Raise on smtp notification if attachment is not allowed (#104981)

* Raise smtp notification if attachment not allowed * Pass url as placeholder * Use variable in err message * Add allow_list as placeholder
2023-12-04 11:48:29 +01:00 · 2023-12-04 11:48:29 +01:00 · 64f7855b94
commit 64f7855b94
parent 204cc20bc2
3 changed files with 38 additions and 10 deletions
--- a/homeassistant/components/smtp/notify.py
+++ b/homeassistant/components/smtp/notify.py
@ -32,6 +32,7 @@ from homeassistant.const import (
    Platform,
 )
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import ServiceValidationError
 import homeassistant.helpers.config_validation as cv
 from homeassistant.helpers.reload import setup_reload_service
 from homeassistant.helpers.typing import ConfigType, DiscoveryInfoType
@ -255,13 +256,26 @@ def _attach_file(hass, atch_name, content_id=""):
    """
    try:
        file_path = Path(atch_name).parent
-        if not hass.config.is_allowed_path(str(file_path)):
-            _LOGGER.warning(
-                "'%s' is not secure to load data from, ignoring attachment '%s'!",
-                file_path,
-                atch_name,
+        if os.path.exists(file_path) and not hass.config.is_allowed_path(
+            str(file_path)
+        ):
+            allow_list = "allowlist_external_dirs"
+            file_name = os.path.basename(atch_name)
+            url = "https://www.home-assistant.io/docs/configuration/basic/"
+            raise ServiceValidationError(
+                f"Cannot send email with attachment '{file_name} "
+                f"from directory '{file_path} which is not secure to load data from. "
+                f"Only folders added to `{allow_list}` are accessible. "
+                f"See {url} for more information.",
+                translation_domain=DOMAIN,
+                translation_key="remote_path_not_allowed",
+                translation_placeholders={
+                    "allow_list": allow_list,
+                    "file_path": file_path,
+                    "file_name": file_name,
+                    "url": url,
+                },
            )
-            return
        with open(atch_name, "rb") as attachment_file:
            file_bytes = attachment_file.read()
    except FileNotFoundError:
--- a/homeassistant/components/smtp/strings.json
+++ b/homeassistant/components/smtp/strings.json
@ -4,5 +4,10 @@
      "name": "[%key:common::action::reload%]",
      "description": "Reloads smtp notify services."
    }
+  },
+  "exceptions": {
+    "remote_path_not_allowed": {
+      "message": "Cannot send email with attachment '{file_name} form directory '{file_path} which is not secure to load data from. Only folders added to `{allow_list}` are accessible. See {url} for more information."
+    }
  }
 }
--- a/tests/components/smtp/test_notify.py
+++ b/tests/components/smtp/test_notify.py
@ -11,6 +11,7 @@ from homeassistant.components.smtp.const import DOMAIN
 from homeassistant.components.smtp.notify import MailNotificationService
 from homeassistant.const import SERVICE_RELOAD
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import ServiceValidationError
 from homeassistant.setup import async_setup_component

 from tests.common import get_fixture_path
@ -111,7 +112,7 @@ EMAIL_DATA = [
    ),
    (
        "Test msg",
-        {"html": HTML, "images": ["test.jpg"]},
+        {"html": HTML, "images": ["tests/testing_config/notify/test_not_exists.jpg"]},
        "Content-Type: multipart/related",
    ),
    (
@ -156,7 +157,6 @@ def test_send_message(
 )
 def test_sending_insecure_files_fails(
    hass: HomeAssistant,
-    caplog: pytest.LogCaptureFixture,
    message_data,
    data,
    content_type,
@ -165,10 +165,19 @@ def test_sending_insecure_files_fails(
    """Verify if we cannot send messages with insecure attachments."""
    sample_email = "<mock@mock>"
    message.hass = hass
-    with patch("email.utils.make_msgid", return_value=sample_email):
+    with patch("email.utils.make_msgid", return_value=sample_email), pytest.raises(
+        ServiceValidationError
+    ) as exc:
        result, _ = message.send_message(message_data, data=data)
        assert content_type in result
-    assert "test.jpg' is not secure to load data from, ignoring attachment"
+    assert exc.value.translation_key == "remote_path_not_allowed"
+    assert exc.value.translation_domain == DOMAIN
+    assert (
+        str(exc.value.translation_placeholders["file_path"])
+        == "tests/testing_config/notify"
+    )
+    assert exc.value.translation_placeholders["url"]
+    assert exc.value.translation_placeholders["file_name"] == "test.jpg"


 def test_send_text_message(hass: HomeAssistant, message) -> None: