[pull] dev from home-assistant:dev

.github/workflows/ci.yaml

@@ -39,7 +39,7 @@ on:
 env:
   CACHE_VERSION: 3
   MYPY_CACHE_VERSION: 1
-  HA_SHORT_VERSION: "2026.6"
+  HA_SHORT_VERSION: "2026.7"
   ADDITIONAL_PYTHON_VERSIONS: "[]"
   # 10.3 is the oldest supported version
   # - 10.3.32 is the version currently shipped with Synology (as of 17 Feb 2022)

homeassistant/components/backup/backup.py

@@ -11,7 +11,7 @@
 
 from .agent import BackupAgent, LocalBackupAgent, OnProgressCallback
 from .const import DOMAIN, LOGGER
-from .models import AgentBackup, BackupNotFound
+from .models import AgentBackup, BackupNotFound, InvalidBackupFilename
 from .util import read_backup, suggested_filename
 
 
@@ -54,7 +54,13 @@ def _read_backups(self) -> dict[str, tuple[AgentBackup, Path]]:
             try:
                 backup = read_backup(backup_path)
                 backups[backup.backup_id] = (backup, backup_path)
-            except (OSError, TarError, json.JSONDecodeError, KeyError) as err:
+            except (
+                OSError,
+                TarError,
+                json.JSONDecodeError,
+                KeyError,
+                InvalidBackupFilename,
+            ) as err:
                 LOGGER.warning("Unable to read backup %s: %s", backup_path, err)
         return backups
 
@@ -122,7 +128,14 @@ def get_backup_path(self, backup_id: str) -> Path:
 
     def get_new_backup_path(self, backup: AgentBackup) -> Path:
         """Return the local path to a new backup."""
-        return self._backup_dir / suggested_filename(backup)
+        candidate = self._backup_dir / suggested_filename(backup)
+        # suggested_filename does not strip separators; refuse paths that would
+        # land outside the backup directory.
+        if candidate.parent != self._backup_dir:
+            raise InvalidBackupFilename(
+                f"Refusing to write outside {self._backup_dir}: {candidate}"
+            )
+        return candidate
 
     async def async_delete_backup(self, backup_id: str, **kwargs: Any) -> None:
         """Delete a backup file."""

homeassistant/components/backup/manager.py

@@ -1978,7 +1978,13 @@ async def async_receive_backup(
 
         try:
             backup = await async_add_executor_job(read_backup, temp_file)
-        except (OSError, tarfile.TarError, json.JSONDecodeError, KeyError) as err:
+        except (
+            OSError,
+            tarfile.TarError,
+            json.JSONDecodeError,
+            KeyError,
+            InvalidBackupFilename,
+        ) as err:
             LOGGER.warning("Unable to parse backup %s: %s", temp_file, err)
             raise
 

homeassistant/components/backup/util.py

@@ -6,7 +6,7 @@
 from dataclasses import dataclass, replace
 from io import BytesIO
 import json
-from pathlib import Path, PurePath
+from pathlib import Path, PurePath, PureWindowsPath
 from queue import SimpleQueue
 import tarfile
 import threading
@@ -34,7 +34,7 @@
 from homeassistant.util.json import JsonObjectType, json_loads_object
 
 from .const import BUF_SIZE, LOGGER, SECURETAR_CREATE_VERSION
-from .models import AddonInfo, AgentBackup, Folder
+from .models import AddonInfo, AgentBackup, Folder, InvalidBackupFilename
 
 
 class DecryptError(HomeAssistantError):
@@ -109,6 +109,13 @@ def read_backup(backup_path: Path) -> AgentBackup:
         extra_metadata = cast(dict[str, bool | str], data.get("extra", {}))
         date = extra_metadata.get("supervisor.backup_request_date", data["date"])
 
+        name = cast(str, data["name"])
+        # The name is used to derive the on-disk filename via suggested_filename;
+        # reject anything that could escape the backup directory.
+        safe_name = PureWindowsPath(name).name
+        if safe_name != name or name in ("", ".", ".."):
+            raise InvalidBackupFilename(f"Invalid backup name: {name!r}")
+
         return AgentBackup(
             addons=addons,
             backup_id=cast(str, data["slug"]),
@@ -118,7 +125,7 @@ def read_backup(backup_path: Path) -> AgentBackup:
             folders=folders,
             homeassistant_included=homeassistant_included,
             homeassistant_version=homeassistant_version,
-            name=cast(str, data["name"]),
+            name=name,
             protected=cast(bool, data.get("protected", False)),
             size=backup_path.stat().st_size,
         )

homeassistant/components/device_tracker/entity.py

@@ -1,6 +1,7 @@
 """Provide functionality to keep track of devices."""
 
