Security: XSS-Fix, localhost-Binding, API-Validierung (v1.1.3)

- Flask bindet auf 127.0.0.1 statt 0.0.0.0 — Port 8099 nicht mehr direkt im LAN erreichbar (host_network: true umgeht sonst HA-Auth) - XSS: esc() Funktion + HTML-Escaping für alle user-controlled Werte in innerHTML (inv.name, modbus_ip, mqtt_topic_prefix, s.name, s.unit) - API: POST /api/inverters-config validiert inverter_model, Port (1-65535), Modbus-Adresse (1-247) vor dem Speichern - _poll_loop: int()-Aufrufe in try/except — kein Thread-Crash bei ungültiger Config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-26 12:34:21 +02:00
parent 37ef054bbe
commit 5b490c0aea
3 changed files with 36 additions and 13 deletions
@@ -87,12 +87,18 @@ def _poll_loop(inv_cfg: Dict[str, Any], stop: threading.Event):
    inverter = INVERTERS.get(model_id, INVERTERS["MIC_1500_TL_X"])
    prefix = inv_cfg.get("mqtt_topic_prefix", f"growatt/{inv_id}")
    device_id = f"growatt_{inv_id}"
-    interval = max(5, int(inv_cfg.get("update_interval", 30)))
+    try:
+        interval = max(5, int(inv_cfg.get("update_interval", 30)))
+        port = int(inv_cfg.get("modbus_port", 502))
+        slave = int(inv_cfg.get("modbus_address", 1))
+    except (ValueError, TypeError) as e:
+        log.error("[%s] Ungültige Konfiguration: %s", inv_id, e)
+        return

    reader = ModbusReader(
        host=inv_cfg["modbus_ip"],
-        port=int(inv_cfg.get("modbus_port", 502)),
-        slave=int(inv_cfg.get("modbus_address", 1)),
+        port=port,
+        slave=slave,
    )

    with State.lock:
@@ -202,6 +208,19 @@ def api_get_inverters():
@app.post("/api/inverters-config")
 def api_save_inverters():
    data = request.get_json(force=True) or []
+    if not isinstance(data, list):
+        return jsonify({"error": "invalid"}), 400
+    for inv in data:
+        if not isinstance(inv, dict):
+            return jsonify({"error": "invalid"}), 400
+        if inv.get("inverter_model") not in INVERTERS:
+            return jsonify({"error": f"unknown model: {inv.get('inverter_model')}"}), 400
+        port = inv.get("modbus_port", 502)
+        if not isinstance(port, int) or not (1 <= port <= 65535):
+            return jsonify({"error": "invalid port"}), 400
+        addr = inv.get("modbus_address", 1)
+        if not isinstance(addr, int) or not (1 <= addr <= 247):
+            return jsonify({"error": "invalid modbus address (1-247)"}), 400
    with State.lock:
        State.inverters_cfg = data
        save_config()
@@ -284,4 +303,4 @@ if __name__ == "__main__":
    _restart_all()
    port = int(os.environ.get("INGRESS_PORT", "8099"))
    log.info("Web UI startet auf Port %d", port)
-    app.run(host="0.0.0.0", port=port, threaded=True)
+    app.run(host="127.0.0.1", port=port, threaded=True)