Speed up hassio send_command url check (#125122)

* Speed up hassio send_command url check

The send_command call checked the resulting path to make
sure that the input path was not modified when converting
to a URL. Since the host is pre-set, we only need to check
that the processed raw_path matches command instead of converting
back to a string, and then comparing it against another
constructed string.

* Speed up hassio send_command url check

The send_command call checked the resulting path to make
sure that the input path was not modified when converting
to a URL. Since the host is pre-set, we only need to check
that the processed raw_path matches command instead of converting
back to a string, and then comparing it against another
constructed string.

* adjust
J. Nick Koston 2024-09-03 03:29:02 -10:00 committed by GitHub
parent fdce524811
commit 491bde181c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 2 deletions


@ -568,14 +568,13 @@ class HassIO:
This method is a coroutine.
"""
url = f"http://{self._ip}{command}"
joined_url = self._base_url.join(URL(command))
# This check is to make sure the normalized URL string
# is the same as the URL string that was passed in. If
# they are different, then the passed in command URL
# contained characters that were removed by the normalization
# such as ../../../../etc/passwd
if url != str(joined_url):
if joined_url.raw_path != command:
_LOGGER.error("Invalid request %s", command)
raise HassioAPIError
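Review bot: The comment kept above `if joined_url.raw_path != command:` still describes comparing whole URL strings, and the new check does not behave identically to the one it replaces. yarl's `raw_path` leaves out the query string and fragment, so a command such as `/x?y=1`, which the old full-URL comparison accepted, is now rejected; whether any caller passes a query is not visible in this hunk and should be confirmed. The host is no longer compared directly, so the check relies on a command that carries its own scheme or authority never yielding a `raw_path` equal to the command itself. I would reword the comment to match, for example `# Only the encoded path is compared: the host comes from self._base_url, so a command that is not exactly the path of the joined URL (dot segments, percent-encoded dots, a query, a fragment, an authority) is rejected.` send_command starts before this hunk and may continue after it.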


@ -468,4 +468,11 @@ async def test_send_command_invalid_command(hass: HomeAssistant) -> None:
"""Test send command fails when command is invalid."""
hassio: HassIO = hass.data["hassio"]
with pytest.raises(HassioAPIError):
# absolute path
await hassio.send_command("/test/../bad")
with pytest.raises(HassioAPIError):
# relative path
await hassio.send_command("test/../bad")
with pytest.raises(HassioAPIError):
# relative path with percent encoding
await hassio.send_command("test/%2E%2E/bad")
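Review bot: The added cases cover dot segments only, so nothing here pins the other property the old full-string comparison enforced, namely that a command cannot move the request to a different host. Since the handler now compares only `raw_path`, I would add a case with an authority in the command, for example `with pytest.raises(HassioAPIError):` followed by `await hassio.send_command("//other.invalid/test")` (constructed value), and one with a query string to record whether rejecting it is intended. The three near-identical blocks would also read better as a single `@pytest.mark.parametrize` over the command strings.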