Fix review and CodeQL comments

2026-05-13 04:06:31 +01:00 · 2026-05-04 21:33:10 +02:00
parent 57c0fcd674
commit 6be96100c7
2 changed files with 15 additions and 7 deletions
--- a/src/Jellyfin.LiveTv/Listings/ListingsManager.cs
+++ b/src/Jellyfin.LiveTv/Listings/ListingsManager.cs
@@ -337,11 +337,18 @@ public class ListingsManager : IListingsManager
        // Clear in-memory EPG channel cache for this provider
        _epgChannels.TryRemove(providerId, out _);

+        // Provider IDs are generated as Guid.NewGuid().ToString("N")
+        // reject anything else so we never use untrusted input in a path or log entry.
+        if (!Guid.TryParseExact(providerId, "N", out var providerGuid))
+        {
+            return;
+        }
+
        // Delete the cached XMLTV file so a fresh copy is downloaded
        var cachePath = _config.CommonApplicationPaths?.CachePath;
        if (!string.IsNullOrEmpty(cachePath))
        {
-            var safeId = Path.GetFileName(providerId);
+            var safeId = providerGuid.ToString("N", CultureInfo.InvariantCulture);
            var xmltvCacheFile = Path.Combine(cachePath, "xmltv", safeId + ".xml");
            try
            {
@@ -349,7 +356,7 @@ public class ListingsManager : IListingsManager
            }
            catch (IOException ex)
            {
-                _logger.LogWarning(ex, "Error deleting XMLTV cache file for provider {ProviderId}", providerId);
+                _logger.LogWarning(ex, "Error deleting XMLTV cache file for provider {ProviderId}", safeId);
            }
        }
    }
--- a/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs
@@ -107,11 +107,12 @@ public class TunerHostManager : ITunerHostManager
        config.TunerHosts = config.TunerHosts.Where(i => !string.Equals(id, i.Id, StringComparison.OrdinalIgnoreCase)).ToArray();
        _config.SaveConfiguration("livetv", config);

-        // Clean up the disk cache file for this tuner
-        if (!string.IsNullOrEmpty(id))
+        // Clean up the disk cache file for this tuner.
+        // Tuner IDs are generated as Guid.NewGuid().ToString("N")
+        // reject anything else so we never use untrusted input in a path or log entry
+        if (Guid.TryParseExact(id, "N", out var tunerGuid))
        {
-            // Sanitize to prevent path traversal — tuner IDs are GUIDs but come from config.
-            var safeId = Path.GetFileName(id);
+            var safeId = tunerGuid.ToString("N", CultureInfo.InvariantCulture);
            var channelCacheFile = Path.Combine(_config.CommonApplicationPaths.CachePath, safeId + "_channels");
            try
            {
@@ -119,7 +120,7 @@ public class TunerHostManager : ITunerHostManager
            }
            catch (IOException ex)
            {
-                _logger.LogWarning(ex, "Error deleting channel cache file for tuner {TunerId}", id);
+                _logger.LogWarning(ex, "Error deleting channel cache file for tuner {TunerId}", safeId);
            }
        }