From 42d9da161b56d38a04fb4f25c7d063bdea880ff0 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Tue, 14 May 2024 16:58:06 +0100
Subject: [PATCH] first basic protection - #524

---
 packages/backend/src/core/NoteCreateService.ts | 8 ++++++++
 packages/backend/src/core/NoteEditService.ts   | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/packages/backend/src/core/NoteCreateService.ts b/packages/backend/src/core/NoteCreateService.ts
index 631d7074bd..d51315f71f 100644
--- a/packages/backend/src/core/NoteCreateService.ts
+++ b/packages/backend/src/core/NoteCreateService.ts
@@ -627,6 +627,14 @@ export class NoteCreateService implements OnApplicationShutdown {
 			userHost: user.host,
 		});
 
+		// should really not happen, but better safe than sorry
+		if (data.reply?.id === insert.id) {
+			throw new Error("A note can't reply to itself");
+		}
+		if (data.renote?.id === insert.id) {
+			throw new Error("A note can't renote itself");
+		}
+
 		if (data.uri != null) insert.uri = data.uri;
 		if (data.url != null) insert.url = data.url;
 
diff --git a/packages/backend/src/core/NoteEditService.ts b/packages/backend/src/core/NoteEditService.ts
index 72fc01ae3b..435f5f017a 100644
--- a/packages/backend/src/core/NoteEditService.ts
+++ b/packages/backend/src/core/NoteEditService.ts
@@ -299,6 +299,10 @@ export class NoteEditService implements OnApplicationShutdown {
 		}
 
 		if (data.renote) {
+			if (data.renote.id === oldnote.id) {
+				throw new Error("A note can't renote itself");
+			}
+
 			switch (data.renote.visibility) {
 				case 'public':
 					// public noteは無条件にrenote可能