fix: security with notes/show endpoint

packages/backend/src/server/api/endpoints/notes/show.ts

@@ -3,10 +3,12 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { NoteEntityService } from '@/core/entities/NoteEntityService.js';
-import { GetterService } from '@/server/api/GetterService.js';
+import { DI } from '@/di-symbols.js';
+import type { NotesRepository } from '@/models/_.js';
+import { QueryService } from '@/core/QueryService.js';
 import { ApiError } from '../../error.js';
 
 export const meta = {
@@ -40,14 +42,27 @@ export const paramDef = {
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
+		@Inject(DI.notesRepository)
+		private notesRepository: NotesRepository,
+		
 		private noteEntityService: NoteEntityService,
-		private getterService: GetterService,
+		private queryService: QueryService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const note = await this.getterService.getNote(ps.noteId).catch(err => {
-				if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
-				throw err;
-			});
+			const query = await this.notesRepository.createQueryBuilder('note')
+				.where('note.id = :noteId', { noteId: ps.noteId });
+
+			this.queryService.generateVisibilityQuery(query, me);
+			if (me) {
+				this.queryService.generateMutedUserQuery(query, me);
+				this.queryService.generateBlockedUserQuery(query, me);
+			}
+			
+			const note = await query.getOne();
+
+			if (note === null) {
+				throw new ApiError(meta.errors.noSuchNote);
+			}
 
 			return await this.noteEntityService.pack(note, me, {
 				detail: true,