Tandoor Recipes
cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*
- 23.05
- 23.11
- 24.05
- 24.11
- 25.05
- 25.11
A vulnerability in Tandoor Recipes, a recipe manager that can be installed via the Nix package manager, allows the SQLite database file to be unintentionally exposed over the internet. This issue affects Tandoor Recipes versions 23.05, 23.11, 24.05, 24.11, 25.05, and 25.11. The vulnerability arises because the default configuration sets both the working directory and 'MEDIA_ROOT' to '/var/lib/tandoor-recipes'. As a result, the 'db.sqlite3' database file is created inside the directory that is served as media, where it can be fetched over HTTP without authentication, just like any other media file. The exposure occurs when 'GUNICORN_MEDIA' is enabled or when a web server such as Nginx is configured to serve the media directory.
The default configuration of Tandoor Recipes exposes the entire SQLite database file to the internet, potentially leading to unauthorized access to recipe data and other information stored in the database.
To reproduce this vulnerability, install Tandoor Recipes using the Nix package manager with the default settings. Ensure that 'GUNICORN_MEDIA' is set to true or that a web server like Nginx is configured to serve media files. Once Tandoor Recipes is running, the 'db.sqlite3' file can be accessed through the web server, demonstrating the exposure of the database.
Users can move 'MEDIA_ROOT' to a subdirectory within '/var/lib/tandoor-recipes' so that the database file no longer lies inside the served directory. After relocating the media files, update the Tandoor Recipes configuration to reflect the new 'MEDIA_ROOT' path. For NixOS versions 26.05 and later, this adjustment is not necessary, as the default 'MEDIA_ROOT' is already a subfolder of the data directory. NixOS 25.11 also includes the patch, but it requires user intervention to take effect.
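The following is an added audit script, not part of this advisory or of the Tandoor or NixOS projects. It reads a Tandoor '.env' fragment and reports whether 'db.sqlite3' in the working directory falls inside 'MEDIA_ROOT' and would therefore be served when 'GUNICORN_MEDIA' is on (or when Nginx serves media, which the caller must state, since the env file cannot reveal it). The data directory '/var/lib/tandoor-recipes' and the two sample env fragments are constructed from the description above; the assumption that a missing 'MEDIA_ROOT' falls back to the data directory mirrors the affected NixOS default, not Tandoor's own settings.

```python
import posixpath

DEFAULT_DATA_DIR = "/var/lib/tandoor-recipes"  # working directory per the advisory
DB_FILENAME = "db.sqlite3"                      # created by Django in the working directory

# Constructed sample env fragments: the affected default and the recommended fix.
AFFECTED_ENV = "MEDIA_ROOT=/var/lib/tandoor-recipes\nGUNICORN_MEDIA=1\n"
HARDENED_ENV = "MEDIA_ROOT=/var/lib/tandoor-recipes/media\nGUNICORN_MEDIA=1\n"


def parse_env(text):
    """Minimal KEY=VALUE parser for an env fragment; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def truthy(value):
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def path_within(path, root):
    """True if path is root itself or lies below it, after normalising '..' and trailing slashes."""
    p, r = posixpath.normpath(path), posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def audit(env_text, data_dir=DEFAULT_DATA_DIR, nginx_serves_media=False):
    """Return the paths involved and whether the database would be served as a media file."""
    env = parse_env(env_text)
    # Assumption: an unset MEDIA_ROOT behaves like the affected NixOS default (the data dir).
    media_root = env.get("MEDIA_ROOT", data_dir)
    db_path = posixpath.join(data_dir, DB_FILENAME)
    db_in_media = path_within(db_path, media_root)
    media_served = truthy(env.get("GUNICORN_MEDIA", "0")) or nginx_serves_media
    return {
        "media_root": posixpath.normpath(media_root),
        "db_path": db_path,
        "db_inside_media_root": db_in_media,
        "exposed": db_in_media and media_served,
    }


if __name__ == "__main__":
    for label, env in (("affected default", AFFECTED_ENV), ("hardened", HARDENED_ENV)):
        print(label, audit(env))
```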