security: multiple reported CVE fixes (#1515)

* update out of date license * update typing / refactor * fix arbitrarty path injection * use markdown sanatizer to prevent XSS CWE-79 * fix CWE-918 SSRF by validating url and mime type * add security docs * update recipe-scrapers * resolve DOS from arbitrary url * update changelog * bump version * add ref to #1506 * add #1511 to changelog * use requests decoder * actually fix encoding issue
2025-08-03 04:25:24 +02:00 · 2022-07-31 13:10:20 -08:00 · 2022-07-31 13:10:20 -08:00 · 13850cda1f
commit 13850cda1f
parent 483f789b8e
23 changed files with 401 additions and 118 deletions
--- a/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
@ -12,7 +12,6 @@ from tests.utils.fixture_schemas import TestUser
 def test_recipe_assets_create(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
    recipe = recipe_ingredient_only
    payload = {
-        "slug": recipe.slug,
        "name": random_string(10),
        "icon": random_string(10),
        "extension": "jpg",
@ -43,6 +42,51 @@ def test_recipe_assets_create(api_client: TestClient, unique_user: TestUser, rec
    assert recipe_respons["assets"][0]["name"] == payload["name"]


+def test_recipe_asset_exploit(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
+    """
+    Test to ensure that users are unable to circumvent the destination directory when uploading a file
+    as an asset to the recipe. This was reported via huntr and was confirmed to be a sevre security issue.
+
+    mitigration is implemented by ensuring that the destination file is checked to ensure that the parent directory
+    is the recipe's asset directory. otherwise an exception is raised and a 400 error is returned.
+
+    Report Details:
+    -------------------
+    Arbitrary template creation leading to Authenticated Remote Code Execution in hay-kot/mealie
+
+    An attacker who is able to execute such a flaw is able to execute commands with the privileges
+    of the programming language or the web server. In this case, since the attacker is root in a
+    Docker container they can execute system commands, read/modify databases, attack adjacent
+    systems. This flaw leads to a complete compromise of the system.
+
+    https://huntr.dev/bounties/3ecd4a78-523e-4f84-a3fd-31a01a68f142/
+    """
+
+    recipe = recipe_ingredient_only
+    payload = {
+        "name": "$",
+        "icon": random_string(10),
+        "extension": "./test.txt",
+    }
+
+    file_payload = {
+        "file": data.images_test_image_1.read_bytes(),
+    }
+
+    response = api_client.post(
+        f"/api/recipes/{recipe.slug}/assets",
+        data=payload,
+        files=file_payload,
+        headers=unique_user.token,
+    )
+
+    assert response.status_code == 400
+
+    # Ensure File was not created
+    assert not (recipe.asset_dir.parent / "test.txt").exists()
+    assert not (recipe.asset_dir / "test.txt").exists()
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
    data_payload = {"extension": "jpg"}
    file_payload = {"image": data.images_test_image_1.read_bytes()}