[GH-ISSUE #134] please disable autoupdate per default #238

Closed
opened 2026-03-11 08:51:46 +03:00 by kerem · 2 comments
Owner

Originally created by @capullo on GitHub (Nov 24, 2023).
Original GitHub issue: https://github.com/007revad/Synology_enable_M2_volume/issues/134

Your bash script is well written, good work!!

The only thing right now I don't like is that autoupdate is enabled by default, which is a pure backdoor to any NAS where this feature is enabled.
I know for sure you don't have any bad intentions, but consider your GitHub account getting hacked or an access token getting stolen.
You can put a disclaimer behind the autoupdate feature to inform users what this means if they enable this feature.

Maybe you could just put the signature (hexstring) in its own config, and autoupdate just updates this config.
OK, you would then be able to DoS any NAS user using this feature with a corrupt libhwcontrol.so.1, but injecting code into libhwcontrol.so.1 should be very hard :)

kerem closed this issue 2026-03-11 08:51:51 +03:00
Author
Owner

@007revad commented on GitHub (Nov 24, 2023):

Auto update is an option. If the script is not run with --autoupdate=# it will ask the user if they want to update. If they don't answer the [y/n] prompt it times out after 30 seconds and the script continues without updating itself.

I actually hardened the script against GitHub account hacking just 2 days ago in response to issue #129

https://github.com/007revad/Synology_enable_M2_volume/releases/tag/v1.1.13

v1.1.13

  • Changed to avoid downloading malicious file if GitHub account is hacked:
    • Now only downloads bc if bc is not found in PATH or in script location.
    • Now asks to download bc if --autoupdate option not used.
    • Now checks md5 hash of downloaded bc file.
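
The pinned-hash idea raised in the issue and the hash check listed in the v1.1.13 notes, as an added example that is not code from this thread or from the script. It uses SHA-256 rather than md5, and the pin file format, function names and demo paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not the project's code). Pin file lines: "<sha256-hex>  <name>".
# Assumption: the pin file reaches the NAS by a path the download source
# cannot rewrite (typed in or reviewed by the admin).

# lookup_pin PINFILE NAME: print the pinned hash; fail if missing or malformed.
lookup_pin() (
    [ -r "$1" ] || exit 1
    pin=$(awk -v n="$2" '$2 == n { print tolower($1); exit }' "$1")
    [ "${#pin}" -eq 64 ] || exit 1
    case $pin in *[!0-9a-f]*) exit 1 ;; esac
    printf '%s\n' "$pin"
)

# verify_download FILE PINFILE NAME: succeed only on an exact hash match.
verify_download() (
    want=$(lookup_pin "$2" "$3") || exit 1
    [ -f "$1" ] || exit 1
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$got" ] && [ "$got" = "$want" ]
)

# install_verified FILE PINFILE NAME DEST: fail closed, discard rejected files.
install_verified() (
    if verify_download "$1" "$2" "$3"; then
        cp -- "$1" "$4" && chmod 0755 "$4"
    else
        rm -f -- "$1"
        exit 1
    fi
)

# Constructed demo: a stand-in "download", its pin, then a tampered copy.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'stand-in for a downloaded binary\n' > "$d/bc"
    printf '%s  bc\n' "$(sha256sum "$d/bc" | awk '{ print $1 }')" > "$d/pins"
    install_verified "$d/bc" "$d/pins" bc "$d/bc.ok" && echo "clean: installed"
    printf 'tampered\n' > "$d/bc"
    install_verified "$d/bc" "$d/pins" bc "$d/bc.bad" || echo "tampered: rejected"
    rm -rf "$d"
)
demo
```

The check only helps when the pin is not delivered by the same update that delivers the file: a hash embedded in an auto-updated script is replaced along with the script.
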
Author
Owner

@007revad commented on GitHub (Nov 24, 2023):

Your xargs code replaced 160 lines of code with 2 lines. Nice.
