diff --git a/homeassistant/components/http/security_filter.py b/homeassistant/components/http/security_filter.py
index 32ebcacfff4..eab0a2b0764 100644
--- a/homeassistant/components/http/security_filter.py
+++ b/homeassistant/components/http/security_filter.py
@@ -40,12 +40,19 @@ def setup_security_filter(app):
     @middleware
     async def security_filter_middleware(request, handler):
         """Process request and block commonly known exploit attempts."""
-        if FILTERS.search(request.raw_path):
+        if FILTERS.search(request.path):
             _LOGGER.warning(
                 "Filtered a potential harmful request to: %s", request.raw_path
             )
             raise HTTPBadRequest
 
+        if FILTERS.search(request.query_string):
+            _LOGGER.warning(
+                "Filtered a request with a potential harmful query string: %s",
+                request.raw_path,
+            )
+            raise HTTPBadRequest
+
         return await handler(request)
 
     app.middlewares.append(security_filter_middleware)
diff --git a/homeassistant/const.py b/homeassistant/const.py
index 582a5260fb5..318166c0f7d 100644
--- a/homeassistant/const.py
+++ b/homeassistant/const.py
@@ -1,7 +1,7 @@
 """Constants used by Home Assistant components."""
 MAJOR_VERSION = 2021
 MINOR_VERSION = 1
-PATCH_VERSION = "2"
+PATCH_VERSION = "3"
 __short_version__ = f"{MAJOR_VERSION}.{MINOR_VERSION}"
 __version__ = f"{__short_version__}.{PATCH_VERSION}"
 REQUIRED_PYTHON_VER = (3, 7, 1)
diff --git a/homeassistant/package_constraints.txt b/homeassistant/package_constraints.txt
index 11e7dd89918..fa9a1ed5640 100644
--- a/homeassistant/package_constraints.txt
+++ b/homeassistant/package_constraints.txt
@@ -1,6 +1,6 @@
 PyJWT==1.7.1
 PyNaCl==1.3.0
-aiohttp==3.7.1
+aiohttp==3.7.3
 aiohttp_cors==0.7.0
 astral==1.10.1
 async_timeout==3.0.1
@@ -29,7 +29,7 @@ ruamel.yaml==0.15.100
 sqlalchemy==1.3.20
 voluptuous-serialize==2.4.0
 voluptuous==0.12.1
-yarl==1.4.2
+yarl==1.6.3
 zeroconf==0.28.8
 
 pycryptodome>=3.6.6
diff --git a/requirements.txt b/requirements.txt
index cbe339fd835..ece5a5a3709 100644
--- a/requirements.txt
+++ b/requirements.txt
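Review bot: The change from `request.raw_path` to `request.path` in the first `if` is the security-relevant part of this hunk and should carry a comment, otherwise a later cleanup could revert it without noticing that the filter would then only see percent-encoded text: `# Match the decoded path and query so percent-encoded payloads (e.g. %2e%2e/) cannot slip past FILTERS`. Decoding is presumably a single level, so a double-encoded payload (`%252e%252e`) still reaches the handler; the docstring should say this middleware is a best-effort blocklist and not a substitute for validation in the handlers. Both warnings log `request.raw_path`, which in aiohttp includes the raw query string, so a blocked request's query parameters (possibly tokens) end up in the log — the query-string branch could log `request.path` instead. The two branches are otherwise identical; a single `for candidate in (request.path, request.query_string):` loop would remove the duplicated warning-and-raise.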
@@ -1,7 +1,7 @@
 -c homeassistant/package_constraints.txt
 
 # Home Assistant Core
-aiohttp==3.7.1
+aiohttp==3.7.3
 astral==1.10.1
 async_timeout==3.0.1
 attrs==19.3.0
@@ -21,4 +21,4 @@ requests==2.25.0
 ruamel.yaml==0.15.100
 voluptuous==0.12.1
 voluptuous-serialize==2.4.0
-yarl==1.4.2
+yarl==1.6.3
diff --git a/setup.py b/setup.py
index c9acb4d82d7..096e376b1a1 100755
--- a/setup.py
+++ b/setup.py
@@ -32,7 +32,7 @@ PROJECT_URLS = {
 PACKAGES = find_packages(exclude=["tests", "tests.*"])
 
 REQUIRES = [
-    "aiohttp==3.7.1",
+    "aiohttp==3.7.3",
     "astral==1.10.1",
     "async_timeout==3.0.1",
     "attrs==19.3.0",
@@ -53,7 +53,7 @@ REQUIRES = [
     "ruamel.yaml==0.15.100",
     "voluptuous==0.12.1",
     "voluptuous-serialize==2.4.0",
-    "yarl==1.4.2",
+    "yarl==1.6.3",
 ]
 
 MIN_PY_VERSION = ".".join(map(str, hass_const.REQUIRED_PYTHON_VER))
diff --git a/tests/components/http/test_security_filter.py b/tests/components/http/test_security_filter.py
index 8190c514603..eb1ac54d8f6 100644
--- a/tests/components/http/test_security_filter.py
+++ b/tests/components/http/test_security_filter.py
@@ -1,6 +1,7 @@
 """Test security filter middleware."""
 from aiohttp import web
 import pytest
+import urllib3
 
 from homeassistant.components.http.security_filter import setup_security_filter
 
@@ -35,17 +36,26 @@ async def test_ok_requests(request_path, request_params, aiohttp_client):
 
 
 @pytest.mark.parametrize(
-    "request_path,request_params",
+    "request_path,request_params,fail_on_query_string",
     [
-        ("/proc/self/environ", {}),
-        ("/", {"test": "/test/../../api"}),
-        ("/", {"test": "test/../../api"}),
-        ("/", {"sql": ";UNION SELECT (a, b"}),
-        ("/", {"sql": "concat(..."}),
-        ("/", {"xss": "