From 3ec00398a3302100648d9b8819e095391a8683f9 Mon Sep 17 00:00:00 2001 From: Marie Date: Sun, 31 Dec 2023 19:20:52 +0100 Subject: [PATCH] fix: security with notes/show endpoint --- .../src/server/api/endpoints/notes/show.ts | 29 ++++++++++++++----- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/packages/backend/src/server/api/endpoints/notes/show.ts b/packages/backend/src/server/api/endpoints/notes/show.ts index 5bb8196543..b3107f6754 100644 --- a/packages/backend/src/server/api/endpoints/notes/show.ts +++ b/packages/backend/src/server/api/endpoints/notes/show.ts @@ -3,10 +3,12 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Injectable } from '@nestjs/common'; +import { Inject, Injectable } from '@nestjs/common'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { NoteEntityService } from '@/core/entities/NoteEntityService.js'; -import { GetterService } from '@/server/api/GetterService.js'; +import { DI } from '@/di-symbols.js'; +import type { NotesRepository } from '@/models/_.js'; +import { QueryService } from '@/core/QueryService.js'; import { ApiError } from '../../error.js'; export const meta = { @@ -40,14 +42,27 @@ export const paramDef = { @Injectable() export default class extends Endpoint { // eslint-disable-line import/no-default-export constructor( + @Inject(DI.notesRepository) + private notesRepository: NotesRepository, + private noteEntityService: NoteEntityService, - private getterService: GetterService, + private queryService: QueryService, ) { super(meta, paramDef, async (ps, me) => { - const note = await this.getterService.getNote(ps.noteId).catch(err => { - if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote); - throw err; - }); + const query = await this.notesRepository.createQueryBuilder('note') + .where('note.id = :noteId', { noteId: ps.noteId }); + + this.queryService.generateVisibilityQuery(query, me); + if (me) { + this.queryService.generateMutedUserQuery(query, me); + this.queryService.generateBlockedUserQuery(query, me); + } + + const note = await query.getOne(); + + if (note === null) { + throw new ApiError(meta.errors.noSuchNote); + } return await this.noteEntityService.pack(note, me, { detail: true,