fix: enforce ownership check on recipe deletion (GHSA-x5v9-9jvh-7c7q) (#7625)

mealie/core/security/providers/openid_provider.py

@@ -35,7 +35,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
             self._logger.debug("[OIDC]   %s: %s", key, value)
 
         if not self.required_claims.issubset(claims.keys()):
-            self._logger.error(
+            self._logger.debug(
                 "[OIDC] Required claims not present. Expected: %s Actual: %s",
                 self.required_claims,
                 claims.keys(),
@@ -45,7 +45,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
         # Check for empty required claims
         for claim in self.required_claims:
             if not claims.get(claim):
-                self._logger.error("[OIDC] Required claim '%s' is empty", claim)
+                self._logger.debug("[OIDC] Required claim '%s' is empty", claim)
                 raise MissingClaimException()
 
         repos = get_repositories(self.session, group_id=None, household_id=None)

mealie/routes/auth/auth.py

@@ -134,6 +134,7 @@ async def oauth_callback(request: Request, session: Session = Depends(generate_s
             auth_provider = OpenIDProvider(session, userinfo, use_default_groups=True)
             auth = auth_provider.authenticate()
         except MissingClaimException:
+            logger.error("[OIDC] Required claims not present in ID token or userinfo endpoint")
             auth = None
 
     if not auth:

mealie/routes/media/media_recipe.py

@@ -58,6 +58,6 @@ async def get_recipe_asset(recipe_id: UUID4, file_name: str):
         raise HTTPException(status.HTTP_400_BAD_REQUEST)
 
     if file.exists():
-        return FileResponse(file)
+        return FileResponse(file, filename=file.name, content_disposition_type="attachment")
     else:
         raise HTTPException(status.HTTP_404_NOT_FOUND)

mealie/routes/recipe/recipe_crud_routes.py

@@ -80,6 +80,8 @@ from mealie.services.scraper.scraper_strategies import (
 
 from ._base import BaseRecipeController, JSONBytes
 
+ASSET_ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "gif", "webp", "bmp", "avif", "txt", "md", "csv", "json"}
+
 router = UserAPIRouter(prefix="/recipes", route_class=MealieCrudRoute)
 
 
@@ -660,6 +662,10 @@ class RecipeController(BaseRecipeController):
         if "." in extension:
             extension = extension.split(".")[-1]
 
+        extension = extension.lower()
+        if extension not in ASSET_ALLOWED_EXTENSIONS:
+            raise HTTPException(status_code=400, detail="Unsupported file extension")
+
         file_slug = slugify(name)
         if not extension or not file_slug:
             raise HTTPException(status_code=400, detail="Missing required fields")

mealie/routes/recipe/timeline_events.py

@@ -15,6 +15,7 @@ from mealie.schema.recipe.recipe_timeline_events import (
     RecipeTimelineEventPagination,
     RecipeTimelineEventUpdate,
     TimelineEventImage,
+    TimelineEventType,
 )
 from mealie.schema.recipe.request_helpers import UpdateImageResponse
 from mealie.schema.response.pagination import PaginationQuery
@@ -50,6 +51,10 @@ class RecipeTimelineEventsController(BaseCrudController):
             override=RecipeTimelineEventOut,
         )
 
+        for event in response.items:
+            if event.event_type == TimelineEventType.system.value:
+                event.subject = self.t(event.subject)
+
         response.set_pagination_guides(router.url_path_for("get_all"), q.model_dump())
         return response
 
@@ -83,7 +88,10 @@ class RecipeTimelineEventsController(BaseCrudController):
 
     @router.get("/{item_id}", response_model=RecipeTimelineEventOut)
     def get_one(self, item_id: UUID4):
-        return self.mixins.get_one(item_id)
+        event = self.mixins.get_one(item_id)
+        if event.event_type == TimelineEventType.system.value:
+            event.subject = self.t(event.subject)
+        return event
 
     @router.put("/{item_id}", response_model=RecipeTimelineEventOut)
     def update_one(self, item_id: UUID4, data: RecipeTimelineEventUpdate):

mealie/services/recipe/recipe_service.py

@@ -38,6 +38,8 @@ from mealie.services.scraper import cleaner
 
 from .template_service import TemplateService
 
+RECIPE_CREATED_EVENT_SUBJECT = "recipe.recipe-created"
+
 
 class RecipeServiceBase(BaseService):
     def __init__(self, repos: AllRepositories, user: PrivateUser, household: HouseholdInDB, translator: Translator):
@@ -69,8 +71,19 @@ class RecipeService(RecipeServiceBase):
     def can_delete(self, recipe_slugs: list[str]) -> bool:
         if self.user.admin:
             return True
-        else:
+
-            return self.can_update(recipe_slugs)
+        # Deletion requires ownership; collaborative editing rules (can_update) do not apply
+        model = self.group_recipes.model
+        owned_count = self.group_recipes.session.scalar(
+            sa.select(sa.func.count())
+            .select_from(model)
+            .where(
+                model.slug.in_(recipe_slugs),
+                model.group_id == self.user.group_id,
+                model.user_id == self.user.id,
+            )
+        )
+        return owned_count == len(recipe_slugs)
 
     def can_update(self, recipe_slugs: list[str]) -> bool:
         sql = dedent(
@@ -224,7 +237,7 @@ class RecipeService(RecipeServiceBase):
         timeline_event_data = RecipeTimelineEventCreate(
             user_id=new_recipe.user_id,
             recipe_id=new_recipe.id,
-            subject=self.t("recipe.recipe-created"),
+            subject=RECIPE_CREATED_EVENT_SUBJECT,
             event_type=TimelineEventType.system,
             timestamp=new_recipe.created_at or datetime.now(UTC),
         )

tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py

@@ -201,19 +201,12 @@ def test_delete_recipes_from_other_households(
     assert recipe_json["id"] == h2_recipe_id
 
     response = api_client.delete(api_routes.recipes_slug(recipe_json["slug"]), headers=unique_user.token)
-    if household_lock_recipe_edits:
+    assert response.status_code == 403
-        assert response.status_code == 403
 
-        # confirm the recipe still exists
+    # confirm the recipe still exists
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
+    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 200
+    assert response.status_code == 200
-        assert response.json()["id"] == h2_recipe_id
+    assert response.json()["id"] == h2_recipe_id
-    else:
-        assert response.status_code == 200
-
-        # confirm the recipe was deleted
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 404
 
 
 @pytest.mark.parametrize("is_private_household", [True, False])

tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py

@@ -87,6 +87,23 @@ def test_recipe_asset_exploit(api_client: TestClient, unique_user: TestUser, rec
     assert not (recipe.asset_dir / "test.txt").exists()
 
 
+def test_recipe_asset_dangerous_extension_blocked(
+    api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe
+):
+    """Ensure scriptable extensions are rejected to prevent stored XSS (GHSA-gfwc-pjx4-mg9p)."""
+    recipe = recipe_ingredient_only
+    for ext in ("html", "svg", "js", "htm", "xhtml"):
+        payload = {"name": random_string(10), "icon": "mdi-file", "extension": ext}
+        file_payload = {"file": b"<script>alert(1)</script>"}
+        response = api_client.post(
+            f"/api/recipes/{recipe.slug}/assets",
+            data=payload,
+            files=file_payload,
+            headers=unique_user.token,
+        )
+        assert response.status_code == 400, f"expected 400 for extension={ext}, got {response.status_code}"
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
     data_payload = {"extension": "jpg"}
     file_payload = {"image": data.images_test_image_1.read_bytes()}

tests/integration_tests/user_recipe_tests/test_recipe_owner.py

@@ -160,6 +160,24 @@ def test_other_user_cant_delete_recipe(api_client: TestClient, user_tuple: list[
     assert response.status_code == 403
 
 
+def test_other_user_cant_delete_unlocked_recipe(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not delete an unlocked recipe — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug = random_string(10)
+    unique_user, other_user = user_tuple
+
+    unique_user.repos.recipes.create(
+        Recipe(
+            user_id=unique_user.user_id,
+            group_id=unique_user.group_id,
+            name=slug,
+            settings=RecipeSettings(locked=False),
+        )
+    )
+
+    response = api_client.delete(api_routes.recipes_slug(slug), headers=other_user.token)
+    assert response.status_code == 403
+
+
 def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUser]):
     slug_locked = random_string(10)
     slug_unlocked = random_string(10)
@@ -190,6 +208,30 @@ def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUse
     assert response.status_code == 403
 
