mirror of
https://github.com/home-assistant/supervisor.git
synced 2026-04-02 08:12:47 +01:00
6070d54860
* Harden backup tar extraction with Python data filter Replace filter="fully_trusted" with a custom backup_data_filter that wraps tarfile.data_filter. This adds protection against symlink attacks (absolute targets, destination escapes), device node injection, and path traversal, while resetting uid/gid and sanitizing permissions. Unlike using data_filter directly, the custom filter skips problematic entries with a warning instead of aborting the entire extraction. This ensures existing backups containing absolute symlinks (e.g. in shared folders) still restore successfully with the dangerous entries omitted. Also removes the now-redundant secure_path member filtering, as data_filter is a strict superset of its protections. Fixes a standalone bug in _folder_restore which had no member filtering at all. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Simplify security tests to test backup_data_filter directly Test the public backup_data_filter function with plain tarfile extraction instead of going through Backup internals. Removes protected-access pylint warnings and unnecessary coresys setup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Switch to tar filter instead of custom data filter wrapper Replace backup_data_filter (which wrapped data_filter and skipped problematic entries) with the built-in tar filter. The tar filter rejects path traversal and absolute names while preserving uid/gid and file permissions, which is important for add-ons running as non-root users. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Apply suggestions from code review Co-authored-by: Erik Montnemery <erik@montnemery.com> * Use BackupInvalidError instead of BackupError for tarfile.TarError Make sure FilterErrors lead to BackupInvalidError instead of BackupError, as they are not related to the backup process itself but rather to the integrity of the backup data. * Improve test coverage and use pytest.raises * Only make FilterError a BackupInvalidError * Add test case for FilterError during Home Assistant Core restore * Add test cases for Add-ons * Fix pylint warnings --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Erik Montnemery <erik@montnemery.com>