Avoid re-encoding the hassio command URL each request (#109031)

* Avoid reconstructing the hassio command URL each request The host had to be re-encoded every time which creates an ip_address object By doing a join we avoid this. It was actually happening twice since we passed constructed the URL for testing and than passed it as a string so aiohttp did it as well * make url the same

Avoid re-encoding the hassio command URL each request (#109031)
5183eed0 · J. Nick Koston · GitHub · 030727b0 · 5183eed0
Unverified Commit 5183eed0 authored 1 year ago by J. Nick Koston Committed by GitHub 1 year ago
--- a/homeassistant/components/hassio/handler.py
+++ b/homeassistant/components/hassio/handler.py
@@ -330,6 +330,7 @@ class HassIO:
        self.loop = loop
        self.websession = websession
        self._ip = ip
+        self._base_url = URL(f"http://{ip}")
    @_api_bool
    def is_connected(self) -> Coroutine:
@@ -559,14 +560,20 @@ class HassIO:
        This method is a coroutine.
        """
        url = f"http://{self._ip}{command}"
-        if url != str(URL(url)):
+        joined_url = self._base_url.join(URL(command))
+        # This check is to make sure the normalized URL string
+        # is the same as the URL string that was passed in. If
+        # they are different, then the passed in command URL
+        # contained characters that were removed by the normalization
+        # such as ../../../../etc/passwd
+        if url != str(joined_url):
            _LOGGER.error("Invalid request %s", command)
            raise HassioAPIError()
        try:
            request = await self.websession.request(
                method,
-                f"http://{self._ip}{command}",
+                joined_url,
                json=payload,
                headers={
                    aiohttp.hdrs.AUTHORIZATION: (