From 42f53ff91722ad69ad1dd053271a98f24fe7129e Mon Sep 17 00:00:00 2001
From: Erik Montnemery
Date: Thu, 8 May 2025 22:30:35 +0200
Subject: [PATCH] Don't encrypt or decrypt unknown files in backup archives (#144495)
---
 homeassistant/components/backup/http.py | 16 ++-
 homeassistant/components/backup/util.py | 92 +++++++++++++-----
 .../backup/fixtures/test_backups/c0cb53bd.tar | Bin 10240 -> 10240 bytes
 .../test_backups/c0cb53bd.tar.decrypted | Bin 10240 -> 10240 bytes
 tests/components/backup/test_http.py | 4 +-
 tests/components/backup/test_util.py | 64 ++++++++----
 6 files changed, 129 insertions(+), 47 deletions(-)
diff --git a/homeassistant/components/backup/http.py b/homeassistant/components/backup/http.py
index 8f241e6363d..11d8199bdc5 100644
--- a/homeassistant/components/backup/http.py
+++ b/homeassistant/components/backup/http.py
@@ -22,7 +22,7 @@ from . import util
 from .agent import BackupAgent
 from .const import DATA_MANAGER
 from .manager import BackupManager
-from .models import BackupNotFound
+from .models import AgentBackup, BackupNotFound
 @callback
@@ -85,7 +85,15 @@ class DownloadBackupView(HomeAssistantView):
 request, headers, backup_id, agent_id, agent, manager
 )
 return await self._send_backup_with_password(
- hass, request, headers, backup_id, agent_id, password, agent, manager
+ hass,
+ backup,
+ request,
+ headers,
+ backup_id,
+ agent_id,
+ password,
+ agent,
+ manager,
 )
 except BackupNotFound:
 return Response(status=HTTPStatus.NOT_FOUND)
@@ -116,6 +124,7 @@ class DownloadBackupView(HomeAssistantView):
 async def _send_backup_with_password(
 self,
 hass: HomeAssistant,
+ backup: AgentBackup,
 request: Request,
 headers: dict[istr, str],
 backup_id: str,
@@ -144,7 +153,8 @@ class DownloadBackupView(HomeAssistantView):
 stream = util.AsyncIteratorWriter(hass)
 worker = threading.Thread(
- target=util.decrypt_backup, args=[reader, stream, password, on_done, 0, []]
+ target=util.decrypt_backup,
+ args=[backup, reader, stream, password, on_done, 0, []],
 )
 try:
 worker.start()
diff --git a/homeassistant/components/backup/util.py b/homeassistant/components/backup/util.py
index bd77880738e..8112faf4459 100644
--- a/homeassistant/components/backup/util.py
+++ b/homeassistant/components/backup/util.py
@@ -295,13 +295,26 @@ def validate_password_stream(
 raise BackupEmpty
+def _get_expected_archives(backup: AgentBackup) -> set[str]:
+ """Get the expected archives in the backup."""
+ expected_archives = set()
+ if backup.homeassistant_included:
+ expected_archives.add("homeassistant")
+ for addon in backup.addons:
+ expected_archives.add(addon.slug)
+ for folder in backup.folders:
+ expected_archives.add(folder.value)
+ return expected_archives
+
+
 def decrypt_backup(
+ backup: AgentBackup,
 input_stream: IO[bytes],
 output_stream: IO[bytes],
 password: str | None,
 on_done: Callable[[Exception | None], None],
 minimum_size: int,
- nonces: list[bytes],
+ nonces: NonceGenerator,
 ) -> None:
 """Decrypt a backup."""
 error: Exception | None = None
@@ -315,7 +328,7 @@ def decrypt_backup(
 fileobj=output_stream, mode="w|", bufsize=BUF_SIZE
 ) as output_tar,
 ):
- _decrypt_backup(input_tar, output_tar, password)
+ _decrypt_backup(backup, input_tar, output_tar, password)
 except (DecryptError, SecureTarError, tarfile.TarError) as err:
 LOGGER.warning("Error decrypting backup: %s", err)
 error = err
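Review bot: In `_get_expected_archives`, `expected_archives.add(folder.value)` assumes the inner archive for a folder is named exactly after the enum value; if any `Folder` value contains a path separator (I believe the add-ons folder is represented as `addons/local` while its archive is written as `addons_local.tar.gz`), that archive's stem will never be in the set and the new `prefix not in expected_archives` branches in `_decrypt_backup` and `_encrypt_backup` will leave it encrypted or drop it. Please verify against the writer; if the writer substitutes separators, `expected_archives.add(folder.value.replace("/", "_"))` keeps the two in step. The docstring could also say what "expected" means, e.g. `"""Return the stem of every inner archive the backup metadata says should be present."""`. As a point of style the body is three inserts into a set and would read more directly as a set literal plus `update` calls, but that is cosmetic.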
@@ -333,15 +346,18 @@ def decrypt_backup(
 def _decrypt_backup(
+ backup: AgentBackup,
 input_tar: tarfile.TarFile,
 output_tar: tarfile.TarFile,
 password: str | None,
 ) -> None:
 """Decrypt a backup."""
+ expected_archives = _get_expected_archives(backup)
 for obj in input_tar:
 # We compare with PurePath to avoid issues with different path separators,
 # for example when backup.json is added as "./backup.json"
- if PurePath(obj.name) == PurePath("backup.json"):
+ object_path = PurePath(obj.name)
+ if object_path == PurePath("backup.json"):
 # Rewrite the backup.json file to indicate that the backup is decrypted
 if not (reader := input_tar.extractfile(obj)):
 raise DecryptError
@@ -352,7 +368,13 @@ def _decrypt_backup(
 metadata_obj.size = len(updated_metadata_b)
 output_tar.addfile(metadata_obj, BytesIO(updated_metadata_b))
 continue
- if not obj.name.endswith((".tar", ".tgz", ".tar.gz")):
+ prefix, _, suffix = object_path.name.partition(".")
+ if suffix not in ("tar", "tgz", "tar.gz"):
+ LOGGER.debug("Unknown file %s will not be decrypted", obj.name)
+ output_tar.addfile(obj, input_tar.extractfile(obj))
+ continue
+ if prefix not in expected_archives:
+ LOGGER.debug("Unknown inner tar file %s will not be decrypted", obj.name)
 output_tar.addfile(obj, input_tar.extractfile(obj))
 continue
 istf = SecureTarFile(
@@ -371,12 +393,13 @@ def _decrypt_backup(
 def encrypt_backup(
+ backup: AgentBackup,
 input_stream: IO[bytes],
 output_stream: IO[bytes],
 password: str | None,
 on_done: Callable[[Exception | None], None],
 minimum_size: int,
- nonces: list[bytes],
+ nonces: NonceGenerator,
 ) -> None:
 """Encrypt a backup."""
 error: Exception | None = None
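Review bot: The docstring on `_decrypt_backup` ("Decrypt a backup.") no longer states the contract: after this change only members whose name partitions into an expected stem and a `tar`/`tgz`/`tar.gz` suffix are decrypted, every other member is copied through untouched, yet the rewritten backup.json in the branch above still marks the whole archive as decrypted. A docstring saying that only inner tars named after the entries in the backup metadata are decrypted and that any other member is copied to the output unchanged would tell the next reader what `protected: False` actually guarantees. Because a consumer reading that flag will assume every member is plaintext, consider emitting the "Unknown inner tar file" message at warning rather than debug level so an operator can see that a member was left encrypted; the same applies to the matching branch in `_encrypt_backup` in the next hunk. Note also that `partition(".")` splits on the first dot, so a stem containing a dot can never match an expected archive; fine if slugs and folder names cannot contain dots, but worth a comment on that line. The body of `_decrypt_backup` continues past the end of the hunk.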
@@ -390,7 +413,7 @@ def encrypt_backup(
 fileobj=output_stream, mode="w|", bufsize=BUF_SIZE
 ) as output_tar,
 ):
- _encrypt_backup(input_tar, output_tar, password, nonces)
+ _encrypt_backup(backup, input_tar, output_tar, password, nonces)
 except (EncryptError, SecureTarError, tarfile.TarError) as err:
 LOGGER.warning("Error encrypting backup: %s", err)
 error = err
@@ -408,17 +431,20 @@ def encrypt_backup(
 def _encrypt_backup(
+ backup: AgentBackup,
 input_tar: tarfile.TarFile,
 output_tar: tarfile.TarFile,
 password: str | None,
- nonces: list[bytes],
+ nonces: NonceGenerator,
 ) -> None:
 """Encrypt a backup."""
 inner_tar_idx = 0
+ expected_archives = _get_expected_archives(backup)
 for obj in input_tar:
 # We compare with PurePath to avoid issues with different path separators,
 # for example when backup.json is added as "./backup.json"
- if PurePath(obj.name) == PurePath("backup.json"):
+ object_path = PurePath(obj.name)
+ if object_path == PurePath("backup.json"):
 # Rewrite the backup.json file to indicate that the backup is encrypted
 if not (reader := input_tar.extractfile(obj)):
 raise EncryptError
@@ -429,16 +455,21 @@ def _encrypt_backup(
 metadata_obj.size = len(updated_metadata_b)
 output_tar.addfile(metadata_obj, BytesIO(updated_metadata_b))
 continue
- if not obj.name.endswith((".tar", ".tgz", ".tar.gz")):
+ prefix, _, suffix = object_path.name.partition(".")
+ if suffix not in ("tar", "tgz", "tar.gz"):
+ LOGGER.debug("Unknown file %s will not be encrypted", obj.name)
 output_tar.addfile(obj, input_tar.extractfile(obj))
 continue
+ if prefix not in expected_archives:
+ LOGGER.debug("Unknown inner tar file %s will not be encrypted", obj.name)
+ continue
 istf = SecureTarFile(
 None, # Not used
 gzip=False,
 key=password_to_key(password) if password is not None else None,
 mode="r",
 fileobj=input_tar.extractfile(obj),
- nonce=nonces[inner_tar_idx],
+ nonce=nonces.get(inner_tar_idx),
 )
 inner_tar_idx += 1
 with istf.encrypt(obj) as encrypted:
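Review bot: In the `_encrypt_backup` hunk the `prefix not in expected_archives` branch only logs and `continue`s, so an inner tar that is not named in the metadata is silently dropped from the encrypted output, while the decrypt counterpart copies such a member through and the debug message ("will not be encrypted") reads as if this one did too. If dropping is deliberate — a defensible choice, since an archive whose backup.json says `protected: True` should not carry a plaintext inner tar — say so on the branch, e.g. `# Drop it: a protected backup must not carry a plaintext inner tar`, and consider warning level so the omission is visible to an operator; if it is not deliberate, the branch needs `output_tar.addfile(obj, input_tar.extractfile(obj))` before the `continue` to match `_decrypt_backup`. Either way the `size()` value passed as `minimum_size` (computed outside this hunk) may still count the dropped member, which is worth confirming. The body of `_encrypt_backup` continues past the end of the hunk.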
@@ -456,17 +487,33 @@ class _CipherWorkerStatus:
 writer: AsyncIteratorWriter
+class NonceGenerator:
+ """Generate nonces for encryption."""
+
+ def __init__(self) -> None:
+ """Initialize the generator."""
+ self._nonces: dict[int, bytes] = {}
+
+ def get(self, index: int) -> bytes:
+ """Get a nonce for the given index."""
+ if index not in self._nonces:
+ # Generate a new nonce for the given index
+ self._nonces[index] = os.urandom(16)
+ return self._nonces[index]
+
+
 class _CipherBackupStreamer:
 """Encrypt or decrypt a backup."""
 _cipher_func: Callable[
 [
+ AgentBackup,
 IO[bytes],
 IO[bytes],
 str | None,
 Callable[[Exception | None], None],
 int,
- list[bytes],
+ NonceGenerator,
 ],
 None,
 ]
@@ -484,7 +531,7 @@ class _CipherBackupStreamer:
 self._hass = hass
 self._open_stream = open_stream
 self._password = password
- self._nonces: list[bytes] = []
+ self._nonces = NonceGenerator()
 def size(self) -> int:
 """Return the maximum size of the decrypted or encrypted backup."""
@@ -508,7 +555,15 @@ class _CipherBackupStreamer:
 writer = AsyncIteratorWriter(self._hass)
 worker = threading.Thread(
 target=self._cipher_func,
- args=[reader, writer, self._password, on_done, self.size(), self._nonces],
+ args=[
+ self._backup,
+ reader,
+ writer,
+ self._password,
+ on_done,
+ self.size(),
+ self._nonces,
+ ],
 )
 worker_status = _CipherWorkerStatus(
 done=asyncio.Event(), reader=reader, thread=worker, writer=writer
@@ -538,17 +593,6 @@ class DecryptedBackupStreamer(_CipherBackupStreamer):
 class EncryptedBackupStreamer(_CipherBackupStreamer):
 """Encrypt a backup."""
- def __init__(
- self,
- hass: HomeAssistant,
- backup: AgentBackup,
- open_stream: Callable[[], Coroutine[Any, Any, AsyncIterator[bytes]]],
- password: str | None,
- ) -> None:
- """Initialize."""
- super().__init__(hass, backup, open_stream, password)
- self._nonces = [os.urandom(16) for _ in range(self._num_tar_files())]
-
 _cipher_func = staticmethod(encrypt_backup)
 def backup(self) -> AgentBackup:
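Review bot: The `NonceGenerator` docstring ("Generate nonces for encryption.") does not state the property the class exists for: a nonce for a given index is drawn from `os.urandom(16)` once and then returned unchanged by every later `get(index)` on the same instance, which is what keeps repeated streams from one `EncryptedBackupStreamer` byte-identical now that the eager per-instance list in the removed `__init__` is gone. I would write `"""Memoise one random 16-byte nonce per inner-tar index so every stream of this streamer encrypts tar N with the same nonce."""` on the class and note on `get` that the check-then-insert is not synchronised. On that last point: `get` runs on the worker thread started in `open_stream`, so if two workers of the same streamer ever race on a fresh index each could draw its own nonce and the later write wins — not nonce reuse, but it breaks the identical-output property; `return self._nonces.setdefault(index, os.urandom(16))` (or a lock around the miss path) closes it if concurrent streams of one streamer are possible, which is not visible here.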
diff --git a/tests/components/backup/fixtures/test_backups/c0cb53bd.tar b/tests/components/backup/fixtures/test_backups/c0cb53bd.tar index f3b2845d5eb19b9708ae6d4fd68f7d220fb39c45..29e61d5e4c11683b126dcc08b0736dca19eda9f4 100644 GIT binary patch delta 283 zcmZn&Xb70lB57`F!eD>^3w}8B;bhGKMkL>nJECrljQO6)RaOL{}>n z=ai-cSxU+IMX82LK*_ws+*FW&Gf+SQEK-(QRGgWg2NE>UGXSY6&a48d0rF~f6j04D z!Y~6Y0yjepn<25a69q*Uv9O3_7`dq6bzW0!ePX2WMFIr l_X#I6JBJ}m!NQ2iDFUV}hHzOyX7w}8B;bhGKMiR)&iL;7O}8Q5@4Ck%Mm_N rfpc<-fC;MsLKP=7`(_pi8K%t&LQhy3jUlQyfT~PcjNwK}{^tV#9Tpno diff --git a/tests/components/backup/fixtures/test_backups/c0cb53bd.tar.decrypted b/tests/components/backup/fixtures/test_backups/c0cb53bd.tar.decrypted index c97533fc1afb35fafb7be57651fc72e4069f44b3..386ea021247a5b5f9658a1e2009e956f73dcca9d 100644 GIT binary patch delta 282 zcmZn&Xb70lB57`F%3y#13w}8B;bhGKMqN>nJECrljQO6)RaOL{}>n z=ai-cSxU+IMX82LK*_ws+*FW&Gf+SQEK-(QRGgWg2NE>UGXSY6&a48d0rF~f6j04D z!Y~6Y0yjepn<25a69t7Av9O3_7`dq6bzW0!ePX2WMFIz k_X#I6JBJ}m!NQ2iDFUV}MsQg{X7w}8B;bhGKMoT)&iN!7qPHR5@4Ck%Mm_N qfpc<-fC;MsLKP=7`(_r2Kg^p%SXda1A&NMFicDEd;3i4_=K}x=rW(lr diff --git a/tests/components/backup/test_http.py b/tests/components/backup/test_http.py index 92bf454095e..b3845b1209a 100644 --- a/tests/components/backup/test_http.py +++ b/tests/components/backup/test_http.py @@ -177,7 +177,7 @@ async def _test_downloading_encrypted_backup( enc_metadata = json.loads(outer_tar.extractfile("./backup.json").read()) assert enc_metadata["protected"] is True with ( - outer_tar.extractfile("core.tar.gz") as inner_tar_file, + outer_tar.extractfile("homeassistant.tar.gz") as inner_tar_file, pytest.raises(tarfile.ReadError, match="file could not be opened"), ): # pylint: disable-next=consider-using-with 
@@ -209,7 +209,7 @@ async def _test_downloading_encrypted_backup(
 dec_metadata = json.loads(outer_tar.extractfile("./backup.json").read())
 assert dec_metadata == enc_metadata | {"protected": False}
 with (
- outer_tar.extractfile("core.tar.gz") as inner_tar_file,
+ outer_tar.extractfile("homeassistant.tar.gz") as inner_tar_file,
 tarfile.open(fileobj=inner_tar_file, mode="r") as inner_tar,
 ):
 assert inner_tar.getnames() == [
diff --git a/tests/components/backup/test_util.py b/tests/components/backup/test_util.py
index 97e94eafb73..a999672e7f6 100644
--- a/tests/components/backup/test_util.py
+++ b/tests/components/backup/test_util.py
@@ -174,7 +174,10 @@ async def test_decrypted_backup_streamer(hass: HomeAssistant) -> None:
 )
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -218,7 +221,10 @@ async def test_decrypted_backup_streamer_interrupt_stuck_reader(
 """Test the decrypted backup streamer."""
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
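Review bot: None of the test changes in this commit exercise the new branches: every `test_util.py` hunk (the two here and the rest below, which together account for the diffstat) only swaps the `addons` strings for `AddonInfo` entries whose slugs match the fixture, and the `test_http.py` hunks rename the inner tar, so the "Unknown file" and "Unknown inner tar file" paths in `_decrypt_backup` and `_encrypt_backup` — in particular the fact that the encrypt path drops such a member while the decrypt path copies it — run without any assertion. A tar built in the test with `tarfile` containing one extra member such as `unexpected.tar.gz` plus a non-tar file, with assertions on which members appear in the output and on the logged message, would pin that behaviour for both directions. The `AddonInfo` import is not in any visible hunk; presumably it was already imported, but worth a glance.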
@@ -253,7 +259,10 @@ async def test_decrypted_backup_streamer_interrupt_stuck_writer(
 """Test the decrypted backup streamer."""
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -283,7 +292,10 @@ async def test_decrypted_backup_streamer_wrong_password(hass: HomeAssistant) ->
 """Test the decrypted backup streamer with wrong password."""
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -320,7 +332,10 @@ async def test_encrypted_backup_streamer(hass: HomeAssistant) -> None:
 )
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -353,15 +368,16 @@ async def test_encrypted_backup_streamer(hass: HomeAssistant) -> None:
 bytes.fromhex("00000000000000000000000000000000"),
 )
 encryptor = EncryptedBackupStreamer(hass, backup, open_backup, "hunter2")
- assert encryptor.backup() == dataclasses.replace(
- backup, protected=True, size=backup.size + len(expected_padding)
- )
- encrypted_stream = await encryptor.open_stream()
- encrypted_output = b""
- async for chunk in encrypted_stream:
- encrypted_output += chunk
- await encryptor.wait()
+ assert encryptor.backup() == dataclasses.replace(
+ backup, protected=True, size=backup.size + len(expected_padding)
+ )
+
+ encrypted_stream = await encryptor.open_stream()
+ encrypted_output = b""
+ async for chunk in encrypted_stream:
+ encrypted_output += chunk
+ await encryptor.wait()
 # Expect the output to match the stored encrypted backup file, with additional
 # padding.
@@ -377,7 +393,10 @@ async def test_encrypted_backup_streamer_interrupt_stuck_reader(
 "test_backups/c0cb53bd.tar.decrypted", DOMAIN
 )
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -414,7 +433,10 @@ async def test_encrypted_backup_streamer_interrupt_stuck_writer(
 "test_backups/c0cb53bd.tar.decrypted", DOMAIN
 )
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -447,7 +469,10 @@ async def test_encrypted_backup_streamer_random_nonce(hass: HomeAssistant) -> No
 )
 encrypted_backup_path = get_fixture_path("test_backups/c0cb53bd.tar", DOMAIN)
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,
@@ -490,7 +515,7 @@ async def test_encrypted_backup_streamer_random_nonce(hass: HomeAssistant) -> No
 await encryptor1.wait()
 await encryptor2.wait()
- # Output from the two streames should differ but have the same length.
+ # Output from the two streams should differ but have the same length.
 assert encrypted_output1 != encrypted_output3
 assert len(encrypted_output1) == len(encrypted_output3)
@@ -508,7 +533,10 @@ async def test_encrypted_backup_streamer_error(hass: HomeAssistant) -> None:
 "test_backups/c0cb53bd.tar.decrypted", DOMAIN
 )
 backup = AgentBackup(
- addons=["addon_1", "addon_2"],
+ addons=[
+ AddonInfo(name="Core 1", slug="core1", version="1.0.0"),
+ AddonInfo(name="Core 2", slug="core2", version="1.0.0"),
+ ],
 backup_id="1234",
 date="2024-12-02T07:23:58.261875-05:00",
 database_included=False,