From bd11dabf899e3b3623e33673dea4727a7234a5ae Mon Sep 17 00:00:00 2001
From: jaina heartles
Date: Sun, 3 Mar 2024 21:09:39 -0800
Subject: [PATCH] Reject DMs where recipients don't match mentions

---
 packages/backend/src/core/NoteCreateService.ts | 10 ++++++++++
 .../backend/src/server/api/endpoints/notes/create.ts | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/packages/backend/src/core/NoteCreateService.ts b/packages/backend/src/core/NoteCreateService.ts
index b985846f1..ad4e76616 100644
--- a/packages/backend/src/core/NoteCreateService.ts
+++ b/packages/backend/src/core/NoteCreateService.ts
@@ -367,6 +367,16 @@ export class NoteCreateService implements OnApplicationShutdown {
 if (data.visibility === 'specified') {
 if (data.visibleUsers == null) throw new Error('invalid param');
 
+ // Check that mentions and recipients are the same set if note originates locally
+ if (user.host == null) {
+ if (mentionedUsers.length !== data.visibleUsers.length) {
+ throw new IdentifiableError('9d311820-f927-463c-ae38-b7435c6a9f4f', 'Note recipients and mentions must match');
+ }
+ if (!mentionedUsers.every((mention) => data.visibleUsers.some((visible) => mention.id === visible.id))) {
+ throw new IdentifiableError('9d311820-f927-463c-ae38-b7435c6a9f4f', 'Note recipients and mentions must match');
+ }
+ }
+
 for (const u of data.visibleUsers) {
 if (!mentionedUsers.some(x => x.id === u.id)) {
 mentionedUsers.push(u);
diff --git a/packages/backend/src/server/api/endpoints/notes/create.ts b/packages/backend/src/server/api/endpoints/notes/create.ts
index 8dec6c747..31c41e0e7 100644
--- a/packages/backend/src/server/api/endpoints/notes/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/create.ts
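Review bot: The comparison at `if (mentionedUsers.length !== data.visibleUsers.length)` followed by the one-way `every`/`some` check only proves the two lists are equal as sets when neither contains the same id twice; if either list can carry duplicates (mentions are resolved and possibly deduplicated outside this hunk, so I cannot confirm it here), a note that mentions one recipient twice and names that user plus a second recipient passes the check with the second recipient never mentioned. Folding both conditions into one guard states the intent and removes the duplicated throw: `if (mentionedUsers.length !== data.visibleUsers.length || !mentionedUsers.every((mention) => data.visibleUsers.some((visible) => mention.id === visible.id))) {`. Under strictNullChecks the `== null` narrowing of `data.visibleUsers` may not carry into the arrow callbacks unless that property is readonly, so hoisting `const visibleUsers = data.visibleUsers;` right after the null check and using it in both closures avoids needing a non-null assertion. The enclosing method begins and ends outside the hunk.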
@@ -139,6 +139,12 @@ export const meta = {
 code: 'CONTAINS_TOO_MANY_MENTIONS',
 id: '4de0363a-3046-481b-9b0f-feff3e211025',
 },
+
+ visibleUsersAndMentionsMustMatch: {
+ message: 'Cannot send message because message recipients and mentioned users must match',
+ code: 'RECIPIENTS_MUST_MATCH_MENTIONED_USERS',
+ id: 'ba675fa7-e993-4267-a20e-c611141742af',
+ },
 },
 } as const;
 
@@ -408,6 +414,8 @@ export default class extends Endpoint { // eslint-
 throw new ApiError(meta.errors.containsProhibitedWords);
 } else if (e.id === '9f466dab-c856-48cd-9e65-ff90ff750580') {
 throw new ApiError(meta.errors.containsTooManyMentions);
+ } else if (e.id === '9d311820-f927-463c-ae38-b7435c6a9f4f') {
+ throw new ApiError(meta.errors.visibleUsersAndMentionsMustMatch);
 }
 }
 throw e;
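Review bot: The id `'9d311820-f927-463c-ae38-b7435c6a9f4f'` in the new `else if` branch is a bare literal that has to stay in sync with the one thrown from NoteCreateService, with nothing tying the two files together at compile time; exporting it from the service as a named constant (for example `export const RECIPIENTS_MISMATCH_ERROR_ID = '9d311820-f927-463c-ae38-b7435c6a9f4f';`) and comparing `e.id === RECIPIENTS_MISMATCH_ERROR_ID` here would make a future id change safe. The existing literal comparisons in this chain have the same weakness, but that is outside this commit's scope. A short comment on the new `visibleUsersAndMentionsMustMatch` entry in the meta hunk above, such as `// Raised only for locally authored 'specified' notes whose recipients differ from the mentioned users; see NoteCreateService`, would tell API consumers when to expect RECIPIENTS_MUST_MATCH_MENTIONED_USERS. The enclosing catch block starts outside the hunk.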