From 481ea0aa5be3c1a6dd91b783c2f34d87757525da Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Wed, 5 Feb 2020 13:57:17 -0800
Subject: [PATCH] Check for known Hue vulnerability (#31494)
---
 homeassistant/components/hue/__init__.py | 17 ++++++++++--
 tests/components/hue/test_init.py | 34 +++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/homeassistant/components/hue/__init__.py b/homeassistant/components/hue/__init__.py
index c8864e97607..ff51fc667e6 100644
--- a/homeassistant/components/hue/__init__.py
+++ b/homeassistant/components/hue/__init__.py
@@ -6,6 +6,7 @@ from aiohue.util import normalize_bridge_id
 import voluptuous as vol
 from homeassistant import config_entries, core
+from homeassistant.components import persistent_notification
 from homeassistant.const import CONF_HOST
 from homeassistant.helpers import config_validation as cv, device_registry as dr
@@ -142,8 +143,20 @@ async def async_setup_entry(
 sw_version=config.swversion,
 )
- if config.swupdate2_bridge_state == "readytoinstall":
- err = "Please check for software updates of the bridge in the Philips Hue App."
+ if config.modelid == "BSB002" and config.swversion < "1935144040":
+ persistent_notification.async_create(
+ hass,
+ "Your Hue hub has a known security vulnerability ([CVE-2020-6007](https://cve.circl.lu/cve/CVE-2020-6007)). Go to the Hue app and check for software updates.",
+ "Signify Hue",
+ "hue_hub_firmware",
+ )
+
+ elif config.swupdate2_bridge_state == "readytoinstall":
+ err = (
+ "Please check for software updates of the bridge in the Philips Hue App.",
+ "Signify Hue",
+ "hue_hub_firmware",
+ )
 _LOGGER.warning(err)
 return True
diff --git a/tests/components/hue/test_init.py b/tests/components/hue/test_init.py
index 35e1ba689b4..375d5da4456 100644
--- a/tests/components/hue/test_init.py
+++ b/tests/components/hue/test_init.py
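Review bot: The vulnerability gate `config.swversion < "1935144040"` in the second hunk of homeassistant/components/hue/__init__.py is a string comparison, so it orders correctly only while every reported firmware version is a digit string of the same length; any other value is ordered lexicographically and the CVE-2020-6007 warning can misfire in either direction. A numeric comparison such as `config.swversion.isdigit() and int(config.swversion) < 1935144040` would make the check independent of string length. In the `elif` branch `err` is now a three-element tuple that looks like leftover notification arguments, so `_LOGGER.warning(err)` would log the tuple's repr; either keep `err` a plain string or pass the three values to `persistent_notification.async_create`. The body of `async_setup_entry` starts outside the hunk and indentation is not visible here, so the placement of `_LOGGER.warning(err)` inside the `elif` is inferred.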
@@ -1,5 +1,7 @@
 """Test Hue setup process."""
-from unittest.mock import Mock, patch
+from unittest.mock import Mock
+
+from asynctest import CoroutineMock, patch
 from homeassistant.components import hue
 from homeassistant.setup import async_setup_component
@@ -184,3 +186,33 @@ async def test_setting_unique_id(hass):
 assert await async_setup_component(hass, hue.DOMAIN, {}) is True
 assert entry.unique_id == "mock-id"
+
+
+async def test_security_vuln_check(hass):
+ """Test that we report security vulnerabilities."""
+ assert await async_setup_component(hass, "persistent_notification", {})
+ entry = MockConfigEntry(domain=hue.DOMAIN, data={"host": "0.0.0.0"})
+ entry.add_to_hass(hass)
+
+ with patch.object(
+ hue,
+ "HueBridge",
+ Mock(
+ return_value=Mock(
+ async_setup=CoroutineMock(return_value=True),
+ api=Mock(
+ config=Mock(
+ bridgeid="", mac="", modelid="BSB002", swversion="1935144020"
+ )
+ ),
+ )
+ ),
+ ):
+
+ assert await async_setup_component(hass, "hue", {})
+
+ await hass.async_block_till_done()
+
+ state = hass.states.get("persistent_notification.hue_hub_firmware")
+ assert state is not None
+ assert "CVE-2020-6007" in state.attributes["message"]
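Review bot: `test_security_vuln_check` covers only the positive case (modelid "BSB002" at swversion "1935144020"), so nothing here would fail if the version check in `async_setup_entry` were wrong at its boundary or fired for unaffected hardware. A second case with `swversion="1935144040"` and one with a different `modelid`, each asserting `hass.states.get("persistent_notification.hue_hub_firmware") is None`, would cover the patched-firmware and other-model paths. A docstring line such as `"""Test that a BSB002 bridge below the fixed firmware raises the CVE-2020-6007 notification."""` would also say which condition is being exercised.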