 import asyncio
+import logging
 from typing import TYPE_CHECKING, Any, final
 
 from propcache.api import cached_property
@@ -22,6 +23,7 @@
     EventStateChangedData,
     HomeAssistant,
     State,
+    async_get_hass_or_none,
     callback,
 )
 from homeassistant.helpers import (
@@ -37,6 +39,7 @@
 from homeassistant.helpers.entity import Entity, EntityDescription
 from homeassistant.helpers.entity_platform import EntityPlatform
 from homeassistant.helpers.event import async_track_state_change_event
+from homeassistant.loader import async_suggest_report_issue
 from homeassistant.util.hass_dict import HassKey
 
 from .const import (
@@ -52,6 +55,8 @@
     SourceType,
 )
 
+_LOGGER = logging.getLogger(__name__)
+
 DATA_KEY: HassKey[dict[str, tuple[str, str]]] = HassKey(f"{DOMAIN}_mac")
 
 
@@ -164,11 +169,35 @@ class BaseTrackerEntity(Entity):
     _attr_entity_category = EntityCategory.DIAGNOSTIC
     _attr_source_type: SourceType
 
+    def __init_subclass__(cls, **kwargs: Any) -> None:
+        """Post initialisation processing."""
+        super().__init_subclass__(**kwargs)
+        if "battery_level" in cls.__dict__:
+            if cls.__module__.startswith("homeassistant.components."):
+                # Don't ask users to report issue for built in integrations,
+                # they already have issues opened on them.
+                return
+            report_issue = async_suggest_report_issue(
+                async_get_hass_or_none(), module=cls.__module__
+            )
+            _LOGGER.warning(
+                (
+                    "%s::%s is overriding the deprecated battery_level property on "
+                    "a subclass of BaseTrackerEntity, this will be unsupported from "
+                    "Home Assistant 2027.7, please %s"
+                ),
+                cls.__module__,
+                cls.__name__,
+                report_issue,
+            )
+
     @cached_property
     def battery_level(self) -> int | None:
         """Return the battery level of the device.
 
         Percentage from 0-100.
+
+        The property is deprecated and will be removed in Home Assistant 2027.7.
         """
         return None
 
@@ -212,13 +241,38 @@ class TrackerEntity(
     _attr_in_zones: list[str] | None = None
     _attr_latitude: float | None = None
     _attr_location_accuracy: float = 0
+    # _attr_location_name is deprecated and will be removed in Home Assistant 2027.7
     _attr_location_name: str | None = None
     _attr_longitude: float | None = None
     _attr_source_type: SourceType = SourceType.GPS
 
     __active_zone: State | None = None
+    # If we reported setting deprecated _attr_location_name
+    __deprecated_attr_location_name_reported = False
     __in_zones: list[str] | None = None
 
+    def __init_subclass__(cls, **kwargs: Any) -> None:
+        """Post initialisation processing."""
+        super().__init_subclass__(**kwargs)
+        if "location_name" in cls.__dict__:
+            if cls.__module__.startswith("homeassistant.components."):
+                # Don't ask users to report issue for built in integrations,
+                # they already have issues opened on them.
+                return
+            report_issue = async_suggest_report_issue(
+                async_get_hass_or_none(), module=cls.__module__
+            )
+            _LOGGER.warning(
+                (
+                    "%s::%s is overriding the deprecated location_name property on "
+                    "an instance of TrackerEntity, this will be unsupported from "
+                    "Home Assistant 2027.7, please %s"
+                ),
+                cls.__module__,
+                cls.__name__,
+                report_issue,
+            )
+
     @cached_property
     def should_poll(self) -> bool:
         """No polling for entities that have location pushed."""
@@ -249,7 +303,32 @@ def location_accuracy(self) -> float:
 
     @cached_property
     def location_name(self) -> str | None:
-        """Return a location name for the current location of the device."""
+        """Return a location name for the current location of the device.
+
+        The property is deprecated and will be removed in Home Assistant 2027.7.
+        """
+        if (location_name := self._attr_location_name) is not None:
+            if (
+                not self.__deprecated_attr_location_name_reported
+                and not self.__class__.__module__.startswith(
+                    "homeassistant.components."
+                )
+            ):
+                report_issue = async_suggest_report_issue(
+                    self.hass, module=self.__class__.__module__
+                )
+                _LOGGER.warning(
+                    (
+                        "%s::%s is setting the deprecated _attr_location_name attribute "
+                        "on an instance of TrackerEntity, this will be unsupported from "
+                        "Home Assistant 2027.7, please %s"
+                    ),
+                    self.__class__.__module__,
+                    self.__class__.__name__,
+                    report_issue,
+                )
+                self.__deprecated_attr_location_name_reported = True
+            return location_name
         return self._attr_location_name
 
