From 73b804f7ed373e9365a9975c8236b47b907fa78d Mon Sep 17 00:00:00 2001
From: Bladestar2105 <55372949+Bladestar2105@users.noreply.github.com>
Date: Wed, 6 May 2026 08:31:18 +0200
Subject: [PATCH] fix(security): cap EPG XML text node growth during import

---
 src/services/epgService.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/services/epgService.js b/src/services/epgService.js
index 64f0746..8a2d928 100644
--- a/src/services/epgService.js
+++ b/src/services/epgService.js
@@ -103,6 +103,7 @@ export async function importEpgFromUrl(url, sourceType, sourceId) {
 
         // Implement node-xml-stream for robust streaming XML parsing
         const parser = new XmlStream();
+        const MAX_XML_TEXT_NODE_LENGTH = 50 * 1024; // 50KB safeguard against unbounded text growth
 
         let currentTag = null;
         let currentChannel = null;
@@ -163,7 +164,14 @@ export async function importEpgFromUrl(url, sourceType, sourceId) {
             });
 
             const appendText = (text) => {
-                 if (currentChannel && currentTag === 'display-name') {
+                if (currentText.length + text.length > MAX_XML_TEXT_NODE_LENGTH) {
+                    reject(new Error(`EPG XML text node exceeds ${MAX_XML_TEXT_NODE_LENGTH} bytes limit`));
+                    stream.destroy();
+                    parser.end();
+                    return;
+                }
+
+                if (currentChannel && currentTag === 'display-name') {
                     currentText += text;
                 } else if (currentProgram && (currentTag === 'title' || currentTag === 'desc')) {
                     currentText += text;