homebridge-roborock-vacuum2 1.4.13 → 1.4.15

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.4.15
+- Tightened obstacle photo handling in the map UI to accept only base64-encoded image data and render it through browser-generated blob URLs.
+- Added blob URL cleanup when closing or replacing obstacle photos to avoid leaking browser-side object URLs.
+
+## 1.4.14
+- Hardened region detection by parsing the configured Roborock host instead of using substring matches.
+- Sanitized map obstacle image URLs before assigning them in the browser UI to reduce XSS and client-side redirect risk.
+- Added explicit read-only permissions to the CI workflow, upgraded GitHub Actions versions, and moved Codecov uploads to a repository secret.
+
 ## 1.4.13
 - Adjusted `package.json` repository metadata to match the fork URL exactly for npm Trusted Publishing compatibility.
 - Updated the npm publish workflow to use Node 24 and the latest npm CLI for Trusted Publishing compatibility.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "homebridge-roborock-vacuum2",
-  "version": "1.4.13",
+  "version": "1.4.15",
   "description": "Roborock Vacuum Cleaner - plugin for Homebridge.",
   "license": "MIT",
   "keywords": [

package/roborockLib/lib/map/zones.js

@@ -41,6 +41,63 @@ window.onload = function () {
 	var triangle = document.getElementById("triangle");
 	var largePhoto = document.getElementById("largePhoto");
 	var largePhotoImage = document.getElementById("largePhoto-image");
+	var dataImagePattern = /^data:(image\/[a-z0-9.+-]+);base64,([a-z0-9+/=\s]+)$/i;
+
+	function revokeObjectURL(imageElement) {
+		if (imageElement.dataset.objectUrl) {
+			URL.revokeObjectURL(imageElement.dataset.objectUrl);
+			delete imageElement.dataset.objectUrl;
+		}
+	}
+
+	function decodeImageData(rawValue) {
+		if (typeof rawValue !== "string") {
+			return null;
+		}
+
+		const value = rawValue.trim();
+		if (!value) {
+			return null;
+		}
+
+		const match = value.match(dataImagePattern);
+		if (!match) {
+			return null;
+		}
+
+		const mimeType = match[1].toLowerCase();
+		const base64Payload = match[2].replace(/\s+/g, "");
+
+		try {
+			const binary = atob(base64Payload);
+			const bytes = new Uint8Array(binary.length);
+			for (let index = 0; index < binary.length; index++) {
+				bytes[index] = binary.charCodeAt(index);
+			}
+			return new Blob([bytes], { type: mimeType });
+		} catch {
+			return null;
+		}
+	}
+
+	function clearImageSource(imageElement) {
+		revokeObjectURL(imageElement);
+		imageElement.removeAttribute("src");
+	}
+
+	function applySafeImageSource(imageElement, rawValue) {
+		const imageBlob = decodeImageData(rawValue);
+		if (!imageBlob) {
+			console.warn("Ignoring unsafe obstacle image source");
+			return false;
+		}
+
+		revokeObjectURL(imageElement);
+		const objectUrl = URL.createObjectURL(imageBlob);
+		imageElement.dataset.objectUrl = objectUrl;
+		imageElement.src = objectUrl;
+		return true;
+	}
 
 	var socket = new WebSocket("ws://" + window.location.hostname + ":7906");
 
@@ -281,7 +338,7 @@ window.onload = function () {
 						},
 					};
 
-					if (popupImage.src) popupImage.src = "";
+					clearImageSource(popupImage);
 
 					triangle.style.left = "45px";
 					triangle.style.top = "100px";
@@ -292,8 +349,7 @@ window.onload = function () {
 					socket.onmessage = function (event) {
 						const serverData = JSON.parse(event.data);
 
-						if (serverData.image) {
-							popupImage.src = serverData.image;
+						if (serverData.image && applySafeImageSource(popupImage, serverData.image)) {
 							socket.onmessage = null;
 
 							popupImage.addEventListener("click", function () {
@@ -312,12 +368,13 @@ window.onload = function () {
 								socket.onmessage = function (event) {
 									const serverData = JSON.parse(event.data);
 
-									if (serverData.image) {
+									if (serverData.image && applySafeImageSource(largePhotoImage, serverData.image)) {
 										popup.style.display = "none";
+										clearImageSource(popupImage);
 										largePhoto.style.display = "block";
-										largePhotoImage.src = serverData.image;
 
 										largePhotoImage.onclick = function () {
+											clearImageSource(largePhotoImage);
 											largePhoto.style.display = "none";
 										};
 										socket.onmessage = null;
@@ -325,6 +382,7 @@ window.onload = function () {
 								};
 
 								setTimeout(() => {
+									clearImageSource(largePhotoImage);
 									largePhoto.style.display = "none";
 								}, 10000);
 							});
@@ -335,6 +393,7 @@ window.onload = function () {
 					timeoutStart = Date.now();
 					popupTimeout = setTimeout(() => {
 						popup.style.display = "none";
+						clearImageSource(popupImage);
 						socket.onmessage = null;
 						popupTimeout = null;
 						selectedObstacleID = null;

package/roborockLib/lib/roborockAuth.js

@@ -22,18 +22,27 @@ function normalizeBaseURL(baseURL) {
 	return baseURL.replace(/^https?:\/\//i, "").replace(/\/+$/, "");
 }
 
+function parseHostname(baseURL) {
+	try {
+		return new URL(`https://${normalizeBaseURL(baseURL)}`).hostname.toLowerCase();
+	} catch {
+		return normalizeBaseURL(baseURL).split("/")[0].split(":")[0].toLowerCase();
+	}
+}
+
 function getRegionConfig(baseURL) {
-	const lower = normalizeBaseURL(baseURL).toLowerCase();
-	if (lower.includes("euiot")) {
+	const hostname = parseHostname(baseURL);
+	const labels = hostname.split(".").filter(Boolean);
+	if (labels.includes("euiot")) {
 		return { country: "DE", countryCode: "49" };
 	}
-	if (lower.includes("usiot")) {
+	if (labels.includes("usiot")) {
 		return { country: "US", countryCode: "1" };
 	}
-	if (lower.includes("cniot")) {
+	if (labels.includes("cniot")) {
 		return { country: "CN", countryCode: "86" };
 	}
-	if (lower.includes("api.roborock.com")) {
+	if (hostname === "api.roborock.com") {
 		return { country: "SG", countryCode: "65" };
 	}
 	return { country: "US", countryCode: "1" };