Port go2rtc check (#21808)

* version update

* Restrict go2rtc exec sources by default (#21543)

* Restrict go2rtc exec sources by default

* add docs

* check for addon value too

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

Makefile

@@ -1,7 +1,7 @@
 default_target: local
 
 COMMIT_HASH := $(shell git log -1 --pretty=format:"%h"|tail -1)
-VERSION = 0.16.3
+VERSION = 0.16.4
 IMAGE_REPO ?= ghcr.io/blakeblackshear/frigate
 GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
 BOARDS= #Initialized empty

docker/main/rootfs/usr/local/go2rtc/create_config.py

@@ -22,6 +22,22 @@ sys.path.remove("/opt/frigate")
 
 yaml = YAML()
 
+# Check if arbitrary exec sources are allowed (defaults to False for security)
+ALLOW_ARBITRARY_EXEC = os.environ.get(
+    "GO2RTC_ALLOW_ARBITRARY_EXEC", "false"
+).lower() in ("true", "1", "yes")
+
+# check for the add-on options file
+if not ALLOW_ARBITRARY_EXEC and os.path.isfile("/data/options.json"):
+    with open("/data/options.json") as f:
+        raw_options = f.read()
+    options = json.loads(raw_options)
+    addon_value = options.get("go2rtc_allow_arbitrary_exec", False)
+    if isinstance(addon_value, bool):
+        ALLOW_ARBITRARY_EXEC = addon_value
+    elif isinstance(addon_value, str):
+        ALLOW_ARBITRARY_EXEC = addon_value.lower() in ("true", "1", "yes")
+
 FRIGATE_ENV_VARS = {k: v for k, v in os.environ.items() if k.startswith("FRIGATE_")}
 # read docker secret files as env vars too
 if os.path.isdir("/run/secrets"):
@@ -109,14 +125,26 @@ if LIBAVFORMAT_VERSION_MAJOR < 59:
     elif go2rtc_config["ffmpeg"].get("rtsp") is None:
         go2rtc_config["ffmpeg"]["rtsp"] = rtsp_args
 
-for name in go2rtc_config.get("streams", {}):
+
+def is_restricted_source(stream_source: str) -> bool:
+    """Check if a stream source is restricted (echo, expr, or exec)."""
+    return stream_source.strip().startswith(("echo:", "expr:", "exec:"))
+
+
+for name in list(go2rtc_config.get("streams", {})):
     stream = go2rtc_config["streams"][name]
 
     if isinstance(stream, str):
         try:
-            go2rtc_config["streams"][name] = go2rtc_config["streams"][name].format(
-                **FRIGATE_ENV_VARS
-            )
+            formatted_stream = stream.format(**FRIGATE_ENV_VARS)
+            if not ALLOW_ARBITRARY_EXEC and is_restricted_source(formatted_stream):
+                print(
+                    f"[ERROR] Stream '{name}' uses a restricted source (echo/expr/exec) which is disabled by default for security. "
+                    f"Set GO2RTC_ALLOW_ARBITRARY_EXEC=true to enable arbitrary exec sources."
+                )
+                del go2rtc_config["streams"][name]
+                continue
+            go2rtc_config["streams"][name] = formatted_stream
         except KeyError as e:
             print(
                 "[ERROR] Invalid substitution found, see https://docs.frigate.video/configuration/restream#advanced-restream-configurations for more info."
@@ -124,15 +152,33 @@ for name in go2rtc_config.get("streams", {}):
             sys.exit(e)
 
     elif isinstance(stream, list):
-        for i, stream in enumerate(stream):
+        filtered_streams = []
+        for i, stream_item in enumerate(stream):
             try:
-                go2rtc_config["streams"][name][i] = stream.format(**FRIGATE_ENV_VARS)
+                formatted_stream = stream_item.format(**FRIGATE_ENV_VARS)
+                if not ALLOW_ARBITRARY_EXEC and is_restricted_source(formatted_stream):
+                    print(
+                        f"[ERROR] Stream '{name}' item {i + 1} uses a restricted source (echo/expr/exec) which is disabled by default for security. "
+                        f"Set GO2RTC_ALLOW_ARBITRARY_EXEC=true to enable arbitrary exec sources."
+                    )
+                    continue
+
+                filtered_streams.append(formatted_stream)
             except KeyError as e:
                 print(
                     "[ERROR] Invalid substitution found, see https://docs.frigate.video/configuration/restream#advanced-restream-configurations for more info."
                 )
                 sys.exit(e)
 
