned to full commit SHAs, closing a supply-chain attack vector.
  • Per-job timeouts added across the CI matrix.
  • TypeScript type-checking runs as a dedicated CI job (pnpm turbo run types:check).
  • The release workflow now supports per-crate releases via {crate-name}-vX.Y.Z tags in addition to root vX.Y.Z releases, making it easier to version the protocol crates independently.

Install / Upgrade

Shell one-liner (macOS & Linux):

curl -fsSL https://raw.githubusercontent.com/mathematic-inc/earl/main/scripts/install.sh | bash

Cargo:

cargo install earl

After upgrading, run earl doctor to confirm everything is wired up correctly. Happy calling! 🎉

Assets 9
Loading