security: multiple reported CVE fixes (#1515)

* update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue
2025-08-02 20:15:24 +02:00 · 2022-07-31 13:10:20 -08:00 · 2022-07-31 13:10:20 -08:00 · 13850cda1f
commit 13850cda1f
parent 483f789b8e
23 changed files with 401 additions and 118 deletions
--- a/frontend/components/Domain/Recipe/RecipeIngredients.vue
+++ b/frontend/components/Domain/Recipe/RecipeIngredients.vue
@ -11,7 +11,7 @@
        <v-list-item dense @click="toggleChecked(index)">
          <v-checkbox hide-details :value="checked[index]" class="pt-0 my-auto py-auto" color="secondary" />
          <v-list-item-content :key="ingredient.quantity">
-            <VueMarkdown class="ma-0 pa-0 text-subtitle-1 dense-markdown" :source="ingredientDisplay[index]" />
+            <SafeMarkdown class="ma-0 pa-0 text-subtitle-1 dense-markdown" :source="ingredientDisplay[index]" />
          </v-list-item-content>
        </v-list-item>
      </div>
@ -22,14 +22,11 @@
 <script lang="ts">
 import { computed, defineComponent, reactive, toRefs } from "@nuxtjs/composition-api";
 // @ts-ignore vue-markdown has no types
-import VueMarkdown from "@adapttive/vue-markdown";
 import { parseIngredientText } from "~/composables/recipes";
 import { RecipeIngredient } from "~/types/api-types/recipe";

 export default defineComponent({
-  components: {
-    VueMarkdown,
-  },
+  components: {},
  props: {
    value: {
      type: Array as () => RecipeIngredient[],
--- a/frontend/components/Domain/Recipe/RecipeInstructions.vue
+++ b/frontend/components/Domain/Recipe/RecipeInstructions.vue
@ -197,7 +197,7 @@
              <v-expand-transition>
                <div v-show="!isChecked(index) && !edit" class="m-0 p-0">
                  <v-card-text class="markdown">
-                    <VueMarkdown class="markdown" :source="step.text"> </VueMarkdown>
+                    <SafeMarkdown class="markdown" :source="step.text" />
                    <div v-if="cookMode && step.ingredientReferences && step.ingredientReferences.length > 0">
                      <v-divider class="mb-2"></v-divider>
                      <div
@ -219,8 +219,6 @@

 <script lang="ts">
 import draggable from "vuedraggable";
-// @ts-ignore vue-markdown has no types
-import VueMarkdown from "@adapttive/vue-markdown";
 import {
  ref,
  toRefs,
@ -245,7 +243,6 @@ interface MergerHistory {

 export default defineComponent({
  components: {
-    VueMarkdown,
    draggable,
  },
  props: {
--- a/frontend/components/Domain/Recipe/RecipeNotes.vue
+++ b/frontend/components/Domain/Recipe/RecipeNotes.vue
@ -18,7 +18,7 @@
          {{ note.title }}
        </v-card-title>
        <v-card-text>
-          <VueMarkdown :source="note.text"> </VueMarkdown>
+          <SafeMarkdown :source="note.text" />
        </v-card-text>
      </div>
    </div>
@ -30,15 +30,10 @@
 </template>

 <script lang="ts">
-// @ts-ignore vue-markdown has no types
-import VueMarkdown from "@adapttive/vue-markdown";
 import { defineComponent } from "@nuxtjs/composition-api";
 import { RecipeNote } from "~/types/api-types/recipe";

 export default defineComponent({
-  components: {
-    VueMarkdown,
-  },
  props: {
    value: {
      type: Array as () => RecipeNote[],
--- a/frontend/components/Domain/Recipe/RecipePrintView.vue
+++ b/frontend/components/Domain/Recipe/RecipePrintView.vue
@ -11,7 +11,7 @@
    </section>

    <v-card-text class="px-0">
-      <VueMarkdown :source="recipe.description" />
+      <SafeMarkdown :source="recipe.description" />
    </v-card-text>

    <!-- Ingredients -->
@ -47,7 +47,7 @@
              {{ step.title }}
            </h4>
            <h5>{{ $t("recipe.step-index", { step: stepIndex + instructionSection.stepOffset + 1 }) }}</h5>
-            <VueMarkdown :source="step.text" class="recipe-step-body" />
+            <SafeMarkdown :source="step.text" class="recipe-step-body" />
          </div>
        </div>
      </div>
@ -60,7 +60,7 @@
      <div v-for="(note, index) in recipe.notes" :key="index + 'note'">
        <div class="print-section">
          <h4>{{ note.title }}</h4>
-          <VueMarkdown :source="note.text" class="note-body" />
+          <SafeMarkdown :source="note.text" class="note-body" />
        </div>
      </div>
    </section>
@ -69,8 +69,6 @@

 <script lang="ts">
 import { defineComponent, computed } from "@nuxtjs/composition-api";
-// @ts-ignore vue-markdown has no types
-import VueMarkdown from "@adapttive/vue-markdown";
 import RecipeTimeCard from "~/components/Domain/Recipe/RecipeTimeCard.vue";
 import { Recipe, RecipeIngredient, RecipeStep } from "~/types/api-types/recipe";
 import { parseIngredientText } from "~/composables/recipes";
@ -89,7 +87,6 @@ type InstructionSection = {
 export default defineComponent({
  components: {
    RecipeTimeCard,
-    VueMarkdown,
  },
  props: {
    recipe: {