Don't allow recursive secrets loading (#41812)

Co-authored-by: Martin Hjelmare <marhje52@gmail.com>
2021-02-14 13:23:31 +00:00 · 2021-02-14 13:23:31 +00:00 · 27d16af36b
parent a5a45f29e2
commit 27d16af36b
2 changed files with 16 additions and 0 deletions
--- a/homeassistant/util/yaml/loader.py
+++ b/homeassistant/util/yaml/loader.py
@ -275,6 +275,11 @@ def _load_secret_yaml(secret_path: str) -> JSON_TYPE:

 def secret_yaml(loader: SafeLineLoader, node: yaml.nodes.Node) -> JSON_TYPE:
    """Load secrets and embed it into the configuration YAML."""
+    if os.path.basename(loader.name) == SECRET_YAML:
+        _LOGGER.error("secrets.yaml: attempt to load secret from within secrets file")
+        raise HomeAssistantError(
+            "secrets.yaml: attempt to load secret from within secrets file"
+        )
    secret_path = os.path.dirname(loader.name)
    while True:
        secrets = _load_secret_yaml(secret_path)
--- a/tests/util/yaml/test_init.py
+++ b/tests/util/yaml/test_init.py
@ -463,6 +463,17 @@ def test_duplicate_key(caplog):
    assert "contains duplicate key" in caplog.text


+def test_no_recursive_secrets(caplog):
+    """Test that loading of secrets from the secrets file fails correctly."""
+    files = {YAML_CONFIG_FILE: "key: !secret a", yaml.SECRET_YAML: "a: 1\nb: !secret a"}
+    with patch_yaml_files(files), pytest.raises(HomeAssistantError) as e:
+        load_yaml_config_file(YAML_CONFIG_FILE)
+        assert e.value.args == (
+            "secrets.yaml: attempt to load secret from within secrets file",
+        )
+    assert "attempt to load secret from within secrets file" in caplog.text
+
+
 def test_input_class():
    """Test input class."""
    input = yaml_loader.Input("hello")