fix: harden recipe content against stored XSS (chips, instructions, asset media) (#7719)

2026-06-01 22:50:26 -04:00 · 2026-05-31 11:14:16 -05:00
parent 48752bcd06
commit 2d8b74282a
15 changed files with 362 additions and 49 deletions
--- a/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py
@@ -104,6 +104,33 @@ def test_recipe_asset_dangerous_extension_blocked(
        assert response.status_code == 400, f"expected 400 for extension={ext}, got {response.status_code}"


+def test_recipe_asset_served_as_attachment(
+    api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe
+):
+    """Assets must be served as downloads with MIME sniffing disabled so uploaded files cannot
+    execute as active content in Mealie's origin."""
+    recipe = recipe_ingredient_only
+    payload = {"name": random_string(10), "icon": "mdi-file", "extension": "txt"}
+    file_payload = {"file": b"<script>alert(1)</script>"}
+
+    response = api_client.post(
+        f"/api/recipes/{recipe.slug}/assets",
+        data=payload,
+        files=file_payload,
+        headers=unique_user.token,
+    )
+    assert response.status_code == 200
+
+    recipe_response = api_client.get(f"/api/recipes/{recipe.slug}", headers=unique_user.token).json()
+    recipe_id = recipe_response["id"]
+    file_name = recipe_response["assets"][0]["fileName"]
+
+    media_response = api_client.get(f"/api/media/recipes/{recipe_id}/assets/{file_name}")
+    assert media_response.status_code == 200
+    assert "attachment" in media_response.headers["content-disposition"].lower()
+    assert media_response.headers["x-content-type-options"] == "nosniff"
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
    data_payload = {"extension": "jpg"}
    file_payload = {"image": data.images_test_image_1.read_bytes()}
--- a/tests/unit_tests/test_config.py
+++ b/tests/unit_tests/test_config.py
@@ -27,6 +27,31 @@ def test_non_default_settings(monkeypatch):
    assert app_settings.DOCS_URL is None


+def test_allowed_iframe_hosts_defaults(monkeypatch):
+    monkeypatch.delenv("ALLOWED_IFRAME_HOSTS", raising=False)
+    get_app_settings.cache_clear()
+    app_settings = get_app_settings()
+
+    # Secure defaults are always present and never empty (empty would disable iframe embeds).
+    assert "youtube.com" in app_settings.allowed_iframe_hosts
+    assert "vimeo.com" in app_settings.allowed_iframe_hosts
+
+
+def test_allowed_iframe_hosts_extends_defaults(monkeypatch):
+    monkeypatch.setenv("ALLOWED_IFRAME_HOSTS", " Example.com , trusted.tld ,, ")
+    get_app_settings.cache_clear()
+    app_settings = get_app_settings()
+
+    hosts = app_settings.allowed_iframe_hosts
+    # Configured hosts are normalized, blanks dropped, and defaults retained.
+    assert "example.com" in hosts
+    assert "trusted.tld" in hosts
+    assert "youtube.com" in hosts
+    assert "" not in hosts
+    # No duplicates.
+    assert len(hosts) == len(set(hosts))
+
+
 def test_default_connection_args(monkeypatch):
    monkeypatch.setenv("DB_ENGINE", "sqlite")
    get_app_settings.cache_clear()