fix: security with notes/show endpoint

This commit is contained in:
Marie 2023-12-31 19:20:52 +01:00
parent 233eff48f3
commit 3ec00398a3
No known key found for this signature in database
GPG Key ID: 56569BBE47D2C828
1 changed files with 22 additions and 7 deletions

View File

@ -3,10 +3,12 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { Injectable } from '@nestjs/common';
import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { NoteEntityService } from '@/core/entities/NoteEntityService.js';
import { GetterService } from '@/server/api/GetterService.js';
import { DI } from '@/di-symbols.js';
import type { NotesRepository } from '@/models/_.js';
import { QueryService } from '@/core/QueryService.js';
import { ApiError } from '../../error.js';
export const meta = {
@ -40,14 +42,27 @@ export const paramDef = {
@Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
constructor(
@Inject(DI.notesRepository)
private notesRepository: NotesRepository,
private noteEntityService: NoteEntityService,
private getterService: GetterService,
private queryService: QueryService,
) {
super(meta, paramDef, async (ps, me) => {
const note = await this.getterService.getNote(ps.noteId).catch(err => {
if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
throw err;
});
const query = await this.notesRepository.createQueryBuilder('note')
.where('note.id = :noteId', { noteId: ps.noteId });
this.queryService.generateVisibilityQuery(query, me);
if (me) {
this.queryService.generateMutedUserQuery(query, me);
this.queryService.generateBlockedUserQuery(query, me);
}
const note = await query.getOne();
if (note === null) {
throw new ApiError(meta.errors.noSuchNote);
}
return await this.noteEntityService.pack(note, me, {
detail: true,