Mitigate pull_request_target privilege escalation

Hotfix — replaces pull_request_target with pull_request to stop granting write permissions and secrets to fork PRs. Some workflows will break; can be fixed properly later.
perf
2026-03-07 10:46:19 +00:00 · 2026-02-20 19:10:39 -05:00 · 2025-12-14 11:32:19 -07:00 · 2025-12-14 10:55:39 -07:00
6 changed files with 58 additions and 18 deletions
--- a/.github/workflows/ci-compat.yml
+++ b/.github/workflows/ci-compat.yml
@@ -1,6 +1,6 @@
 name: ABI Compatibility
 on:
-  pull_request_target:
+  pull_request:

 permissions: {}

@@ -77,7 +77,7 @@ jobs:
      pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)

    name: ABI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    needs:
      - abi-head
--- a/.github/workflows/ci-openapi.yml
+++ b/.github/workflows/ci-openapi.yml
@@ -5,7 +5,7 @@ on:
      - master
    tags:
      - 'v*'
-  pull_request_target:
+  pull_request:

 permissions: {}

@@ -73,7 +73,7 @@ jobs:
      pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)

    name: OpenAPI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    needs:
      - openapi-head
@@ -148,7 +148,7 @@ jobs:

  publish-unstable:
    name: OpenAPI - Publish Unstable Spec
-    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
    runs-on: ubuntu-latest
    needs:
      - openapi-head
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -4,7 +4,7 @@ on:
    types:
      - created
      - edited
-  pull_request_target:
+  pull_request:
    types:
      - labeled
      - synchronize
--- a/.github/workflows/project-automation.yml
+++ b/.github/workflows/project-automation.yml
@@ -4,7 +4,7 @@ on:
  push:
    branches:
      - master
-  pull_request_target:
+  pull_request:
  issue_comment:

 permissions: {}
--- a/.github/workflows/pull-request-conflict.yml
+++ b/.github/workflows/pull-request-conflict.yml
@@ -4,7 +4,7 @@ on:
  push:
    branches:
      - master
-  pull_request_target:
+  pull_request:
  issue_comment:

 permissions: {}
@@ -16,7 +16,7 @@ jobs:
    steps:
      - name: Apply label
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request_target'}}
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request'}}
        with:
          dirtyLabel: 'merge conflict'
          commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'
--- a/Jellyfin.Server.Implementations/Item/BaseItemRepository.cs
+++ b/Jellyfin.Server.Implementations/Item/BaseItemRepository.cs
@@ -434,7 +434,7 @@ public sealed class BaseItemRepository

    private IQueryable<BaseItemEntity> PrepareItemQuery(JellyfinDbContext context, InternalItemsQuery filter)
    {
-        IQueryable<BaseItemEntity> dbQuery = context.BaseItems;
+        IQueryable<BaseItemEntity> dbQuery = context.BaseItems.AsNoTracking();
        dbQuery = dbQuery.AsSingleQuery();

        return dbQuery;
@@ -442,35 +442,75 @@ public sealed class BaseItemRepository

    private IReadOnlyList<BaseItemEntity> GetEntities(IQueryable<BaseItemEntity> dbQuery, JellyfinDbContext context, InternalItemsQuery filter)
    {
-        var items = dbQuery.AsEnumerable().Where(e => e is not null).ToArray();
-        var itemIds = items.Select(e => e.Id).ToArray();
+        var items = dbQuery.Where(e => e != null).ToDictionary(e => e.Id, e => e);
+        var itemIds = items.Keys.ToArray();
+
+        if (itemIds.Length == 0)
+        {
+            return [];
+        }

        if (filter.TrailerTypes.Length > 0 || filter.IncludeItemTypes.Contains(BaseItemKind.Trailer))
        {
-            context.BaseItemTrailerTypes.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+            var values = context.BaseItemTrailerTypes.WhereOneOrMany(itemIds, e => e.ItemId).GroupBy(x => x.ItemId).ToArray();
+            foreach (var value in values)
+            {
+                if (items.TryGetValue(value.Key, out var item))
+                {
+                    item.TrailerTypes = value.ToArray();
+                }
+            }
        }

        if (filter.DtoOptions.ContainsField(ItemFields.ProviderIds))
        {
-            context.BaseItemProviders.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+            var values = context.BaseItemProviders.WhereOneOrMany(itemIds, e => e.ItemId).GroupBy(x => x.ItemId).ToArray();
+            foreach (var value in values)
+            {
+                if (items.TryGetValue(value.Key, out var item))
+                {
+                    item.Provider = value.ToArray();
+                }
+            }
        }

        if (filter.DtoOptions.ContainsField(ItemFields.Settings))
        {
-            context.BaseItemMetadataFields.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+            var values = context.BaseItemMetadataFields.WhereOneOrMany(itemIds, e => e.ItemId).GroupBy(x => x.ItemId).ToArray();
+            foreach (var value in values)
+            {
+                if (items.TryGetValue(value.Key, out var item))
+                {
+                    item.LockedFields = value.ToArray();
+                }
+            }
        }

        if (filter.DtoOptions.EnableImages)
        {
-            context.BaseItemImageInfos.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+            var values = context.BaseItemImageInfos.WhereOneOrMany(itemIds, e => e.ItemId).GroupBy(x => x.ItemId).ToArray();
+            foreach (var value in values)
+            {
+                if (items.TryGetValue(value.Key, out var item))
+                {
+                    item.Images = value.ToArray();
+                }
+            }
        }

        if (filter.DtoOptions.EnableUserData)
        {
-            context.UserData.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+            var values = context.UserData.WhereOneOrMany(itemIds, e => e.ItemId).GroupBy(x => x.ItemId).ToArray();
+            foreach (var value in values)
+            {
+                if (items.TryGetValue(value.Key, out var item))
+                {
+                    item.UserData = value.ToArray();
+                }
+            }
        }

-        return items;
+        return items.Values.ToArray();
    }

    /// <inheritdoc/>
Author	SHA1	Message	Date
Andrew Rabert	851fe12ee9	Mitigate pull_request_target privilege escalation Hotfix — replaces pull_request_target with pull_request to stop granting write permissions and secrets to fork PRs. Some workflows will break; can be fixed properly later.	2026-02-20 19:10:39 -05:00
Cody Robibero	45d51568e7	perf	2025-12-14 11:32:19 -07:00
Cody Robibero	c370de77de	Manually map instead of relying on changetracker	2025-12-14 10:55:39 -07:00