Don't allow recursive secrets loading (#41812)

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>

homeassistant/util/yaml/loader.py

@@ -275,6 +275,11 @@ def _load_secret_yaml(secret_path: str) -> JSON_TYPE:
 
 def secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node) -> JSON_TYPE:
     """Load secrets and embed it into the configuration YAML."""
+    if os.path.basename(loader.name) == SECRET_YAML:
+        _LOGGER.error("secrets.yaml: attempt to load secret from within secrets file")
+        raise HomeAssistantError(
+            "secrets.yaml: attempt to load secret from within secrets file"
+        )
     secret_path = os.path.dirname(loader.name)
     while True:
         secrets = _load_secret_yaml(secret_path)

tests/util/yaml/test_init.py

@@ -463,6 +463,17 @@ def test_duplicate_key(caplog):
     assert "contains duplicate key" in caplog.text
 
 
+def test_no_recursive_secrets(caplog):
+    """Test that loading of secrets from the secrets file fails correctly."""
+    files = {YAML_CONFIG_FILE: "key: !secret a", yaml.SECRET_YAML: "a: 1\nb: !secret a"}
+    with patch_yaml_files(files), pytest.raises(HomeAssistantError) as e:
+        load_yaml_config_file(YAML_CONFIG_FILE)
+        assert e.value.args == (
+            "secrets.yaml: attempt to load secret from within secrets file",
+        )
+    assert "attempt to load secret from within secrets file" in caplog.text
+
+
 def test_input_class():
     """Test input class."""
     input = yaml_loader.Input("hello")