fix(server): improve security of admin/drive/show-file

syuilo 2023-02-21 14:47:11 +09:00
parent a7f464147d
commit b161f38710


@ -1,5 +1,5 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import type { DriveFilesRepository } from '@/models/index.js'; import type { DriveFilesRepository, UsersRepository } from '@/models/index.js';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { RoleService } from '@/core/RoleService.js'; import { RoleService } from '@/core/RoleService.js';
@ -161,6 +161,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
@Inject(DI.driveFilesRepository) @Inject(DI.driveFilesRepository)
private driveFilesRepository: DriveFilesRepository, private driveFilesRepository: DriveFilesRepository,
@Inject(DI.usersRepository)
private usersRepository: UsersRepository,
private roleService: RoleService, private roleService: RoleService,
) { ) {
super(meta, paramDef, async (ps, me) => { super(meta, paramDef, async (ps, me) => {
@ -178,7 +181,12 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
throw new ApiError(meta.errors.noSuchFile); throw new ApiError(meta.errors.noSuchFile);
} }
const isModerator = await this.roleService.isModerator(me); const owner = file.userId ? await this.usersRepository.findOneByOrFail({
id: file.userId,
}) : null;
const iAmModerator = await this.roleService.isModerator(me);
const ownerIsModerator = owner ? await this.roleService.isModerator(owner) : false;
return { return {
id: file.id, id: file.id,
@ -207,8 +215,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
name: file.name, name: file.name,
md5: file.md5, md5: file.md5,
createdAt: file.createdAt.toISOString(), createdAt: file.createdAt.toISOString(),
requestIp: isModerator ? file.requestIp : null, requestIp: iAmModerator ? file.requestIp : null,
requestHeaders: isModerator ? file.requestHeaders : null, requestHeaders: iAmModerator && !ownerIsModerator ? file.requestHeaders : null,
}; };
}); });
} }
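Review bot: `requestIp` in the last hunk is still returned to any moderator even when the file's owner is a moderator, because only `requestHeaders` gained the `!ownerIsModerator` condition. If the intent is to stop one moderator from reading another moderator's upload metadata, the source IP is at least as identifying as the headers and should get the same gate: `requestIp: iAmModerator && !ownerIsModerator ? file.requestIp : null,`. Separately, `findOneByOrFail` in the third hunk rejects with a TypeORM error rather than an `ApiError` if the owner row is missing, so a dangling `file.userId` (if the schema allows one) would surface as an internal error. Using `findOneBy` and treating a missing owner as `null` would keep the endpoint usable for such files. The handler and the returned object span lines outside the visible hunks, so other fields were not reviewed.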