Ensure provided uris match their normalized version (#9)

* Ensure provided uris match their normalized version

* not endswith rather then not equals

Author: mdegat01

aiohasupervisor/client.py

@@ -70,7 +70,17 @@ async def _request(
         data: Any = None,
     ) -> Response:
         """Handle a request to Supervisor."""
-        url = URL(self.api_host).joinpath(uri)
+        try:
+            url = URL(self.api_host).joinpath(uri)
+        except ValueError as err:
+            raise SupervisorError from err
+
+        # This check is to make sure the normalized URL string is the same as the URL
+        # string that was passed in. If they are different, then the passed in uri
+        # contained characters that were removed by the normalization
+        # such as ../../../../etc/passwd
+        if not url.raw_path.endswith(uri):
+            raise SupervisorError(f"Invalid request {uri}")
 
         match response_type:
             case ResponseType.TEXT:

tests/test_client.py

@@ -0,0 +1,24 @@
+"""Tests for client."""
+
+import pytest
+
+from aiohasupervisor.client import _SupervisorClient
+from aiohasupervisor.exceptions import SupervisorError
+
+from .const import SUPERVISOR_URL
+
+
+@pytest.mark.parametrize("method", ["get", "post", "put", "delete"])
+async def test_path_manipulation_blocked(method: str) -> None:
+    """Test path manipulation prevented."""
+    client = _SupervisorClient(SUPERVISOR_URL, "abc123", 10)
+    action = getattr(client, method)
+    with pytest.raises(SupervisorError):
+        # absolute path
+        await action("/test/../bad")
+    with pytest.raises(SupervisorError):
+        # relative path
+        await action("test/../bad")
+    with pytest.raises(SupervisorError):
+        # relative path with percent encoding
+        await action("test/%2E%2E/bad")