     @cached_property

homeassistant/components/matter/sensor.py

@@ -439,6 +439,19 @@ def _update_from_device(self) -> None:
         ),
         allow_multi=True,  # also used for climate entity
     ),
+    MatterDiscoverySchema(
+        platform=Platform.SENSOR,
+        entity_description=MatterSensorEntityDescription(
+            key="SoilMoistureSensor",
+            native_unit_of_measurement=PERCENTAGE,
+            device_class=SensorDeviceClass.MOISTURE,
+            state_class=SensorStateClass.MEASUREMENT,
+        ),
+        entity_class=MatterSensor,
+        required_attributes=(
+            clusters.SoilMeasurement.Attributes.SoilMoistureMeasuredValue,
+        ),
+    ),
     MatterDiscoverySchema(
         platform=Platform.SENSOR,
         entity_description=MatterSensorEntityDescription(

homeassistant/components/omie/sensor.py

@@ -52,6 +52,11 @@ def __init__(
         self._attr_unique_id = pyomie_series_name
         self._pyomie_series_name = pyomie_series_name
 
+    async def async_added_to_hass(self) -> None:
+        """Call when entity is added to hass."""
+        await super().async_added_to_hass()
+        self._handle_coordinator_update()
+
     @callback
     def _handle_coordinator_update(self) -> None:
         """Update this sensor's state from the coordinator results."""

homeassistant/const.py

@@ -14,7 +14,7 @@
 
 APPLICATION_NAME: Final = "HomeAssistant"
 MAJOR_VERSION: Final = 2026
-MINOR_VERSION: Final = 6
+MINOR_VERSION: Final = 7
 PATCH_VERSION: Final = "0.dev0"
 __short_version__: Final = f"{MAJOR_VERSION}.{MINOR_VERSION}"
 __version__: Final = f"{__short_version__}.{PATCH_VERSION}"

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "homeassistant"
-version = "2026.6.0.dev0"
+version = "2026.7.0.dev0"
 license = "Apache-2.0"
 license-files = ["LICENSE*", "homeassistant/backports/LICENSE*"]
 description = "Open-source home automation platform running on Python 3."

tests/components/backup/test_manager.py

@@ -2088,6 +2088,36 @@ async def test_receive_backup_path_traversal(
     assert resp.status == 400
 
 
+@pytest.mark.parametrize(
+    "name",
+    [
+        "/absolute/path",
+        "../parent",
+        "with/slash",
+    ],
+)
+async def test_receive_backup_rejects_unsafe_inner_name(
+    hass: HomeAssistant,
+    hass_client: ClientSessionGenerator,
+    name: str,
+) -> None:
+    """Test receive backup rejects an inner name that would escape the backup dir."""
+    await setup_backup_integration(hass)
+    client = await hass_client()
+
+    backup = replace(TEST_BACKUP_ABC123, name=name)
+    with patch(
+        "homeassistant.components.backup.manager.read_backup",
+        return_value=backup,
+    ):
+        resp = await client.post(
+            "/api/backup/upload?agent_id=backup.local",
+            data={"file": StringIO("test")},
+        )
+
+    assert resp.status == 400
+
+
 async def test_receive_backup_busy_manager(
     hass: HomeAssistant,
     hass_client: ClientSessionGenerator,

tests/components/backup/test_util.py

@@ -14,6 +14,7 @@
 import securetar
 
 from homeassistant.components.backup import DOMAIN, AddonInfo, AgentBackup, Folder
+from homeassistant.components.backup.models import InvalidBackupFilename
 from homeassistant.components.backup.util import (
     DecryptedBackupStreamer,
     EncryptedBackupStreamer,
@@ -158,6 +159,37 @@ def test_read_backup(backup_json_content: bytes, expected_backup: AgentBackup) -
         assert backup == expected_backup
 
 
+@pytest.mark.parametrize(
+    "name",
+    [
+        "/absolute/path",
+        "../parent",
+        "with/slash",
+        "with\\backslash",
+        "C:\\drive\\path",
+        "",
+        ".",
+        "..",
+    ],
+)
+def test_read_backup_rejects_unsafe_name(name: str) -> None:
+    """Test that read_backup rejects names that could escape the backup directory."""
+    backup_json_content = (
+        b'{"compressed":true,"date":"2024-12-02T07:23:58.261875-05:00","homeassistant":'
+        b'{"exclude_database":true,"version":"2024.12.0.dev0"},"name":"'
+        + name.encode().replace(b"\\", b"\\\\")
+        + b'","protected":true,"slug":"455645fe","type":"partial","version":2}'
+    )
+    mock_path = Mock()
+    mock_path.stat.return_value.st_size = 1234
+
+    with patch("homeassistant.components.backup.util.tarfile.open") as mock_open_tar:
+        tar_ctx = mock_open_tar.return_value.__enter__.return_value
+        tar_ctx.extractfile.return_value.read.return_value = backup_json_content
+        with pytest.raises(InvalidBackupFilename):
+            read_backup(mock_path)
+
+
 @pytest.mark.parametrize(
     ("backup", "password", "validation_result", "expected_messages"),
     [