fix: Security Patches (#6743)

tests/integration_tests/user_recipe_tests/test_recipe_bulk_action.py

@@ -123,11 +123,12 @@ def test_bulk_export_recipes(api_client: TestClient, unique_user: TestUser, ten_
     response_data = response.json()
     assert len(response_data) == 1
 
+    export_id = response_data[0]["id"]
     export_path = response_data[0]["path"]
 
     # Get Export Token
     response = api_client.get(
-        f"{api_routes.recipes_bulk_actions_export_download}?path={export_path}", headers=unique_user.token
+        f"{api_routes.recipes_bulk_actions_export_export_id_download(export_id)}", headers=unique_user.token
     )
     assert response.status_code == 200
 

tests/unit_tests/test_security.py

@@ -2,10 +2,11 @@ from pathlib import Path
 
 import ldap
 import pytest
+from fastapi import HTTPException
 from pytest import MonkeyPatch
 
 from mealie.core import security
-from mealie.core.config import get_app_settings
+from mealie.core.config import get_app_dirs, get_app_settings
 from mealie.core.dependencies import validate_file_token
 from mealie.core.security.providers.credentials_provider import (
     CredentialsProvider,
@@ -15,6 +16,7 @@ from mealie.core.security.providers.ldap_provider import LDAPProvider
 from mealie.db.db_setup import session_context
 from mealie.db.models.users.users import AuthMethod
 from mealie.repos.repository_factory import AllRepositories
+from mealie.routes.utility_routes import download_file
 from mealie.schema.user.auth import CredentialsRequestForm
 from mealie.schema.user.user import PrivateUser
 from tests.utils import random_string
@@ -122,6 +124,46 @@ def test_create_file_token():
     assert file_path == validate_file_token(file_token)
 
 
+@pytest.mark.asyncio
+async def test_download_file_security_restrictions():
+    dirs = get_app_dirs()
+
+    # Test 1: File in DATA_DIR but outside allowed dirs should be blocked
+    secret_file = dirs.DATA_DIR / ".secret"
+
+    with pytest.raises(HTTPException) as exc_info:
+        await download_file(secret_file)
+    assert exc_info.value.status_code == 400
+
+    # Test 2: File in BACKUP_DIR should be allowed (but only if it exists)
+    backup_file = dirs.BACKUP_DIR / "test.zip"
+    dirs.BACKUP_DIR.mkdir(parents=True, exist_ok=True)
+    backup_file.write_text("test backup content")
+
+    try:
+        response = await download_file(backup_file)
+        assert response.media_type == "application/octet-stream"
+        assert response.path == backup_file
+    finally:
+        backup_file.unlink(missing_ok=True)
+
+    # Test 3: File in GROUPS_DIR should be allowed (but only if it exists)
+    export_dir = dirs.GROUPS_DIR / "some-group-id" / "export"
+    export_dir.mkdir(parents=True, exist_ok=True)
+    export_file = export_dir / "test.zip"
+    export_file.write_text("test export content")
+
+    try:
+        response = await download_file(export_file)
+        assert response.media_type == "application/octet-stream"
+        assert response.path == export_file
+    finally:
+        export_file.unlink(missing_ok=True)
+        # Clean up the directory structure
+        export_dir.rmdir()
+        (dirs.GROUPS_DIR / "some-group-id").rmdir()
+
+
 def get_provider(session, username: str, password: str):
     request_data = CredentialsRequest(username=username, password=password)
     return LDAPProvider(session, request_data)

tests/utils/api_routes/__init__.py

@@ -141,8 +141,6 @@ recipes_bulk_actions_delete = "/api/recipes/bulk-actions/delete"
 """`/api/recipes/bulk-actions/delete`"""
 recipes_bulk_actions_export = "/api/recipes/bulk-actions/export"
 """`/api/recipes/bulk-actions/export`"""
-recipes_bulk_actions_export_download = "/api/recipes/bulk-actions/export/download"
-"""`/api/recipes/bulk-actions/export/download`"""
 recipes_bulk_actions_export_purge = "/api/recipes/bulk-actions/export/purge"
 """`/api/recipes/bulk-actions/export/purge`"""
 recipes_bulk_actions_settings = "/api/recipes/bulk-actions/settings"
@@ -463,6 +461,11 @@ def organizers_tools_slug_tool_slug(tool_slug):
     return f"{prefix}/organizers/tools/slug/{tool_slug}"
 
 
+def recipes_bulk_actions_export_export_id_download(export_id):
+    """`/api/recipes/bulk-actions/export/{export_id}/download`"""
+    return f"{prefix}/recipes/bulk-actions/export/{export_id}/download"
+
+
 def recipes_shared_token_id(token_id):
     """`/api/recipes/shared/{token_id}`"""
     return f"{prefix}/recipes/shared/{token_id}"