security: gh security recs

[hay-kot]

What type of PR is this?

(REQUIRED)

• security
• bug

What this PR does / why we need it:

Addresses several security concerns raised by external audit/review

1. All user HTTP requests now use a custom Transport class that applies a timeout and blocks known internal address spaces
2. Note that you can't simple whitelist specific IP's, you must resolve the domain name first and then check the address space of the resolved IP. This prevents attackers from creating a DNS entry that resolves to a local address space and using that url to attack a Mealie instance.

Also, note that these are mitigations, they are not 100% fixes.

Which issue(s) this PR fixes:

• Closes fix: Add 127.0.1.1 to exclude list #3364

Special notes for your reviewer:

I've tested locally and all the automated testing should pass. If possible, I would like another reviewer to pull down these changes and attempt to

1. Scrape a few recipes from different domains
2. Use the Scrape Image functionality to pull external images into Mealie from a few different domains.

Testing

See Above

[boc-the-git]

The code changes all look good.
In testing the happy path, everything went well (i.e. I can still import recipes and images from legitimate internet sites.

In testing the negative path (trying to access things on my internal network), things came unstuck.

This first series of images is when accessing my Vikunja instance via the URL/reverse proxy (note I installed ping in the dev container to confirm what it's resolving to):

Then for a further test, I popped the IP/port in directly, avoiding the reverse proxy and any DNS resolution:

@hay-kot I'm interested in whether you can replicate this scenario.

I dug a bit deeper, and wanted to get some evidence of what was happening, which this code change and error message shows.. effectively the IP is None, rather than 192.168.x.y as I'd expect.

[p0lycarpio]

Along the same lines as the ALLOW_SIGNUP variable which was set to False, I suggest setting all groups to private by default when they are created. This is an additional security measure and also when using Mealie for the first time the user would be redirected to the login/welcome page instead of the empty group.
What is your opinion ?

The change would be made in the group_preferences.py schema. I don't know the impacts though.

[boc-the-git]

@p0lycarpio do you want to raise a feature request for that (or discuss it on Discord)?
We wouldn't likely tackle that under this PR.

That's more a privacy issue than a security issue, if you take my meaning.
I don't have strong feelings on it one way or the other; other people might.

[hay-kot]

@boc-the-git should be good now. Thanks to some folks on discord it's 99% less bad too!

[boc-the-git]

The check here doesn't align with the comment.. should this be checking for ... > 2?
I won't stop this delaying a merge, but will circle back to it, via Discord.

[boc-the-git]

... > 1 will always be true, except in some weird scenario where : was the first or last character of netloc (and tbh I'm not certain what happens in that scenario)

[tba-code]

It was a typo.

[boc-the-git]

@hay-kot see this log.. showing that even when user:pass is included in the url, it was being stripped out before getting to this netloc variable. Thus, the check on parts is irrelevant here.

[boc-the-git]

@hay-kot this has my blessing, but note I had to make a fix. Please review, and merge/release as desired.