From dee0f887deff663df77e74e379a68345cca5bb98 Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Fri, 15 Jan 2021 10:30:29 +0100
Subject: [PATCH] Extend filter and filter tests (#45179)

---
 .../components/http/security_filter.py | 9 +++++-
 tests/components/http/test_security_filter.py | 30 ++++++++++++++-----
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/homeassistant/components/http/security_filter.py b/homeassistant/components/http/security_filter.py
index 32ebcacfff4..eab0a2b0764 100644
--- a/homeassistant/components/http/security_filter.py
+++ b/homeassistant/components/http/security_filter.py
@@ -40,12 +40,19 @@ def setup_security_filter(app):
 @middleware
 async def security_filter_middleware(request, handler):
 """Process request and block commonly known exploit attempts."""
- if FILTERS.search(request.raw_path):
+ if FILTERS.search(request.path):
 _LOGGER.warning(
 "Filtered a potential harmful request to: %s", request.raw_path
 )
 raise HTTPBadRequest
 
+ if FILTERS.search(request.query_string):
+ _LOGGER.warning(
+ "Filtered a request with a potential harmful query string: %s",
+ request.raw_path,
+ )
+ raise HTTPBadRequest
+
 return await handler(request)
 
 app.middlewares.append(security_filter_middleware)
diff --git a/tests/components/http/test_security_filter.py b/tests/components/http/test_security_filter.py
index 8190c514603..91fde9c6c54 100644
--- a/tests/components/http/test_security_filter.py
+++ b/tests/components/http/test_security_filter.py
@@ -35,17 +35,26 @@ async def test_ok_requests(request_path, request_params, aiohttp_client):
 @pytest.mark.parametrize(
- "request_path,request_params",
+ "request_path,request_params,fail_on_query_string",
 [
- ("/proc/self/environ", {}),
- ("/", {"test": "/test/../../api"}),
- ("/", {"test": "test/../../api"}),
- ("/", {"sql": ";UNION SELECT (a, b"}),
- ("/", {"sql": "concat(..."}),
- ("/", {"xss": "
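Review bot: The two checks in security_filter_middleware now run against different encodings of the request: `request.path` is aiohttp's decoded path, while `request.query_string` is, as far as I recall, the raw still-encoded query, so the same value is matched in its decoded form when it appears in the path but in its encoded form when it appears in the query. If the move from raw_path to path was meant to match the decoded form, applying the same decoding to the query keeps the two checks consistent, e.g. `if FILTERS.search(unquote(request.query_string)):` with `from urllib.parse import unquote` added to the file's imports outside this hunk. The second warning logs only `request.raw_path`, so an operator reading the log cannot tell what was rejected; if keeping the query out of the log is deliberate so that user-supplied values never land in log files, a short comment on the `_LOGGER.warning(` call saying so would save the next reader the question. setup_security_filter begins outside the hunk.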