+        if filtered_streams:
+            go2rtc_config["streams"][name] = filtered_streams
+        else:
+            print(
+                f"[ERROR] Stream '{name}' was removed because all sources were restricted (echo/expr/exec). "
+                f"Set GO2RTC_ALLOW_ARBITRARY_EXEC=true to enable arbitrary exec sources."
+            )
+            del go2rtc_config["streams"][name]
+
 # add birdseye restream stream if enabled
 if config.get("birdseye", {}).get("restream", False):
     birdseye: dict[str, Any] = config.get("birdseye")

docs/docs/configuration/camera_specific.md

@@ -188,10 +188,10 @@ go2rtc:
     # example for connectin to a Reolink camera that supports two way talk
     your_reolink_camera_twt:
       - "ffmpeg:http://reolink_ip/flv?port=1935&app=bcs&stream=channel0_main.bcs&user=username&password=password#video=copy#audio=copy#audio=opus"
-      - "rtsp://username:password@reolink_ip/Preview_01_sub
+      - "rtsp://username:password@reolink_ip/Preview_01_sub"
     your_reolink_camera_twt_sub:
       - "ffmpeg:http://reolink_ip/flv?port=1935&app=bcs&stream=channel0_ext.bcs&user=username&password=password"
-      - "rtsp://username:password@reolink_ip/Preview_01_sub
+      - "rtsp://username:password@reolink_ip/Preview_01_sub"
     # example for connecting to a Reolink NVR
     your_reolink_camera_via_nvr:
       - "ffmpeg:http://reolink_nvr_ip/flv?port=1935&app=bcs&stream=channel3_main.bcs&user=username&password=password" # channel numbers are 0-15
@@ -258,6 +258,10 @@ ffmpeg:
 
 TP-Link VIGI cameras need some adjustments to the main stream settings on the camera itself to avoid issues. The stream needs to be configured as `H264` with `Smart Coding` set to `off`. Without these settings you may have problems when trying to watch recorded footage. For example Firefox will stop playback after a few seconds and show the following error message: `The media playback was aborted due to a corruption problem or because the media used features your browser did not support.`.
 
+### Wyze Wireless Cameras
+
+Some community members have found better performance on Wyze cameras by using an alternative firmware known as [Thingino](https://thingino.com/).
+
 ## USB Cameras (aka Webcams)
 
