mealie-recipes / mealie

Mealie is a self-hosted recipe manager and meal planner with a REST API backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes into your database by providing the URL and Mealie will automatically import the relevant data, or add a family recipe with the UI editor.
https://docs.mealie.io
GNU Affero General Public License v3.0

[SECURITY] - Audit NEEDED, so many unprotected endpoints #3941

Closed FireFingers21 closed 1 week ago

FireFingers21 commented 1 month ago

Hello,

Looking at the docs for how to use the API, I came across a lot of endpoints that require zero authentication to access. This includes the http://<your-mealie-site>/docs site, which lets anybody see all available endpoints on my server and which ones are unprotected. This also includes exposing user ids (among ALL other recipe data) through recipe queries, then using that to get their pictures from image queries. The list goes on.

With that said, I no longer feel that running Mealie on my server is safe, and as of right now, others should consider the security risks of using Mealie too.

Onto solutions, I think a full audit is in order of every mealie webpage and API endpoint. I would much prefer everything be protected by default, with better configuration options to open up specific endpoints should the admin choose (right now I see no easy way to protect these vulnerable endpoints). Since the majority of users are probably using Mealie for its web interface rather than its API, this would offer the best security posture by default, while still allowing flexibility with the API. This would also probably solve a lot of the security issues already outlined in the documentation's Security page, as it's completely unreasonable to suggest third-party security tools for endpoints you selectively don't protect.

I've enjoyed using Mealie otherwise, so I look forward to hearing back from you about potential fixes so I can start using it once again.

hay-kot commented 1 month ago

> This includes the http://<your-mealie-site>/docs site,

Given that this is an open source project, I don't really understand how having this endpoint exposed is any different than the source code being widely available. Security through obscurity isn't actual security, it's just pretend.

You can turn this off by setting API_DOCS=false in your configuration as is documented.

> This also includes exposing user ids (among ALL other recipe data) through recipe queries, then using that to get their pictures from image queries. The list goes on.

You can configure your group to be private which will disable the Recipe queries from unauthenticated users.

> as it's completely unreasonable to suggest third-party security tools for endpoints you selectively don't protect.

I don't think this assessment is fair at all. Every single production application I've worked on professionally that was deployed to the public internet used 3rd party tooling to properly secure the application. It is unreasonable to expect application developers to re-implement security mitigation tools within their app when they are easily accessible through other means.

--

We'd be happy to look at any actual vulnerabilities, but to me this just sounds like stuff you don't like and could potentially disable through configuration anyways.

Do you have specific vulnerabilities you'd like us to look into?

--

Edit:

Sorry if any of this sounds combative, I just don't know what we're supposed to do with "I think a full audit is in order of every mealie webpage and API endpoint".

FireFingers21 commented 1 month ago

> This includes the http://<your-mealie-site>/docs site,

Seeing the "Authorize" buttons, I mistakenly perceived the docs site to also be a configuration site. I agree that security through obscurity is a non-issue.

> You can configure your group to be private which will disable the Recipe queries from unauthenticated users.

This might be a vulnerability then. The "Private Group" checkbox states it "overrides an individual recipes public view settings", but it doesn't. I need to disable the "Allow users outside of your group to see your recipes" checkbox, otherwise my "Private Group" defaults to creating public recipes queryable by anyone over the API.

> It is unreasonable to expect application developers to re-implement security mitigation tools within their app when they are easily accessible through other means.

You're totally right about that, and I'm not asking you to reinvent the wheel with the app's security when the wheel already exists. What I am asking is since it seems like you've already implemented authentication for most endpoints anyway, why not add an option to protect all of them?

I appreciate your understanding, and don't worry about sounding combative. My intention was not to come off all doom and gloom and demand a bunch of busywork. I just found discrepancies in how certain data is exposed, and wanted an option to secure more of it with functionality I assume is already built into Mealie.
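An added illustration (not Mealie's code, and not from either participant) of the two visibility policies the comment above contrasts: the reported behaviour, where the "Private Group" flag does not override a recipe's own public setting, beside the deny-by-default evaluation the checkbox text promises. The dataclass names, the anonymous-viewer convention and the `audit` helper are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model (assumption, not Mealie's data model) of the two
# group-level switches discussed in the thread plus a recipe's public flag.

@dataclass(frozen=True)
class GroupSettings:
    private: bool                 # "Private Group" checkbox
    allow_outside_viewers: bool   # "Allow users outside of your group to see your recipes"

@dataclass(frozen=True)
class Recipe:
    group_id: str
    public: bool                  # per-recipe public view setting

@dataclass(frozen=True)
class Viewer:
    group_id: Optional[str]       # None models an unauthenticated API request

def visible_as_reported(recipe: Recipe, group: GroupSettings, viewer: Viewer) -> bool:
    """Behaviour the issue reports: the private flag is not consulted, so only
    the outside-viewers switch and the recipe's own flag gate anonymous access."""
    if viewer.group_id == recipe.group_id:
        return True
    return group.allow_outside_viewers and recipe.public

def visible_as_documented(recipe: Recipe, group: GroupSettings, viewer: Viewer) -> bool:
    """What the checkbox text promises: a private group overrides every
    per-recipe public flag. Deny by default; every gate must pass."""
    if viewer.group_id == recipe.group_id:
        return True
    if group.private:
        return False
    return group.allow_outside_viewers and recipe.public

def audit(recipes: List[Recipe], group: GroupSettings, viewer: Viewer) -> List[Recipe]:
    """Recipes the viewer can read under the reported behaviour but not under
    the documented one, i.e. the exposure gap an admin would want to find."""
    return [r for r in recipes
            if visible_as_reported(r, group, viewer)
            and not visible_as_documented(r, group, viewer)]

if __name__ == "__main__":
    # Constructed sample: a private group that left the outside-viewers switch on.
    settings = GroupSettings(private=True, allow_outside_viewers=True)
    sample = [Recipe("family", public=True), Recipe("family", public=False)]
    for r in audit(sample, settings, Viewer(group_id=None)):
        print("exposed despite private group:", r)
```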

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.