fix: 8 bug fixes — sensor data loss, SSL bypass, JSON injection, ZeroDivisionError, and more #145

Open
KJonline wants to merge 10 commits into dev from bug-analysis
@KJonline

Contributor

Summary

  • Sensor data loss (sensor.py:160): HIVE_TYPES["Sensor"] branch was keying into data.devices with hive_id instead of device_id, causing device_data, props, and parent_device to always be empty for contact/motion sensors
  • Security (hive_async_api.py): Removed verify=False SSL bypass and urllib3.disable_warnings; replaced string-concatenated JSON payload in set_state with json.dumps to eliminate injection risk
  • Crash on zero (color.py): Colour-temperature conversion methods silently swallowed KeyError but not ZeroDivisionError — added ZeroDivisionError to all three except clauses
  • None dereference (hive_auth_async.py): async_init and get_password_authentication_key called .split() on values from .get() without guarding against None; now raises HiveUnknownConfiguration with a descriptive message
  • Broken epoch_time (hive_helper.py): The to_epoch branch hardcoded its own pattern, ignoring the pattern argument passed by the caller
  • updateInterval no-op (compat_aliases.py): The HA backwards-compat alias was silently returning True without updating config.scan_interval; now correctly sets timedelta(seconds=new_interval)
  • Dead code removed (srp_crypto.py, hive_async_api.py): Unused ThreadPoolExecutor pool (spawned threads on import), deprecated refresh_tokens method and its tests, dead if url is not None guard
  • Log context (heating.py, hotwater.py, boost.py): Bare _LOGGER.error(e) calls now include method name and device name

Test Plan

  • pytest tests/ — 956 passed, 99.17% coverage (above 99% threshold)
  • One pre-existing failure in test_polling.py::TestGetDevicesSlowPoll::test_auth_error_sets_last_poll_slow_false — predates this branch, unrelated to these changes
  • New unit tests added for every fix (sensor device_id key, None guards, ZeroDivisionError paths, epoch_time pattern, json.dumps encoding, updateInterval timedelta)

🤖 Generated with Claude Code

KJonline and others added 10 commits May 23, 2026 16:37
- Replace __class__.__name__ string checks with direct error.response parsing for boto3 ClientError
- Remove redundant if checks when re-raising EndpointConnectionError as HiveApiError
- Defer asyncio.get_event_loop() call to async_init() using get_running_loop()
- Remove deprecated pool_region parameter from HiveAuthAsync.__init__
- Add HiveError base class and reorganize exception hierarchy (HiveConfigurationError, HiveAuthCredentialError)
…VE_TYPES branch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… get_password_authentication_key

Import HiveUnknownConfiguration and raise it instead of letting AttributeError
propagate when REGION or UPID are absent from the SSO login info response, and
when _pool_id is None or missing an underscore in get_password_authentication_key.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extend the except clause in get_min_color_temp, get_max_color_temp, and
get_color_temp from KeyError-only to (KeyError, ZeroDivisionError) so that
a zero colourTemperature value returned by the Hive API returns None instead
of raising an unhandled ZeroDivisionError. Tests added for all three cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…hardcoding it

Removes the line that overwrote the caller-supplied `pattern` with a
hardcoded Hive format string, so custom format strings are respected.
Adds TestEpochTimePattern tests to confirm the fix and prevent regression.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n.dumps in set_state

- Replace manual string-concatenation JSON building in set_state with json.dumps(kwargs)
  to prevent JSON injection when kwarg values contain double-quotes or backslashes
- Remove requests.get(verify=False) SSL bypass from get_login_info
- Remove urllib3 import and disable_warnings call that suppressed the SSL warning
- Update TestGetLoginInfo assertion to match new call signature (no verify=False)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nd dead url/status guard

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… returning True

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… SessionConfig type

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
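
An added example, not code from this PR or the project: it shows why the set_state change from string concatenation to json.dumps matters when a kwarg value contains double-quotes or a backslash. `build_payload_concat` is a hypothetical stand-in for the pre-fix pattern, and the sample values are constructed.

```python
import json


def build_payload_concat(**kwargs):
    # Hypothetical stand-in for the pre-fix pattern: JSON built by string
    # concatenation, with no escaping of the values.
    pairs = ['"' + str(k) + '": "' + str(v) + '"' for k, v in kwargs.items()]
    return "{" + ", ".join(pairs) + "}"


def build_payload_dumps(**kwargs):
    # The pattern the PR switches to: json.dumps escapes quotes and backslashes.
    return json.dumps(kwargs)


def parse(payload):
    # What a receiving JSON parser would see; None when the payload is not valid JSON.
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


# Constructed sample values, not taken from the Hive API.
QUOTE_VALUE = 'HEAT", "target": "32'   # contains double-quotes
BACKSLASH_VALUE = "kitchen\\"          # ends in a single backslash


def compare(key, value):
    # Returns (parsed concatenated payload, parsed json.dumps payload) for one kwarg.
    kw = {key: value}
    return parse(build_payload_concat(**kw)), parse(build_payload_dumps(**kw))


if __name__ == "__main__":
    for key, value in (("mode", QUOTE_VALUE), ("name", BACKSLASH_VALUE)):
        concat, dumped = compare(key, value)
        print(f"{key}={value!r}")
        print("  concatenated ->", concat)
        print("  json.dumps   ->", dumped)
```

With the concatenated builder the quoted value parses as two keys and the trailing backslash yields invalid JSON; with json.dumps both values round-trip unchanged under a single key.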