[BUG] - Uploading a recipe image accepts non image files #5120

Open
6 tasks done
ph-256 opened this issue Feb 27, 2025 · 0 comments
Labels
bug Something isn't working triage

ph-256 commented Feb 27, 2025

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

Internal server error as a response and a possible malicious file left behind in the recipe folder.

Steps to Reproduce

When I manually create or edit a recipe and use the upload button to upload an image, I pass a non-image file (.exe) that generates an internal error and the file remains in the recipe folder as "original.exe".

Please provide relevant logs

cat mealie.log
[ERROR|httptools_impl|L414] 2025-02-27T23:31:52: Exception in ASGI application
Traceback (most recent call last):
File "/opt/pysetup/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/httptools_impl.py", line 409, in run_asgi
result = await app( # type: ignore[func-returns-value]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in call
return await self.app(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in call
await super().call(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/applications.py", line 113, in call
await self.middleware_stack(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in call
raise exc
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in call
await self.app(scope, receive, _send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/sessions.py", line 85, in call
await self.app(scope, receive, send_wrapper)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 20, in call
await responder(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 39, in call
await self.app(scope, receive, self.send_with_gzip)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in call
await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/routing.py", line 715, in call
await self.middleware_stack(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/app/mealie/routes/_base/routers.py", line 35, in custom_route_handler
response = await original_route_handler(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 214, in run_endpoint_function
return await run_in_threadpool(dependant.call, **values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/starlette/concurrency.py", line 39, in run_in_threadpool
return await anyio.to_thread.run_sync(func, *args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/anyio/to_thread.py", line 33, in run_sync
return await get_asynclib().run_sync_in_worker_thread(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 877, in run_sync_in_worker_thread
return await future
^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 807, in run
result = context.run(func, *args)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/mealie/routes/recipe/recipe_crud_routes.py", line 528, in update_recipe_image
data_service.write_image(image, extension)
File "/app/mealie/services/recipe/recipe_data_service.py", line 107, in write_image
self.minifier.minify(image_path)
File "/app/mealie/pkgs/img/minify.py", line 130, in minify
PillowMinifier.to_webp(image_file, org_dest, quality=70)
File "/app/mealie/pkgs/img/minify.py", line 98, in to_webp
return PillowMinifier._convert_image(image_file, WEBP, dest, quality)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/mealie/pkgs/img/minify.py", line 82, in _convert_image
img = Image.open(image_file)
^^^^^^^^^^^^^^^^^^^^^^
File "/opt/pysetup/.venv/lib/python3.12/site-packages/PIL/Image.py", line 3532, in open
raise UnidentifiedImageError(msg)
PIL.UnidentifiedImageError: cannot identify image file '/app/data/recipes/f6a0bce9-7bb7-4067-929b-b971c704eebf/images/original.exe'

Mealie Version

mealie:v2.6.0

Deployment

Docker (Linux)

Additional Deployment Details

No response

@ph-256 ph-256 added bug Something isn't working triage labels Feb 27, 2025
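
The traceback shows why the file is left behind: `write_image` has already stored the upload as `original.exe`, named after the uploaded file's extension, by the time `Image.open` rejects it in the minify step. The following is an added example, not Mealie's code, of the reverse order: check the content first, write to a temporary name, and publish the final file only after the post-write step succeeds. `store_image`, `sniff_extension`, `RejectedUpload`, the signature allowlist and the `convert` callback are hypothetical names chosen for illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of the formats this example accepts (assumed allowlist).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class RejectedUpload(ValueError):
    """Raised when the payload is not an allowed image type."""


def sniff_extension(data: bytes) -> str:
    """Return an extension chosen from the content, never from the client."""
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ext
    # WebP: RIFF container, 4-byte size field, then the 'WEBP' tag.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    raise RejectedUpload("content does not match an allowed image format")


def store_image(data: bytes, image_dir: Path, convert=lambda p: None) -> Path:
    """Validate, then write; leave nothing behind if any step fails.

    `convert` is a hypothetical stand-in for a post-write step such as the
    minify/WebP conversion seen in the traceback.
    """
    ext = sniff_extension(data)  # reject before touching the disk
    image_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=image_dir, suffix=".part")
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        convert(tmp)  # may raise on a corrupt or unsupported image
        final = image_dir / f"original.{ext}"
        os.replace(tmp, final)  # atomic publish under a server-chosen name
        return final
    except BaseException:
        tmp.unlink(missing_ok=True)  # no orphaned upload on failure
        raise
```

The signature check is only a first gate; the image decoder remains the real validation, and the cleanup path covers the case where it fails. A handler calling this can map `RejectedUpload` to a 4xx response instead of the 500 in the log.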