fix: Don't allow publishing wildcards in MQTT topic (#27025)

Author: Koenkk

lib/mqtt.ts

@@ -176,6 +176,12 @@ export default class MQTT {
         skipLog = false,
         skipReceive = true,
     ): Promise<void> {
+        if (topic.includes('+') || topic.includes('#')) {
+            // https://github.com/Koenkk/zigbee2mqtt/issues/26939#issuecomment-2772309646
+            logger.error(`Topic '${topic}' includes wildcard characters, skipping publish.`);
+            return;
+        }
+
         const defaultOptions = {qos: 0 as const, retain: false};
         topic = `${base}/${topic}`;
 

test/controller.test.ts

@@ -283,6 +283,20 @@ describe('Controller', () => {
         controller.mqtt.client.reconnecting = false;
     });
 
+    it('Should not allow publishing wildcard characters in topic', async () => {
+        await controller.start();
+        await flushPromises();
+        mockMQTTPublishAsync.mockClear();
+        // @ts-expect-error private
+        await controller.mqtt.publish('z2m/#/status', 'empty');
+        expect(mockMQTTPublishAsync).toHaveBeenCalledTimes(0);
+        expect(mockLogger.error).toHaveBeenCalledWith(`Topic 'z2m/#/status' includes wildcard characters, skipping publish.`);
+        // @ts-expect-error private
+        await controller.mqtt.publish('z2m/+/status', 'empty');
+        expect(mockMQTTPublishAsync).toHaveBeenCalledTimes(0);
+        expect(mockLogger.error).toHaveBeenCalledWith(`Topic 'z2m/+/status' includes wildcard characters, skipping publish.`);
+    });
+
     it('Load empty state when state file does not exist', async () => {
         data.removeState();
         await controller.start();