Mitigate pull_request_target privilege escalation

Hotfix — replaces pull_request_target with pull_request to stop
granting write permissions and secrets to fork PRs. Some workflows
will break; can be fixed properly later.

.github/workflows/ci-compat.yml

@@ -1,6 +1,6 @@
 name: ABI Compatibility
 on:
-  pull_request_target:
+  pull_request:
 
 permissions: {}
 
@@ -77,7 +77,7 @@ jobs:
       pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
 
     name: ABI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     needs:
       - abi-head

.github/workflows/ci-openapi.yml

@@ -5,7 +5,7 @@ on:
       - master
     tags:
       - 'v*'
-  pull_request_target:
+  pull_request:
 
 permissions: {}
 
@@ -73,7 +73,7 @@ jobs:
       pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
 
     name: OpenAPI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head
@@ -148,7 +148,7 @@ jobs:
 
   publish-unstable:
     name: OpenAPI - Publish Unstable Spec
-    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head

.github/workflows/commands.yml

@@ -4,7 +4,7 @@ on:
     types:
       - created
       - edited
-  pull_request_target:
+  pull_request:
     types:
       - labeled
       - synchronize

.github/workflows/project-automation.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
   issue_comment:
 
 permissions: {}

.github/workflows/pull-request-conflict.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - master
-  pull_request_target:
+  pull_request:
   issue_comment:
 
 permissions: {}
@@ -16,7 +16,7 @@ jobs:
     steps:
       - name: Apply label
         uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
-        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request_target'}}
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request'}}
         with:
           dirtyLabel: 'merge conflict'
           commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'

Jellyfin.Server.Implementations/Item/BaseItemRepository.cs

@@ -275,9 +275,8 @@ public sealed class BaseItemRepository
         }
 
         dbQuery = ApplyQueryPaging(dbQuery, filter);
-        dbQuery = ApplyNavigations(dbQuery, filter);
 
-        result.Items = dbQuery.AsEnumerable().Where(e => e is not null).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
+        result.Items = GetEntities(dbQuery, context, filter).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
         result.StartIndex = filter.StartIndex ?? 0;
         return result;
     }
@@ -295,9 +294,8 @@ public sealed class BaseItemRepository
 
         dbQuery = ApplyGroupingFilter(context, dbQuery, filter);
         dbQuery = ApplyQueryPaging(dbQuery, filter);
-        dbQuery = ApplyNavigations(dbQuery, filter);
 
-        return dbQuery.AsEnumerable().Where(e => e is not null).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
+        return GetEntities(dbQuery, context, filter).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
     }
 
     /// <inheritdoc/>
@@ -339,9 +337,7 @@ public sealed class BaseItemRepository
         mainquery = ApplyGroupingFilter(context, mainquery, filter);
         mainquery = ApplyQueryPaging(mainquery, filter);
 
-        mainquery = ApplyNavigations(mainquery, filter);
+        return GetEntities(mainquery, context, filter).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
-
-        return mainquery.AsEnumerable().Where(e => e is not null).Select(w => DeserializeBaseItem(w, filter.SkipDeserialization)).ToArray();
     }
 
     /// <inheritdoc />
@@ -408,36 +404,6 @@ public sealed class BaseItemRepository
         return dbQuery;
     }
 
-    private static IQueryable<BaseItemEntity> ApplyNavigations(IQueryable<BaseItemEntity> dbQuery, InternalItemsQuery filter)
-    {
-        if (filter.TrailerTypes.Length > 0 || filter.IncludeItemTypes.Contains(BaseItemKind.Trailer))
-        {
-            dbQuery = dbQuery.Include(e => e.TrailerTypes);
-        }
-
-        if (filter.DtoOptions.ContainsField(ItemFields.ProviderIds))
-        {
-            dbQuery = dbQuery.Include(e => e.Provider);
-        }
-
-        if (filter.DtoOptions.ContainsField(ItemFields.Settings))
-        {
-            dbQuery = dbQuery.Include(e => e.LockedFields);
-        }
-
-        if (filter.DtoOptions.EnableUserData)
-        {
-            dbQuery = dbQuery.Include(e => e.UserData);
-        }
-
-        if (filter.DtoOptions.EnableImages)
-        {
-            dbQuery = dbQuery.Include(e => e.Images);
-        }
-
-        return dbQuery;
-    }
-
     private IQueryable<BaseItemEntity> ApplyQueryPaging(IQueryable<BaseItemEntity> dbQuery, InternalItemsQuery filter)
     {
         if (filter.Limit.HasValue || filter.StartIndex.HasValue)
@@ -463,18 +429,50 @@ public sealed class BaseItemRepository
         dbQuery = TranslateQuery(dbQuery, context, filter);
         dbQuery = ApplyGroupingFilter(context, dbQuery, filter);
         dbQuery = ApplyQueryPaging(dbQuery, filter);
-        dbQuery = ApplyNavigations(dbQuery, filter);
         return dbQuery;
     }
 
     private IQueryable<BaseItemEntity> PrepareItemQuery(JellyfinDbContext context, InternalItemsQuery filter)
     {
-        IQueryable<BaseItemEntity> dbQuery = context.BaseItems.AsNoTracking();
+        IQueryable<BaseItemEntity> dbQuery = context.BaseItems;
         dbQuery = dbQuery.AsSingleQuery();
 
         return dbQuery;
     }
 
+    private IReadOnlyList<BaseItemEntity> GetEntities(IQueryable<BaseItemEntity> dbQuery, JellyfinDbContext context, InternalItemsQuery filter)
+    {
+        var items = dbQuery.AsEnumerable().Where(e => e is not null).ToArray();
+        var itemIds = items.Select(e => e.Id).ToArray();
+
+        if (filter.TrailerTypes.Length > 0 || filter.IncludeItemTypes.Contains(BaseItemKind.Trailer))
+        {
+            context.BaseItemTrailerTypes.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+        }
+
+        if (filter.DtoOptions.ContainsField(ItemFields.ProviderIds))
+        {
+            context.BaseItemProviders.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+        }
+
+        if (filter.DtoOptions.ContainsField(ItemFields.Settings))
+        {
+            context.BaseItemMetadataFields.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+        }
+
+        if (filter.DtoOptions.EnableImages)
+        {
+            context.BaseItemImageInfos.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+        }
+
+        if (filter.DtoOptions.EnableUserData)
+        {
+            context.UserData.WhereOneOrMany(itemIds, e => e.ItemId).Load();
+        }
+
+        return items;
+    }
+
     /// <inheritdoc/>
     public int GetCount(InternalItemsQuery filter)
     {