fix(security): guard EPG XML importer against oversized text nodes #602

Closed
Bladestar2105 wants to merge 1 commit into main from codex/propose-fix-for-epg-xml-dos-vulnerability

@Bladestar2105
Owner

Motivation

  • The streaming EPG importer parsed untrusted provider XML and accumulated text for display-name, title, and desc without any per-node size limit, enabling a remote provider to cause unbounded memory growth and a DoS.

Description

  • Add a per-node text-size cap MAX_XML_TEXT_NODE_LENGTH = 50 * 1024 to the streaming parser in src/services/epgService.js.
  • Enforce the cap in the shared appendText handler and abort the import by rejecting the parser promise, calling stream.destroy(), and closing the parser when the limit is exceeded.
  • This change bounds text accumulation for display-name, title, and desc while preserving the existing GZIP handling, streaming node-xml-stream flow, and batch DB insertion logic.

Testing

  • Ran npm run lint, which completed successfully and reported only pre-existing warnings.
  • Ran npm test -- epgService, which found no matching tests in the repository.
  • Ran npm run build, which completed successfully.

Codex Task


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 73b804f7ed

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


const appendText = (text) => {
if (currentChannel && currentTag === 'display-name') {
if (currentText.length + text.length > MAX_XML_TEXT_NODE_LENGTH) {
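
Review bot: The comparison `currentText.length + text.length > MAX_XML_TEXT_NODE_LENGTH` measures UTF-16 code units, assuming both operands are strings, so the cap described as 50 * 1024 bounds characters rather than bytes of memory. State the unit in a comment next to the constant. None of the three lines shown resets `currentText`, so also confirm it is cleared whenever a new element opens; otherwise the sum does not describe the node currently being read.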
P2: Apply text-size cap only to tracked XML node content

The new guard runs before checking whether we are inside display-name, title, or desc, so it uses stale currentText from a previous tracked node when handling later text events. This causes false rejections: a title just under 50KB can still fail when a subsequent non-tracked text node (for example <category>) is parsed, because the condition compares that new text against the previous node’s accumulated length. Move the size check inside the same branches that append to currentText (or reset currentText on every text-bearing tag) so the cap is truly per-node.

Useful? React with 👍 / 👎.
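
The placement problem described in the review comment above, as an added example that is not code from this pull request or repository. It models only the text handler; `makeImporter`, `run`, the event tuples and the assumption that `currentText` is reset only when a tracked element opens are hypothetical.

```javascript
// Added example: hypothetical model of the handler, not the project's parser.
const MAX_XML_TEXT_NODE_LENGTH = 50 * 1024; // value from the PR description
const TRACKED = new Set(['display-name', 'title', 'desc']);

// checkBeforeBranch=true reproduces the placement the review comment flags.
function makeImporter({ checkBeforeBranch }) {
  let currentTag = null;
  let currentText = '';
  const overLimit = (text) =>
    currentText.length + text.length > MAX_XML_TEXT_NODE_LENGTH;
  return {
    open(tag) {
      currentTag = tag;
      // Assumption: only tracked tags reset the buffer, so it is stale elsewhere.
      if (TRACKED.has(tag)) currentText = '';
    },
    text(text) {
      if (checkBeforeBranch && overLimit(text)) {
        throw new Error(`text node too large near <${currentTag}>`);
      }
      if (!TRACKED.has(currentTag)) return; // untracked text is never buffered
      if (overLimit(text)) {
        throw new Error(`text node too large in <${currentTag}>`);
      }
      currentText += text; // a node may arrive as several text events
    },
    close() {
      currentTag = null;
    },
  };
}

// Replays constructed parser events; returns 'ok' or the rejection message.
function run(events, options) {
  const importer = makeImporter(options);
  try {
    for (const [kind, value] of events) importer[kind](value);
    return 'ok';
  } catch (err) {
    return err.message;
  }
}

// Constructed input: a title just under the cap, then an untracked <category>.
const nearCap = 'a'.repeat(MAX_XML_TEXT_NODE_LENGTH - 10);
const sample = [
  ['open', 'title'], ['text', nearCap], ['close', 'title'],
  ['open', 'category'], ['text', 'Documentary film'], ['close', 'category'],
];
```

With the check inside the tracked branch the sample imports cleanly, while an oversized or multi-chunk `desc` is still rejected.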

@Bladestar2105 Bladestar2105 deleted the codex/propose-fix-for-epg-xml-dos-vulnerability branch May 7, 2026 16:20