harden search parsing and qobuz refresh validation

2026-06-17 15:05:39 +02:00 · 2026-04-21 19:04:33 +02:00
parent de4e561377
commit c67be72869
5 changed files with 86 additions and 2 deletions
--- a/internal/download/downloader.go
+++ b/internal/download/downloader.go
@@ -147,6 +147,9 @@ func (d *Downloader) FileDeezerEncrypted(ctx context.Context, sourceURL, outputP
 	if resp.ContentLength > 0 && totalRead != resp.ContentLength {
 		return io.ErrUnexpectedEOF
 	}
+	if err = out.Sync(); err != nil {
+		return err
+	}
 	success = true
 	return nil
 }
@@ -229,6 +232,9 @@ func (d *Downloader) file(ctx context.Context, sourceURL, outputPath string, all
 		if resp.ContentLength > 0 && totalWritten != resp.ContentLength {
 			return io.ErrUnexpectedEOF
 		}
+		if err = out.Sync(); err != nil {
+			return err
+		}
 	} else {
 		written, copyErr := io.Copy(out, reader)
 		if copyErr != nil {
--- a/internal/provider/qobuz/client.go
+++ b/internal/provider/qobuz/client.go
@@ -146,9 +146,21 @@ func (c *Client) refreshAppCredentials(ctx context.Context, q *config.QobuzConfi
 		return err
 	}
 	q.AppID = strings.TrimSpace(appID)
-	q.Secrets = append([]string(nil), secrets...)
+	if q.AppID == "" {
+		return errors.New("qobuz app credential refresh returned empty app_id")
+	}
+	clean := make([]string, 0, len(secrets))
+	for _, s := range secrets {
+		if v := strings.TrimSpace(s); v != "" {
+			clean = append(clean, v)
+		}
+	}
+	if len(clean) == 0 {
+		return errors.New("qobuz app credential refresh returned no secrets")
+	}
+	q.Secrets = append([]string(nil), clean...)
 	c.cfg.File.Qobuz.AppID = q.AppID
-	c.cfg.File.Qobuz.Secrets = append([]string(nil), secrets...)
+	c.cfg.File.Qobuz.Secrets = append([]string(nil), clean...)
 	_ = c.cfg.SaveFile()
 	return nil
 }
--- a/internal/provider/qobuz/client_test.go
+++ b/internal/provider/qobuz/client_test.go
@@ -373,3 +373,15 @@ func qobuzSecretSig(requestTS, secret string) string {
 	hash := md5.Sum([]byte(raw))
 	return hex.EncodeToString(hash[:])
 }
+
+func TestRefreshAppCredentialsRejectsEmptyData(t *testing.T) {
+	d := config.DefaultConfigData()
+	c := New(&config.Config{File: d, Session: d})
+	c.fetchCfg = func(context.Context) (string, []string, error) {
+		return "", []string{" "}, nil
+	}
+	err := c.refreshAppCredentials(context.Background(), &c.cfg.Session.Qobuz)
+	if err == nil {
+		t.Fatalf("expected error for empty refreshed app credentials")
+	}
+}