authorMarie <marie@kaifa.ch>2023-12-31 19:20:52 +0100
committerMarie <marie@kaifa.ch>2023-12-31 19:21:59 +0100
commit3ec00398a3302100648d9b8819e095391a8683f9 (patch)
treead91a284998a3050e00d7af36614eb41bea2d0be /packages/backend/src/server/api/endpoints
parentmerge: pleroma note import - Use hashed filename for exists check (#283) (diff)
fix: security with notes/show endpoint
Diffstat (limited to 'packages/backend/src/server/api/endpoints')
-rw-r--r--packages/backend/src/server/api/endpoints/notes/show.ts29
1 files changed, 22 insertions, 7 deletions
diff --git a/packages/backend/src/server/api/endpoints/notes/show.ts b/packages/backend/src/server/api/endpoints/notes/show.ts
index 5bb8196543..b3107f6754 100644
--- a/packages/backend/src/server/api/endpoints/notes/show.ts
+++ b/packages/backend/src/server/api/endpoints/notes/show.ts
@@ -3,10 +3,12 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { NoteEntityService } from '@/core/entities/NoteEntityService.js';
-import { GetterService } from '@/server/api/GetterService.js';
+import { DI } from '@/di-symbols.js';
+import type { NotesRepository } from '@/models/_.js';
+import { QueryService } from '@/core/QueryService.js';
import { ApiError } from '../../error.js';
export const meta = {
@@ -40,14 +42,27 @@ export const paramDef = {
@Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
constructor(
+ @Inject(DI.notesRepository)
+ private notesRepository: NotesRepository,
+
private noteEntityService: NoteEntityService,
- private getterService: GetterService,
+ private queryService: QueryService,
) {
super(meta, paramDef, async (ps, me) => {
- const note = await this.getterService.getNote(ps.noteId).catch(err => {
- if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
- throw err;
- });
+ const query = await this.notesRepository.createQueryBuilder('note')
+ .where('note.id = :noteId', { noteId: ps.noteId });
+
+ this.queryService.generateVisibilityQuery(query, me);
+ if (me) {
+ this.queryService.generateMutedUserQuery(query, me);
+ this.queryService.generateBlockedUserQuery(query, me);
+ }
+
+ const note = await query.getOne();
+
+ if (note === null) {
+ throw new ApiError(meta.errors.noSuchNote);
+ }
return await this.noteEntityService.pack(note, me, {
detail: true,