jeans/core
jeans/core
1
0
Fork 0
mirror of https://github.com/home-assistant/core.git synced 2025-07-17 18:27:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Disallow uploading files to bypass the media dirs (#91817)

Browse Source
This commit is contained in:
Paulus Schoutsen 2023-04-21 10:21:20 -04:00
parent 30da629285
commit deb55a74da
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
homeassistant/components/media_source/local_source.py
View File

@ -48,7 +48,10 @@ class LocalSource(MediaSource):
@callback @callback
def async_full_path(self, source_dir_id: str, location: str) -> Path: def async_full_path(self, source_dir_id: str, location: str) -> Path:
"""Return full path.""" """Return full path."""
return Path(self.hass.config.media_dirs[source_dir_id], location) base_path = self.hass.config.media_dirs[source_dir_id]
full_path = Path(base_path, location)
full_path.relative_to(base_path)
return full_path
@callback @callback
def async_parse_identifier(self, item: MediaSourceItem) -> tuple[str, str]: def async_parse_identifier(self, item: MediaSourceItem) -> tuple[str, str]:
@ -65,6 +68,9 @@ class LocalSource(MediaSource):
except ValueError as err: except ValueError as err:
raise Unresolvable("Invalid path.") from err raise Unresolvable("Invalid path.") from err
if Path(location).is_absolute():
raise Unresolvable("Invalid path.")
return source_dir_id, location return source_dir_id, location
async def async_resolve_media(self, item: MediaSourceItem) -> PlayMedia: async def async_resolve_media(self, item: MediaSourceItem) -> PlayMedia:

8
tests/components/media_source/test_local_source.py
View File

@ -132,9 +132,13 @@ async def test_upload_view(
hass: HomeAssistant, hass: HomeAssistant,
hass_client: ClientSessionGenerator, hass_client: ClientSessionGenerator,
temp_dir, temp_dir,
tmpdir,
hass_admin_user: MockUser, hass_admin_user: MockUser,
) -> None: ) -> None:
"""Allow uploading media.""" """Allow uploading media."""
# We need a temp dir that's not under tempdir fixture
extra_media_dir = tmpdir
hass.config.media_dirs["another_path"] = temp_dir
img = (Path(__file__).parent.parent / "image_upload/logo.png").read_bytes() img = (Path(__file__).parent.parent / "image_upload/logo.png").read_bytes()
@ -167,6 +171,8 @@ async def test_upload_view(
"media-source://media_source/test_dir/..", "media-source://media_source/test_dir/..",
# Domain != media_source # Domain != media_source
"media-source://nest/test_dir/.", "media-source://nest/test_dir/.",
# Other directory
f"media-source://media_source/another_path///{extra_media_dir}/",
# Completely something else # Completely something else
"http://bla", "http://bla",
): ):
@ -178,7 +184,7 @@ async def test_upload_view(
}, },
) )
assert res.status == 400 assert res.status == 400, bad_id
assert not (Path(temp_dir) / "bad-source-id.png").is_file() assert not (Path(temp_dir) / "bad-source-id.png").is_file()
# Test invalid POST data # Test invalid POST data