Validate password before restoring backup (#133647)

* Validate password before restoring backup * Raise specific error when password is incorrect
2025-11-09 02:49:40 +00:00 · 2024-12-20 15:43:46 +01:00
parent 1c0135880d
commit 5afb9a5053
7 changed files with 220 additions and 17 deletions
--- a/homeassistant/components/backup/util.py
+++ b/homeassistant/components/backup/util.py
@@ -9,11 +9,13 @@ import tarfile
 from typing import cast

 import aiohttp
+from securetar import SecureTarFile

+from homeassistant.backup_restore import password_to_key
 from homeassistant.core import HomeAssistant
 from homeassistant.util.json import JsonObjectType, json_loads_object

-from .const import BUF_SIZE
+from .const import BUF_SIZE, LOGGER
 from .models import AddonInfo, AgentBackup, Folder


@@ -71,6 +73,39 @@ def read_backup(backup_path: Path) -> AgentBackup:
        )


+def validate_password(path: Path, password: str | None) -> bool:
+    """Validate the password."""
+    with tarfile.open(path, "r:", bufsize=BUF_SIZE) as backup_file:
+        compressed = False
+        ha_tar_name = "homeassistant.tar"
+        try:
+            ha_tar = backup_file.extractfile(ha_tar_name)
+        except KeyError:
+            compressed = True
+            ha_tar_name = "homeassistant.tar.gz"
+            try:
+                ha_tar = backup_file.extractfile(ha_tar_name)
+            except KeyError:
+                LOGGER.error("No homeassistant.tar or homeassistant.tar.gz found")
+                return False
+        try:
+            with SecureTarFile(
+                path,  # Not used
+                gzip=compressed,
+                key=password_to_key(password) if password is not None else None,
+                mode="r",
+                fileobj=ha_tar,
+            ):
+                # If we can read the tar file, the password is correct
+                return True
+        except tarfile.ReadError:
+            LOGGER.debug("Invalid password")
+            return False
+        except Exception:  # noqa: BLE001
+            LOGGER.exception("Unexpected error validating password")
+    return False
+
+
 async def receive_file(
    hass: HomeAssistant, contents: aiohttp.BodyPartReader, path: Path
 ) -> None: