fix: enforce ownership check on recipe deletion (GHSA-x5v9-9jvh-7c7q) (#7625)

mealie/core/security/providers/openid_provider.py

@@ -35,7 +35,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
             self._logger.debug("[OIDC]   %s: %s", key, value)
 
         if not self.required_claims.issubset(claims.keys()):
-            self._logger.error(
+            self._logger.debug(
                 "[OIDC] Required claims not present. Expected: %s Actual: %s",
                 self.required_claims,
                 claims.keys(),
@@ -45,7 +45,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
         # Check for empty required claims
         for claim in self.required_claims:
             if not claims.get(claim):
-                self._logger.error("[OIDC] Required claim '%s' is empty", claim)
+                self._logger.debug("[OIDC] Required claim '%s' is empty", claim)
                 raise MissingClaimException()
 
         repos = get_repositories(self.session, group_id=None, household_id=None)

mealie/lang/messages/en-US.json

@@ -5,13 +5,6 @@
     "recipe": {
         "unique-name-error": "Recipe names must be unique",
         "recipe-created": "Recipe Created",
-        "made-this-as-side": "{name} made this as a side",
-        "made-this-for-breakfast": "{name} made this for breakfast",
-        "made-this-for-lunch": "{name} made this for lunch",
-        "made-this-for-dinner": "{name} made this for dinner",
-        "made-this-for-snack": "{name} made this for a snack",
-        "made-this-for-drink": "{name} made this for a drink",
-        "made-this-for-dessert": "{name} made this for dessert",
         "recipe-image-deleted": "Recipe image deleted",
         "recipe-defaults": {
             "ingredient-note": "1 Cup Flour",

mealie/routes/auth/auth.py

@@ -134,6 +134,7 @@ async def oauth_callback(request: Request, session: Session = Depends(generate_s
             auth_provider = OpenIDProvider(session, userinfo, use_default_groups=True)
             auth = auth_provider.authenticate()
         except MissingClaimException:
+            logger.error("[OIDC] Required claims not present in ID token or userinfo endpoint")
             auth = None
 
     if not auth:

mealie/routes/media/media_recipe.py

@@ -58,6 +58,6 @@ async def get_recipe_asset(recipe_id: UUID4, file_name: str):
         raise HTTPException(status.HTTP_400_BAD_REQUEST)
 
     if file.exists():
-        return FileResponse(file)
+        return FileResponse(file, filename=file.name, content_disposition_type="attachment")
     else:
         raise HTTPException(status.HTTP_404_NOT_FOUND)

mealie/routes/recipe/recipe_crud_routes.py

@@ -80,6 +80,8 @@ from mealie.services.scraper.scraper_strategies import (
 
 from ._base import BaseRecipeController, JSONBytes
 
+ASSET_ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "gif", "webp", "bmp", "avif", "txt", "md", "csv", "json"}
+
 router = UserAPIRouter(prefix="/recipes", route_class=MealieCrudRoute)
 
 
@@ -660,6 +662,10 @@ class RecipeController(BaseRecipeController):
         if "." in extension:
             extension = extension.split(".")[-1]
 
+        extension = extension.lower()
+        if extension not in ASSET_ALLOWED_EXTENSIONS:
+            raise HTTPException(status_code=400, detail="Unsupported file extension")
+
         file_slug = slugify(name)
         if not extension or not file_slug:
             raise HTTPException(status_code=400, detail="Missing required fields")

mealie/routes/recipe/timeline_events.py

@@ -4,7 +4,6 @@ from functools import cached_property
 from fastapi import Depends, File, Form, HTTPException
 from pydantic import UUID4
 
-from mealie.lang.providers import get_locale_provider
 from mealie.repos.all_repositories import get_repositories
 from mealie.routes._base import BaseCrudController, controller
 from mealie.routes._base.mixins import HttpRepo
@@ -45,21 +44,6 @@ class RecipeTimelineEventsController(BaseCrudController):
             self.registered_exceptions,
         )
 
-    def _translate_event_subject(self, event: RecipeTimelineEventOut) -> None:
-        """Translate auto-generated event subjects stored as i18n key references.
-
-        Subjects are stored as ``<i18n-key>|<name>`` (e.g. ``recipe.made-this-for-dinner|Alice``).
-        Falls back to en-US when the requested locale has not yet been translated.
-        """
-        if event.event_type == TimelineEventType.info.value and "|" in event.subject:
-            key, _, name = event.subject.partition("|")
-            if key.startswith("recipe."):
-                translated = self.t(key, name=name)
-                if translated == key:
-                    translated = get_locale_provider("en-US").t(key, name=name)
-                if translated != key:
-                    event.subject = translated
-
     @router.get("", response_model=RecipeTimelineEventPagination)
     def get_all(self, q: PaginationQuery = Depends(PaginationQuery)):
         response = self.repo.page_all(
@@ -68,7 +52,8 @@ class RecipeTimelineEventsController(BaseCrudController):
         )
 
         for event in response.items:
-            self._translate_event_subject(event)
+            if event.event_type == TimelineEventType.system.value:
+                event.subject = self.t(event.subject)
 
         response.set_pagination_guides(router.url_path_for("get_all"), q.model_dump())
         return response
@@ -104,7 +89,8 @@ class RecipeTimelineEventsController(BaseCrudController):
     @router.get("/{item_id}", response_model=RecipeTimelineEventOut)
     def get_one(self, item_id: UUID4):
         event = self.mixins.get_one(item_id)
-        self._translate_event_subject(event)
+        if event.event_type == TimelineEventType.system.value:
+            event.subject = self.t(event.subject)
         return event
 
     @router.put("/{item_id}", response_model=RecipeTimelineEventOut)

mealie/services/recipe/recipe_service.py

@@ -38,6 +38,8 @@ from mealie.services.scraper import cleaner
 
 from .template_service import TemplateService
 
+RECIPE_CREATED_EVENT_SUBJECT = "recipe.recipe-created"
+
 
 class RecipeServiceBase(BaseService):
     def __init__(self, repos: AllRepositories, user: PrivateUser, household: HouseholdInDB, translator: Translator):
@@ -69,8 +71,19 @@ class RecipeService(RecipeServiceBase):
     def can_delete(self, recipe_slugs: list[str]) -> bool:
         if self.user.admin:
             return True
-        else:
-            return self.can_update(recipe_slugs)
+
+        # Deletion requires ownership; collaborative editing rules (can_update) do not apply
+        model = self.group_recipes.model
+        owned_count = self.group_recipes.session.scalar(
+            sa.select(sa.func.count())
+            .select_from(model)
+            .where(
+                model.slug.in_(recipe_slugs),
+                model.group_id == self.user.group_id,
+                model.user_id == self.user.id,
+            )
+        )
+        return owned_count == len(recipe_slugs)
 
     def can_update(self, recipe_slugs: list[str]) -> bool:
         sql = dedent(
@@ -224,7 +237,7 @@ class RecipeService(RecipeServiceBase):
         timeline_event_data = RecipeTimelineEventCreate(
             user_id=new_recipe.user_id,
             recipe_id=new_recipe.id,
-            subject=self.t("recipe.recipe-created"),
+            subject=RECIPE_CREATED_EVENT_SUBJECT,
             event_type=TimelineEventType.system,
             timestamp=new_recipe.created_at or datetime.now(UTC),
         )

mealie/services/scheduler/tasks/create_timeline_events.py

@@ -43,10 +43,12 @@ def _create_mealplan_timeline_events_for_household(
         if not user:
             continue
 
+        # TODO: make this translatable
         if mealplan.entry_type == PlanEntryType.side:
-            event_subject = f"recipe.made-this-as-side|{user.full_name}"
+            event_subject = f"{user.full_name} made this as a side"
+
         else:
-            event_subject = f"recipe.made-this-for-{mealplan.entry_type.value}|{user.full_name}"
+            event_subject = f"{user.full_name} made this for {mealplan.entry_type.value}"
 
         query_start_time = datetime.combine(datetime.now(UTC).date(), time.min)
         query_end_time = query_start_time + timedelta(days=1)

tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py

@@ -201,19 +201,12 @@ def test_delete_recipes_from_other_households(
     assert recipe_json["id"] == h2_recipe_id
 
     response = api_client.delete(api_routes.recipes_slug(recipe_json["slug"]), headers=unique_user.token)
-    if household_lock_recipe_edits:
-        assert response.status_code == 403
+    assert response.status_code == 403
 
-        # confirm the recipe still exists
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 200
-        assert response.json()["id"] == h2_recipe_id
-    else:
-        assert response.status_code == 200
-
-        # confirm the recipe was deleted
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 404
+    # confirm the recipe still exists
+    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
+    assert response.status_code == 200
+    assert response.json()["id"] == h2_recipe_id
 
 
 @pytest.mark.parametrize("is_private_household", [True, False])

tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py

@@ -87,6 +87,23 @@ def test_recipe_asset_exploit(api_client: TestClient, unique_user: TestUser, rec
     assert not (recipe.asset_dir / "test.txt").exists()
 
 
+def test_recipe_asset_dangerous_extension_blocked(
+    api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe
+):
+    """Ensure scriptable extensions are rejected to prevent stored XSS (GHSA-gfwc-pjx4-mg9p)."""
+    recipe = recipe_ingredient_only
+    for ext in ("html", "svg", "js", "htm", "xhtml"):
+        payload = {"name": random_string(10), "icon": "mdi-file", "extension": ext}
+        file_payload = {"file": b"<script>alert(1)</script>"}
+        response = api_client.post(
+            f"/api/recipes/{recipe.slug}/assets",
+            data=payload,
+            files=file_payload,
+            headers=unique_user.token,
+        )
+        assert response.status_code == 400, f"expected 400 for extension={ext}, got {response.status_code}"
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
     data_payload = {"extension": "jpg"}
     file_payload = {"image": data.images_test_image_1.read_bytes()}

tests/integration_tests/user_recipe_tests/test_recipe_owner.py

@@ -160,6 +160,24 @@ def test_other_user_cant_delete_recipe(api_client: TestClient, user_tuple: list[
     assert response.status_code == 403
 
 
+def test_other_user_cant_delete_unlocked_recipe(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not delete an unlocked recipe — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug = random_string(10)
+    unique_user, other_user = user_tuple
+
+    unique_user.repos.recipes.create(
+        Recipe(
+            user_id=unique_user.user_id,
+            group_id=unique_user.group_id,
+            name=slug,
+            settings=RecipeSettings(locked=False),
+        )
+    )
+
+    response = api_client.delete(api_routes.recipes_slug(slug), headers=other_user.token)
+    assert response.status_code == 403
+
+
 def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUser]):
     slug_locked = random_string(10)
     slug_unlocked = random_string(10)
@@ -190,6 +208,30 @@ def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUse
     assert response.status_code == 403
 
 
+def test_other_user_cant_bulk_delete_unlocked_recipes(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not bulk-delete unlocked recipes — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug_1 = random_string(10)
+    slug_2 = random_string(10)
+    unique_user, other_user = user_tuple
+
+    for slug in (slug_1, slug_2):
+        unique_user.repos.recipes.create(
+            Recipe(
+                user_id=unique_user.user_id,
+                group_id=unique_user.group_id,
+                name=slug,
+                settings=RecipeSettings(locked=False),
+            )
+        )
+
+    response = api_client.post(
+        api_routes.recipes_bulk_actions_delete,
+        json={"recipes": [slug_1, slug_2]},
+        headers=other_user.token,
+    )
+    assert response.status_code == 403
+
+
 def test_admin_can_delete_locked_recipe_owned_by_another_user(
     api_client: TestClient, unfiltered_database: AllRepositories, unique_user: TestUser, admin_user: TestUser
 ):

tests/integration_tests/user_recipe_tests/test_recipe_timeline_events.py

@@ -3,18 +3,24 @@ from uuid import uuid4
 import pytest
 from fastapi.testclient import TestClient
 
+from mealie.lang.providers import get_all_translations
 from mealie.schema.recipe.recipe import Recipe
 from mealie.schema.recipe.recipe_timeline_events import (
     RecipeTimelineEventOut,
     RecipeTimelineEventPagination,
     TimelineEventImage,
+    TimelineEventType,
 )
 from mealie.schema.recipe.request_helpers import UpdateImageResponse
+from mealie.services.recipe.recipe_service import RECIPE_CREATED_EVENT_SUBJECT
 from tests.utils import api_routes
 from tests.utils.factories import random_string
 from tests.utils.fixture_schemas import TestUser
 
 
+PERSISTED_TRANSLATION_KEYS = [RECIPE_CREATED_EVENT_SUBJECT]
+
+
 @pytest.fixture(scope="function")
 def recipes(api_client: TestClient, unique_user: TestUser):
     recipes = []
@@ -341,6 +347,50 @@ def test_create_recipe_with_timeline_event(
         assert events_pagination.items
 
 
+@pytest.mark.parametrize("translation_key", PERSISTED_TRANSLATION_KEYS)
+def test_persisted_translation_keys_have_translations(translation_key: str):
+    translations = get_all_translations(translation_key)
+    missing_translations = [locale for locale, translation in translations.items() if translation == translation_key]
+
+    assert missing_translations == []
+
+
+def test_recipe_created_system_event_is_translated(
+    api_client: TestClient,
+    unique_user: TestUser,
+    recipes: list[Recipe],
+):
+    recipe = recipes[0]
+    params = {"queryFilter": f"recipe_id={recipe.id}"}
+
+    # fetch events in French — the system "recipe created" event should be translated
+    fr_headers = {**unique_user.token, "Accept-Language": "fr-FR"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=fr_headers)
+    assert events_response.status_code == 200
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    assert system_events, "expected at least one system event for a newly created recipe"
+
+    for event in system_events:
+        assert event.subject == "Recette créée", f"expected French translation, got: {event.subject!r}"
+
+        # also verify the individual GET endpoint translates correctly
+        single_response = api_client.get(api_routes.recipes_timeline_events_item_id(event.id), headers=fr_headers)
+        assert single_response.status_code == 200
+        single_event = RecipeTimelineEventOut.model_validate(single_response.json())
+        assert single_event.subject == "Recette créée"
+
+    # fetch the same events in English — subject should be the English string
+    en_headers = {**unique_user.token, "Accept-Language": "en-US"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=en_headers)
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    for event in system_events:
+        assert event.subject == "Recipe Created", f"expected English string, got: {event.subject!r}"
+
+
 @pytest.mark.parametrize("use_other_household_user", [True, False])
 def test_invalid_recipe_id(
     api_client: TestClient, unique_user: TestUser, h2_user: TestUser, use_other_household_user: bool

