Disallow uploading files to bypass the media dirs (#91817)

2023-04-21 10:21:20 -04:00 · 2023-04-21 10:21:20 -04:00 · 78e29d526c
commit 78e29d526c
parent 9665bc61f2
2 changed files with 14 additions and 2 deletions
--- a/homeassistant/components/media_source/local_source.py
+++ b/homeassistant/components/media_source/local_source.py
@ -48,7 +48,10 @@ class LocalSource(MediaSource):
    @callback
    def async_full_path(self, source_dir_id: str, location: str) -> Path:
        """Return full path."""
-        return Path(self.hass.config.media_dirs[source_dir_id], location)
+        base_path = self.hass.config.media_dirs[source_dir_id]
+        full_path = Path(base_path, location)
+        full_path.relative_to(base_path)
+        return full_path

    @callback
    def async_parse_identifier(self, item: MediaSourceItem) -> tuple[str, str]:
@ -65,6 +68,9 @@ class LocalSource(MediaSource):
        except ValueError as err:
            raise Unresolvable("Invalid path.") from err

+        if Path(location).is_absolute():
+            raise Unresolvable("Invalid path.")
+
        return source_dir_id, location

    async def async_resolve_media(self, item: MediaSourceItem) -> PlayMedia:
--- a/tests/components/media_source/test_local_source.py
+++ b/tests/components/media_source/test_local_source.py
@ -132,9 +132,13 @@ async def test_upload_view(
    hass: HomeAssistant,
    hass_client: ClientSessionGenerator,
    temp_dir,
+    tmpdir,
    hass_admin_user: MockUser,
 ) -> None:
    """Allow uploading media."""
+    # We need a temp dir that's not under tempdir fixture
+    extra_media_dir = tmpdir
+    hass.config.media_dirs["another_path"] = temp_dir

    img = (Path(__file__).parent.parent / "image_upload/logo.png").read_bytes()

@ -167,6 +171,8 @@ async def test_upload_view(
        "media-source://media_source/test_dir/..",
        # Domain != media_source
        "media-source://nest/test_dir/.",
+        # Other directory
+        f"media-source://media_source/another_path///{extra_media_dir}/",
        # Completely something else
        "http://bla",
    ):
@ -178,7 +184,7 @@ async def test_upload_view(
            },
        )

-        assert res.status == 400
+        assert res.status == 400, bad_id
        assert not (Path(temp_dir) / "bad-source-id.png").is_file()

    # Test invalid POST data