Mitigate pull_request_target privilege escalation

Hotfix — replaces pull_request_target with pull_request to stop
granting write permissions and secrets to fork PRs. Some workflows
will break; can be fixed properly later.

.github/workflows/ci-compat.yml

@@ -1,6 +1,6 @@
 name: ABI Compatibility
 on:
-  pull_request_target:
+  pull_request:
 
 permissions: {}
 
@@ -77,7 +77,7 @@ jobs:
       pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
 
     name: ABI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     needs:
       - abi-head

.github/workflows/ci-openapi.yml

@@ -5,7 +5,7 @@ on:
       - master
     tags:
       - 'v*'
-  pull_request_target:
+  pull_request:
 
 permissions: {}
 
@@ -73,7 +73,7 @@ jobs:
       pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
 
     name: OpenAPI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head
@@ -148,7 +148,7 @@ jobs:
 
   publish-unstable:
     name: OpenAPI - Publish Unstable Spec
-    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head

.github/workflows/commands.yml

@@ -4,7 +4,7 @@ on:
     types:
       - created
       - edited
-  pull_request_target:
+  pull_request:
     types:
       - labeled
       - synchronize

.github/workflows/project-automation.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
   issue_comment:
 
 permissions: {}

.github/workflows/pull-request-conflict.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
   issue_comment:
 
 permissions: {}
@@ -16,7 +16,7 @@ jobs:
     steps:
       - name: Apply label
         uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request_target'}}
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request'}}
         with:
           dirtyLabel: 'merge conflict'
           commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'

Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs

@@ -33,9 +33,11 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.OpenApi.Any;
 using Microsoft.OpenApi.Interfaces;
 using Microsoft.OpenApi.Models;
+using Swashbuckle.AspNetCore.Swagger;
 using Swashbuckle.AspNetCore.SwaggerGen;
 using AuthenticationSchemes = Jellyfin.Api.Constants.AuthenticationSchemes;
 
@@ -259,7 +261,8 @@ namespace Jellyfin.Server.Extensions
                 c.OperationFilter<FileRequestFilter>();
                 c.OperationFilter<ParameterObsoleteFilter>();
                 c.DocumentFilter<AdditionalModelFilter>();
-            });
+            })
+            .Replace(ServiceDescriptor.Transient<ISwaggerProvider, CachingOpenApiProvider>());
         }
 
         private static void AddPolicy(this AuthorizationOptions authorizationOptions, string policyName, IAuthorizationRequirement authorizationRequirement)

Jellyfin.Server/Filters/CachingOpenApiProvider.cs

@@ -0,0 +1,89 @@
+using System;
+using System.Threading;
+using Microsoft.AspNetCore.Mvc.ApiExplorer;
+using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.Options;
+using Microsoft.OpenApi.Models;
+using Swashbuckle.AspNetCore.Swagger;
+using Swashbuckle.AspNetCore.SwaggerGen;
+
+namespace Jellyfin.Server.Filters;
+
+/// <summary>
+/// OpenApi provider with caching.
+/// </summary>
+internal sealed class CachingOpenApiProvider : ISwaggerProvider
+{
+    private const string CacheKey = "openapi.json";
+
+    private static readonly MemoryCacheEntryOptions _cacheOptions = new() { SlidingExpiration = TimeSpan.FromMinutes(5) };
+    private static readonly SemaphoreSlim _lock = new(1, 1);
+    private static readonly TimeSpan _lockTimeout = TimeSpan.FromSeconds(1);
+
+    private readonly IMemoryCache _memoryCache;
+    private readonly SwaggerGenerator _swaggerGenerator;
+    private readonly SwaggerGeneratorOptions _swaggerGeneratorOptions;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="CachingOpenApiProvider"/> class.
+    /// </summary>
+    /// <param name="optionsAccessor">The options accessor.</param>
+    /// <param name="apiDescriptionsProvider">The api descriptions provider.</param>
+    /// <param name="schemaGenerator">The schema generator.</param>
+    /// <param name="memoryCache">The memory cache.</param>
+    public CachingOpenApiProvider(
+        IOptions<SwaggerGeneratorOptions> optionsAccessor,
+        IApiDescriptionGroupCollectionProvider apiDescriptionsProvider,
+        ISchemaGenerator schemaGenerator,
+        IMemoryCache memoryCache)
+    {
+        _swaggerGeneratorOptions = optionsAccessor.Value;
+        _swaggerGenerator = new SwaggerGenerator(_swaggerGeneratorOptions, apiDescriptionsProvider, schemaGenerator);
+        _memoryCache = memoryCache;
+    }
+
+    /// <inheritdoc />
+    public OpenApiDocument GetSwagger(string documentName, string? host = null, string? basePath = null)
+    {
+        if (_memoryCache.TryGetValue(CacheKey, out OpenApiDocument? openApiDocument) && openApiDocument is not null)
+        {
+            return AdjustDocument(openApiDocument, host, basePath);
+        }
+
+        var acquired = _lock.Wait(_lockTimeout);
+        try
+        {
+            if (_memoryCache.TryGetValue(CacheKey, out openApiDocument) && openApiDocument is not null)
+            {
+                return AdjustDocument(openApiDocument, host, basePath);
+            }
+
+            if (!acquired)
+            {
+                throw new InvalidOperationException("OpenApi document is generating");
+            }
+
+            openApiDocument = _swaggerGenerator.GetSwagger(documentName);
+            _memoryCache.Set(CacheKey, openApiDocument, _cacheOptions);
+            return AdjustDocument(openApiDocument, host, basePath);
+        }
+        finally
+        {
+            if (acquired)
+            {
+                _lock.Release();
+            }
+        }
+    }
+
+    private OpenApiDocument AdjustDocument(OpenApiDocument document, string? host, string? basePath)
+    {
+        document.Servers = _swaggerGeneratorOptions.Servers.Count != 0
+            ? _swaggerGeneratorOptions.Servers
+            : string.IsNullOrEmpty(host) && string.IsNullOrEmpty(basePath)
+                ? []
+                : [new OpenApiServer { Url = $"{host}{basePath}" }];
+
+        return document;
+    }
+}