From 491bde181c9b5c33cfe712edc6da24a6297d1109 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Tue, 3 Sep 2024 03:29:02 -1000
Subject: [PATCH] Speed up hassio send_command url check (#125122)

* Speed up hassio send_command url check

The send_command call checked the resulting path to make sure that the input path was not modified when converting to a URL. Since the host is is pre-set, we only need to check the processed raw_path matches command instead of converting back to a string, and than comparing it against another constructed string.

* Speed up hassio send_command url check

The send_command call checked the resulting path to make sure that the input path was not modified when converting to a URL. Since the host is is pre-set, we only need to check the processed raw_path matches command instead of converting back to a string, and than comparing it against another constructed string.

* adjust
---
 homeassistant/components/hassio/handler.py | 3 +--
 tests/components/hassio/test_handler.py | 7 +++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/homeassistant/components/hassio/handler.py b/homeassistant/components/hassio/handler.py
index 305b9d4961b..c57e43f73f3 100644
--- a/homeassistant/components/hassio/handler.py
+++ b/homeassistant/components/hassio/handler.py
@@ -568,14 +568,13 @@ class HassIO:
         This method is a coroutine.
         """
-        url = f"http://{self._ip}{command}"
         joined_url = self._base_url.join(URL(command))
         # This check is to make sure the normalized URL string
         # is the same as the URL string that was passed in. If
         # they are different, then the passed in command URL
         # contained characters that were removed by the normalization
         # such as ../../../../etc/passwd
-        if url != str(joined_url):
+        if joined_url.raw_path != command:
             _LOGGER.error("Invalid request %s", command)
             raise HassioAPIError
diff --git a/tests/components/hassio/test_handler.py b/tests/components/hassio/test_handler.py
index c5fa6ff8254..949f96ece38 100644
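Review bot: The comment block directly above the changed `if` still describes the old comparison ("the normalized URL string is the same as the URL string that was passed in"), while the new condition compares `joined_url.raw_path` with `command`; rewording its first two lines to `# This check is to make sure the normalized path (raw_path) is` / `# identical to the command that was passed in. If` keeps the comment in step with the check. A second difference worth confirming: `raw_path` holds only the path component, so a command that carries a query string or fragment can no longer equal it and would now be rejected, whereas the previous `str(joined_url)` comparison presumably retained those parts; if no caller passes `?` or `#` in `command` this is a harmless tightening, otherwise it deserves a comment or an explicit check. The enclosing `send_command` method begins and ends outside the hunk.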
--- a/tests/components/hassio/test_handler.py
+++ b/tests/components/hassio/test_handler.py
@@ -468,4 +468,11 @@ async def test_send_command_invalid_command(hass: HomeAssistant) -> None:
     """Test send command fails when command is invalid."""
     hassio: HassIO = hass.data["hassio"]
     with pytest.raises(HassioAPIError):
+        # absolute path
         await hassio.send_command("/test/../bad")
+    with pytest.raises(HassioAPIError):
+        # relative path
+        await hassio.send_command("test/../bad")
+    with pytest.raises(HassioAPIError):
+        # relative path with percent encoding
+        await hassio.send_command("test/%2E%2E/bad")
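Review bot: The `test/%2E%2E/bad` case appears to be rejected for the same reason as `test/../bad` — it has no leading slash, so the joined `raw_path` starts with `/` and can never equal the command — which means the percent-encoding handling named in the `# relative path with percent encoding` comment is not actually exercised. An absolute variant, `await hassio.send_command("/test/%2E%2E/bad")`, is the input that would show whether an encoded dot-segment is left unchanged in `raw_path` and therefore passes the equality check; whether yarl decodes `%2E` during normalization should be confirmed before deciding what outcome to assert. The `async def` line of this test sits just above the hunk; the rest of the function is within it.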