tests/unit_tests/services_tests/scheduler/tasks/test_create_timeline_events.py

@@ -13,49 +13,6 @@ from tests.utils.factories import random_int, random_string
 from tests.utils.fixture_schemas import TestUser
 
 
-def _create_recipe_and_mealplan(api_client: TestClient, user: TestUser, entry_type: str) -> tuple[RecipeSummary, int]:
-    recipe_name = random_string(length=25)
-    response = api_client.post(api_routes.recipes, json={"name": recipe_name}, headers=user.token)
-    assert response.status_code == 201
-
-    response = api_client.get(api_routes.recipes_slug(recipe_name), headers=user.token)
-    recipe = RecipeSummary.model_validate(response.json())
-
-    params = {"queryFilter": f"recipe_id={recipe.id}"}
-    response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=user.token)
-    initial_event_count = len(response.json()["items"])
-
-    new_plan = CreatePlanEntry(date=datetime.now(UTC).date(), entry_type=entry_type, recipe_id=recipe.id).model_dump(
-        by_alias=True
-    )
-    new_plan["date"] = datetime.now(UTC).date().isoformat()
-    new_plan["recipeId"] = str(recipe.id)
-    response = api_client.post(api_routes.households_mealplans, json=new_plan, headers=user.token)
-    assert response.status_code == 201
-
-    return recipe, initial_event_count
-
-
-def _get_mealplan_event(
-    api_client: TestClient, user: TestUser, recipe: RecipeSummary, initial_count: int, extra_headers: dict
-) -> dict:
-    create_mealplan_timeline_events()
-
-    params = {
-        "page": "1",
-        "perPage": "-1",
-        "orderBy": "created_at",
-        "orderDirection": "desc",
-        "queryFilter": f"recipe_id={recipe.id}",
-    }
-    response = api_client.get(
-        api_routes.recipes_timeline_events, headers={**user.token, **extra_headers}, params=params
-    )
-    items = response.json()["items"]
-    assert len(items) == initial_count + 1
-    return items[0]
-
-
 def test_no_mealplans():
     # make sure this task runs successfully even if it doesn't do anything
     create_mealplan_timeline_events()
@@ -294,27 +251,3 @@ def test_preserve_future_made_date(api_client: TestClient, unique_user: TestUser
     response = api_client.get(api_routes.households_self_recipes_recipe_slug(recipe.slug), headers=h2_user.token)
     household_recipe = HouseholdRecipeSummary.model_validate(response.json())
     assert household_recipe.last_made is None
-
-
-def test_mealplan_event_subject_is_translated(api_client: TestClient, unique_user: TestUser):
-    """Mealplan timeline event subjects are stored as i18n keys and translated at serve time."""
-    # --- dinner entry type ---
-    recipe, initial_count = _create_recipe_and_mealplan(api_client, unique_user, "dinner")
-    event = _get_mealplan_event(api_client, unique_user, recipe, initial_count, {"Accept-Language": "en-US"})
-
-    expected = f"{unique_user.full_name} made this for dinner"
-    assert event["subject"] == expected, f"expected {expected!r}, got {event['subject']!r}"
-
-    # --- side entry type uses a distinct phrase ---
-    recipe2, initial_count2 = _create_recipe_and_mealplan(api_client, unique_user, "side")
-    event2 = _get_mealplan_event(api_client, unique_user, recipe2, initial_count2, {"Accept-Language": "en-US"})
-
-    expected2 = f"{unique_user.full_name} made this as a side"
-    assert event2["subject"] == expected2, f"expected {expected2!r}, got {event2['subject']!r}"
-
-    # --- locale fallback: fr-FR doesn't have these keys yet, should fall back to en-US ---
-    recipe3, initial_count3 = _create_recipe_and_mealplan(api_client, unique_user, "lunch")
-    event3 = _get_mealplan_event(api_client, unique_user, recipe3, initial_count3, {"Accept-Language": "fr-FR"})
-
-    expected3 = f"{unique_user.full_name} made this for lunch"
-    assert event3["subject"] == expected3, f"expected en-US fallback {expected3!r}, got {event3['subject']!r}"