authorsyuilo <Syuilotan@yahoo.co.jp>2023-02-21 14:47:11 +0900
committersyuilo <Syuilotan@yahoo.co.jp>2023-02-21 14:47:11 +0900
commitb161f38710ef725528d7e221995d506dfcf0ba24 (patch)
tree7dd7f0d0eaad0fd37a81ec0238ab728c3f9e86df /packages/backend/src/server/api/endpoints
parentenhance(client): MFMのx3, x4が含まれていたらノートをたたむよ... (diff)
fix(server): improve security of admin/drive/show-file
Diffstat (limited to 'packages/backend/src/server/api/endpoints')
-rw-r--r--packages/backend/src/server/api/endpoints/admin/drive/show-file.ts16
1 files changed, 12 insertions, 4 deletions
diff --git a/packages/backend/src/server/api/endpoints/admin/drive/show-file.ts b/packages/backend/src/server/api/endpoints/admin/drive/show-file.ts
index 6376cb153c..85b566aabe 100644
--- a/packages/backend/src/server/api/endpoints/admin/drive/show-file.ts
+++ b/packages/backend/src/server/api/endpoints/admin/drive/show-file.ts
@@ -1,5 +1,5 @@
import { Inject, Injectable } from '@nestjs/common';
-import type { DriveFilesRepository } from '@/models/index.js';
+import type { DriveFilesRepository, UsersRepository } from '@/models/index.js';
import { Endpoint } from '@/server/api/endpoint-base.js';
import { DI } from '@/di-symbols.js';
import { RoleService } from '@/core/RoleService.js';
@@ -161,6 +161,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
@Inject(DI.driveFilesRepository)
private driveFilesRepository: DriveFilesRepository,
+ @Inject(DI.usersRepository)
+ private usersRepository: UsersRepository,
+
private roleService: RoleService,
) {
super(meta, paramDef, async (ps, me) => {
@@ -178,7 +181,12 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
throw new ApiError(meta.errors.noSuchFile);
}
- const isModerator = await this.roleService.isModerator(me);
+ const owner = file.userId ? await this.usersRepository.findOneByOrFail({
+ id: file.userId,
+ }) : null;
+
+ const iAmModerator = await this.roleService.isModerator(me);
+ const ownerIsModerator = owner ? await this.roleService.isModerator(owner) : false;
return {
id: file.id,
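Review bot: The `findOneByOrFail` lookup on the new owner line makes a drive file whose `userId` no longer resolves to a user row (a dangling reference) surface as an unhandled repository error rather than a controlled API response, and the `ownerIsModerator` check is skipped for that file entirely. Since the code already handles the no-owner case with `null`, the same path would cover a missing row: `const owner = file.userId ? await this.usersRepository.findOneBy({ id: file.userId }) : null;` keeps `ownerIsModerator` at `false` and lets the endpoint still answer. The callback passed to `super(...)` begins in the previous hunk and continues past this one, so the full flow is not visible here; I am assuming `this.roleService.isModerator` accepts the entity returned by the users repository, as it does for `me`.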
@@ -207,8 +215,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
name: file.name,
md5: file.md5,
createdAt: file.createdAt.toISOString(),
- requestIp: isModerator ? file.requestIp : null,
- requestHeaders: isModerator ? file.requestHeaders : null,
+ requestIp: iAmModerator ? file.requestIp : null,
+ requestHeaders: iAmModerator && !ownerIsModerator ? file.requestHeaders : null,
};
});
}
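Review bot: The two guards in this hunk are asymmetric: `requestHeaders` is withheld when the uploader is a moderator, but `requestIp` on the line above is still returned to any moderator regardless of who uploaded the file, so a moderator's IP remains visible to other moderators while their headers do not. If that is deliberate (IP kept for moderation of abuse, headers treated as more sensitive), a one-line comment above `requestIp` stating the reason would keep the next reader from "fixing" it; if not, both lines should share the same gate, `requestIp: iAmModerator && !ownerIsModerator ? file.requestIp : null,`. Either way the rule deserves a short note in the endpoint's `meta` description so API consumers know when these fields are `null`.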