From 567bc7994849f69627d86c543e3cf6f1d0fc3272 Mon Sep 17 00:00:00 2001
From: Teknium
Date: Sun, 5 Apr 2026 11:41:38 -0700
Subject: [PATCH] =?UTF-8?q?fix:=20clean=20up=20cron=20platform=20allowlist?= =?UTF-8?q?=20=E2=80=94=20add=20homeassistant,=20fix=20import,=20improve?= =?UTF-8?q?=20placement?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up for cherry-picked #5118 commits:
- Remove duplicate 'import subprocess'
- Move _KNOWN_DELIVERY_PLATFORMS to module-level (after imports)
- Add 'homeassistant' to allowlist (existing platform missing from original PR)
- Remove trailing whitespace
---
 cron/scheduler.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/cron/scheduler.py b/cron/scheduler.py
index 034edb74..860980e0 100644
--- a/cron/scheduler.py
+++ b/cron/scheduler.py
@@ -13,12 +13,6 @@ import concurrent.futures
 import json
 import logging
 import os
-_KNOWN_DELIVERY_PLATFORMS = frozenset({
- "telegram", "discord", "slack", "whatsapp", "signal",
- "matrix", "mattermost", "dingtalk", "feishu", "wecom",
- "sms", "email", "webhook",
-})
-import subprocess
 import subprocess
 import sys
@@ -40,6 +34,14 @@ from hermes_time import now as _hermes_now
 logger = logging.getLogger(__name__)
+# Valid delivery platforms — used to validate user-supplied platform names
+# in cron delivery targets, preventing env var enumeration via crafted names.
+_KNOWN_DELIVERY_PLATFORMS = frozenset({
+ "telegram", "discord", "slack", "whatsapp", "signal",
+ "matrix", "mattermost", "homeassistant", "dingtalk", "feishu",
+ "wecom", "sms", "email", "webhook",
+})
+
 # Add parent directory to path for imports
 sys.path.insert(0, str(Path(__file__).parent.parent))
@@ -141,7 +143,6 @@ def _resolve_delivery_target(job: dict) -> Optional[dict]:
 "thread_id": origin.get("thread_id"),
 }
-
 if platform_name.lower() not in _KNOWN_DELIVERY_PLATFORMS:
 return None
 chat_id = os.getenv(f"{platform_name.upper()}_HOME_CHANNEL", "")
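Review bot: The allowlist added after `logger = logging.getLogger(__name__)` is a hand-maintained copy of the supported platform names, and this follow-up already had to add `homeassistant`, which the first version missed. The guard in `_resolve_delivery_target` (third hunk; the function body continues outside it) answers an unlisted name with a bare `return None`, so a platform added later but not listed here would have its cron delivery target dropped with no trace. I would keep the fail-closed behaviour but extend the comment with `# Keep in sync with the supported delivery platforms; names missing here are rejected by _resolve_delivery_target.` and log the rejection, e.g. `logger.warning("Rejecting cron delivery target with unknown platform %r", platform_name)`. The guard also tests `platform_name.lower()` while the lookup builds the variable name from `platform_name.upper()`; deriving both from one normalised value would keep the name that was checked and the name that reaches `os.getenv` identical.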