 
+def test_other_user_cant_bulk_delete_unlocked_recipes(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not bulk-delete unlocked recipes — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug_1 = random_string(10)
+    slug_2 = random_string(10)
+    unique_user, other_user = user_tuple
+
+    for slug in (slug_1, slug_2):
+        unique_user.repos.recipes.create(
+            Recipe(
+                user_id=unique_user.user_id,
+                group_id=unique_user.group_id,
+                name=slug,
+                settings=RecipeSettings(locked=False),
+            )
+        )
+
+    response = api_client.post(
+        api_routes.recipes_bulk_actions_delete,
+        json={"recipes": [slug_1, slug_2]},
+        headers=other_user.token,
+    )
+    assert response.status_code == 403
+
+
 def test_admin_can_delete_locked_recipe_owned_by_another_user(
     api_client: TestClient, unfiltered_database: AllRepositories, unique_user: TestUser, admin_user: TestUser
 ):

tests/integration_tests/user_recipe_tests/test_recipe_timeline_events.py

@@ -3,18 +3,24 @@ from uuid import uuid4
 import pytest
 from fastapi.testclient import TestClient
 
+from mealie.lang.providers import get_all_translations
 from mealie.schema.recipe.recipe import Recipe
 from mealie.schema.recipe.recipe_timeline_events import (
     RecipeTimelineEventOut,
     RecipeTimelineEventPagination,
     TimelineEventImage,
+    TimelineEventType,
 )
 from mealie.schema.recipe.request_helpers import UpdateImageResponse
+from mealie.services.recipe.recipe_service import RECIPE_CREATED_EVENT_SUBJECT
 from tests.utils import api_routes
 from tests.utils.factories import random_string
 from tests.utils.fixture_schemas import TestUser
 
 
+PERSISTED_TRANSLATION_KEYS = [RECIPE_CREATED_EVENT_SUBJECT]
+
+
 @pytest.fixture(scope="function")
 def recipes(api_client: TestClient, unique_user: TestUser):
     recipes = []
@@ -341,6 +347,50 @@ def test_create_recipe_with_timeline_event(
         assert events_pagination.items
 
 
+@pytest.mark.parametrize("translation_key", PERSISTED_TRANSLATION_KEYS)
+def test_persisted_translation_keys_have_translations(translation_key: str):
+    translations = get_all_translations(translation_key)
+    missing_translations = [locale for locale, translation in translations.items() if translation == translation_key]
+
+    assert missing_translations == []
+
+
+def test_recipe_created_system_event_is_translated(
+    api_client: TestClient,
+    unique_user: TestUser,
+    recipes: list[Recipe],
+):
+    recipe = recipes[0]
+    params = {"queryFilter": f"recipe_id={recipe.id}"}
+
+    # fetch events in French — the system "recipe created" event should be translated
+    fr_headers = {**unique_user.token, "Accept-Language": "fr-FR"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=fr_headers)
+    assert events_response.status_code == 200
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    assert system_events, "expected at least one system event for a newly created recipe"
+
+    for event in system_events:
+        assert event.subject == "Recette créée", f"expected French translation, got: {event.subject!r}"
+
+        # also verify the individual GET endpoint translates correctly
+        single_response = api_client.get(api_routes.recipes_timeline_events_item_id(event.id), headers=fr_headers)
+        assert single_response.status_code == 200
+        single_event = RecipeTimelineEventOut.model_validate(single_response.json())
+        assert single_event.subject == "Recette créée"
+
+    # fetch the same events in English — subject should be the English string
+    en_headers = {**unique_user.token, "Accept-Language": "en-US"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=en_headers)
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    for event in system_events:
+        assert event.subject == "Recipe Created", f"expected English string, got: {event.subject!r}"
+
+
 @pytest.mark.parametrize("use_other_household_user", [True, False])
 def test_invalid_recipe_id(
     api_client: TestClient, unique_user: TestUser, h2_user: TestUser, use_other_household_user: bool