 To use a USB camera (webcam) with Frigate, the recommendation is to use go2rtc's [FFmpeg Device](https://github.com/AlexxIT/go2rtc?tab=readme-ov-file#source-ffmpeg-device) support:
@@ -290,5 +294,3 @@ cameras:
       width: 1024
       height: 576
 ```
-
-

docs/docs/configuration/object_detectors.md

@@ -395,7 +395,7 @@ After placing the downloaded onnx model in your config/model_cache folder, you c
 detectors:
   ov:
     type: openvino
-    device: GPU
+    device: CPU
 
 model:
   model_type: dfine
@@ -431,10 +431,10 @@ When using Docker Compose:
 ```yaml
 services:
   frigate:
----
-devices:
-  - /dev/dri
-  - /dev/kfd
+    ...
+    devices:
+      - /dev/dri
+      - /dev/kfd
 ```
 
 For reference on recommended settings see [running ROCm/pytorch in Docker](https://rocm.docs.amd.com/projects/install-on-linux/en/develop/how-to/3rd-party/pytorch-install.html#using-docker-with-pytorch-pre-installed).
@@ -462,9 +462,9 @@ When using Docker Compose:
 ```yaml
 services:
   frigate:
-
-environment:
-  HSA_OVERRIDE_GFX_VERSION: "10.0.0"
+    ...
+    environment:
+      HSA_OVERRIDE_GFX_VERSION: "10.0.0"
 ```
 
 Figuring out what version you need can be complicated as you can't tell the chipset name and driver from the AMD brand name.

docs/docs/configuration/restream.md

@@ -154,10 +154,35 @@ go2rtc:
 
 See [this comment](https://github.com/AlexxIT/go2rtc/issues/1217#issuecomment-2242296489) for more information.
 
+## Security: Restricted Stream Sources
+
+For security reasons, the `echo:`, `expr:`, and `exec:` stream sources are disabled by default in go2rtc. These sources allow arbitrary command execution and can pose security risks if misconfigured.
+
+If you attempt to use these sources in your configuration, the streams will be removed and an error message will be printed in the logs.
+
+To enable these sources, you must set the environment variable `GO2RTC_ALLOW_ARBITRARY_EXEC=true`. This can be done in your Docker Compose file or container environment:
+
+```yaml
+environment:
+  - GO2RTC_ALLOW_ARBITRARY_EXEC=true
+```
+
+:::warning
+
+Enabling arbitrary exec sources allows execution of arbitrary commands through go2rtc stream configurations. Only enable this if you understand the security implications and trust all sources of your configuration.
+
+:::
+
 ## Advanced Restream Configurations
 
 The [exec](https://github.com/AlexxIT/go2rtc/tree/v1.9.9#source-exec) source in go2rtc can be used for custom ffmpeg commands. An example is below:
 
+:::warning
+
+The `exec:`, `echo:`, and `expr:` sources are disabled by default for security. You must set `GO2RTC_ALLOW_ARBITRARY_EXEC=true` to use them. See [Security: Restricted Stream Sources](#security-restricted-stream-sources) for more information.
+
+:::
+
 NOTE: The output will need to be passed with two curly braces `{{output}}`
 
 ```yaml

docs/docs/frigate/hardware.md

@@ -18,7 +18,7 @@ Here are some of the cameras I recommend:
 - <a href="https://amzn.to/4fwoNWA" target="_blank" rel="nofollow noopener sponsored">Loryta(Dahua) IPC-T549M-ALED-S3</a> (affiliate link)
 - <a href="https://amzn.to/3YXpcMw" target="_blank" rel="nofollow noopener sponsored">Loryta(Dahua) IPC-T54IR-AS</a> (affiliate link)
 - <a href="https://amzn.to/3AvBHoY" target="_blank" rel="nofollow noopener sponsored">Amcrest IP5M-T1179EW-AI-V3</a> (affiliate link)
-- <a href="https://amzn.to/4ltOpaC" target="_blank" rel="nofollow noopener sponsored">HIKVISION DS-2CD2387G2P-LSU/SL ColorVu 8MP Panoramic Turret IP Camera</a> (affiliate link)
+- <a href="https://www.bhphotovideo.com/c/product/1705511-REG/hikvision_colorvu_ds_2cd2387g2p_lsu_sl_8mp_network.html" target="_blank" rel="nofollow noopener">HIKVISION DS-2CD2387G2P-LSU/SL ColorVu 8MP Panoramic Turret IP Camera</a> (affiliate link)
 
 I may earn a small commission for my endorsement, recommendation, testimonial, or link to any products or services from this website.
 

docs/docusaurus.config.ts

@@ -170,7 +170,7 @@ const config: Config = {
           ],
         },
       ],
-      copyright: `Copyright © ${new Date().getFullYear()} Blake Blackshear`,
+      copyright: `Copyright © ${new Date().getFullYear()} Frigate, Inc.`,
     },
   },
   plugins: [