Merge pull request from GHSA-7pxq-6xx9-xpgm

* fix: fix improper authorization when accessing with third-party application * refactor: refactor type definitions * fix: get rid of unnecessary access limitation * enhance: サードパーティアプリケーションがWebsocket APIを使えるように * fix: add missing parentheses * Revert "fix(backend): add missing kind definition for admin endpoints to improve security" This reverts commit 5150053. * frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする * enhance(test): misskey-GHSA-7pxq-6xx9-xpgmに関するテストを追加 * enhance(test): Websocket APIに対するテストも追加 * enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合 * fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正 * enhance(backend): Websocketの接続に最低限必要な権限を変更 * fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように * fix(backend): エンドポイントにアクセスするために必要な権限を変更 * fix(frontend/locale): Add missing type declaration * chore: update `misskey-js/src/autogen` --------- Co-authored-by: tamaina <[email protected]>
foggy-llc · Feb 15, 2024 · 1f7677c · 1f7677c
1 parent 718564d
commit 1f7677c
Show file tree

Hide file tree

Showing 148 changed files with 797 additions and 581 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -132,7 +132,6 @@
 - Fix: モデレーションログがモデレーターは閲覧できないように修正
 - Fix: ハッシュタグのトレンド除外設定が即時に効果を持つように修正
 - Fix: HTTP Digestヘッダのアルゴリズム部分に大文字の"SHA-256"しか使えない
-- Fix: 管理者用APIのアクセス権限が適切に設定されていない問題を修正
 
 ## 2023.11.1
 

diff --git a/locales/index.d.ts b/locales/index.d.ts
@@ -2066,6 +2066,55 @@ export interface Locale {
         "write:flash": string;
         "read:flash-likes": string;
         "write:flash-likes": string;
+        "read:admin:abuse-user-reports": string;
+        "write:admin:delete-account": string;
+        "write:admin:delete-all-files-of-a-user": string;
+        "read:admin:index-stats": string;
+        "read:admin:table-stats": string;
+        "read:admin:user-ips": string;
+        "read:admin:meta": string;
+        "write:admin:reset-password": string;
+        "write:admin:resolve-abuse-user-report": string;
+        "write:admin:send-email": string;
+        "read:admin:server-info": string;
+        "read:admin:show-moderation-log": string;
+        "read:admin:show-user": string;
+        "read:admin:show-users": string;
+        "write:admin:suspend-user": string;
+        "write:admin:unset-user-avatar": string;
+        "write:admin:unset-user-banner": string;
+        "write:admin:unsuspend-user": string;
+        "write:admin:meta": string;
+        "write:admin:user-note": string;
+        "write:admin:roles": string;
+        "read:admin:roles": string;
+        "write:admin:relays": string;
+        "read:admin:relays": string;
+        "write:admin:invite-codes": string;
+        "read:admin:invite-codes": string;
+        "write:admin:announcements": string;
+        "read:admin:announcements": string;
+        "write:admin:avatar-decorations": string;
+        "read:admin:avatar-decorations": string;
+        "write:admin:federation": string;
+        "write:admin:account": string;
+        "read:admin:account": string;
+        "write:admin:emoji": string;
+        "read:admin:emoji": string;
+        "write:admin:queue": string;
+        "read:admin:queue": string;
+        "write:admin:promo": string;
+        "write:admin:drive": string;
+        "read:admin:drive": string;
+        "read:admin:stream": string;
+        "write:admin:ad": string;
+        "read:admin:ad": string;
+        "write:invite-codes": string;
+        "read:invite-codes": string;
+        "write:clip-favorite": string;
+        "read:clip-favorite": string;
+        "read:federation": string;
+        "write:report-abuse": string;
     };
     "_auth": {
         "shareAccessTitle": string;

diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
@@ -1971,6 +1971,55 @@ _permissions:
   "write:flash": "Playを操作する"
   "read:flash-likes": "Playのいいねを見る"
   "write:flash-likes": "Playのいいねを操作する"
+  "read:admin:abuse-user-reports": "ユーザーからの通報を見る"
+  "write:admin:delete-account": "ユーザーアカウントを削除する"
+  "write:admin:delete-all-files-of-a-user": "ユーザーのすべてのファイルを削除する"
+  "read:admin:index-stats": "データベースインデックスに関する情報を見る"
+  "read:admin:table-stats": "データベーステーブルに関する情報を見る"
+  "read:admin:user-ips": "ユーザーのIPアドレスを見る"
+  "read:admin:meta": "インスタンスのメタデータを見る"
+  "write:admin:reset-password": "ユーザーのパスワードをリセットする"
+  "write:admin:resolve-abuse-user-report": "ユーザーからの通報を解決する"
+  "write:admin:send-email": "メールを送る"
+  "read:admin:server-info": "サーバーの情報を見る"
+  "read:admin:show-moderation-log": "モデレーションログを見る"
+  "read:admin:show-user": "ユーザーのプライベートな情報を見る"
+  "read:admin:show-users": "ユーザーのプライベートな情報を見る"
+  "write:admin:suspend-user": "ユーザーを凍結する"
+  "write:admin:unset-user-avatar": "ユーザーのアバターを削除する"
+  "write:admin:unset-user-banner": "ユーザーのバーナーを削除する"
+  "write:admin:unsuspend-user": "ユーザーの凍結を解除する"
+  "write:admin:meta": "インスタンスのメタデータを操作する"
+  "write:admin:user-note": "モデレーションノートを操作する"
+  "write:admin:roles": "ロールを操作する"
+  "read:admin:roles": "ロールを見る"
+  "write:admin:relays": "リレーを操作する"
+  "read:admin:relays": "リレーを見る"
+  "write:admin:invite-codes": "招待コードを操作する"
+  "read:admin:invite-codes": "招待コードを見る"
+  "write:admin:announcements": "お知らせを操作する"
+  "read:admin:announcements": "お知らせを見る"
+  "write:admin:avatar-decorations": "アバターデコレーションを操作する"
+  "read:admin:avatar-decorations": "アバターデコレーションを見る"
+  "write:admin:federation": "連合に関する情報を操作する"
+  "write:admin:account": "ユーザーアカウントを操作する"
+  "read:admin:account": "ユーザーに関する情報を見る"
+  "write:admin:emoji": "絵文字を操作する"
+  "read:admin:emoji": "絵文字を見る"
+  "write:admin:queue": "ジョブキューを操作する"
+  "read:admin:queue": "ジョブキューに関する情報を見る"
+  "write:admin:promo": "プロモーションノートを操作する"
+  "write:admin:drive": "ユーザーのドライブを操作する"
+  "read:admin:drive": "ユーザーのドライブの関する情報を見る"
+  "read:admin:stream": "管理者用のWebsocket APIを使う"
+  "write:admin:ad": "広告を操作する"
+  "read:admin:ad": "広告を見る"
+  "write:invite-codes": "招待コードを作成する"
+  "read:invite-codes": "招待コードを取得する"
+  "write:clip-favorite": "クリップのいいねを操作する"
+  "read:clip-favorite": "クリップのいいねを見る"
+  "read:federation": "連合に関する情報を取得する"
+  "write:report-abuse": "違反を報告する"
 
 _auth:
   shareAccessTitle: "アプリへのアクセス許可"

diff --git a/packages/backend/src/misc/api-permissions.ts b/packages/backend/src/misc/api-permissions.ts
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
@@ -330,7 +330,8 @@ export class ApiCallService implements OnApplicationShutdown {
 			}
 		}
 
-		if (token && ep.meta.kind && !token.permission.some(p => p === ep.meta.kind)) {
+		if (token && ((ep.meta.kind && !token.permission.some(p => p === ep.meta.kind))
+			|| (!ep.meta.kind && (ep.meta.requireCredential || ep.meta.requireModerator || ep.meta.requireAdmin)))) {
 			throw new ApiError({
 				message: 'Your app does not have the necessary permissions to use this endpoint.',
 				code: 'PERMISSION_DENIED',

diff --git a/packages/backend/src/server/api/StreamingApiServerService.ts b/packages/backend/src/server/api/StreamingApiServerService.ts
@@ -71,6 +71,10 @@ export class StreamingApiServerService {
 
 			try {
 				[user, app] = await this.authenticateService.authenticate(token);
+
+				if (app !== null && !app.permission.some(p => p === 'read:account')) {
+					throw new AuthenticationError('Your app does not have necessary permissions to use websocket API.');
+				}
 			} catch (e) {
 				if (e instanceof AuthenticationError) {
 					socket.write([

diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
@@ -4,6 +4,7 @@
  */
 
 import type { Schema } from '@/misc/json-schema.js';
+import { permissions } from 'misskey-js';
 import { RolePolicies } from '@/core/RoleService.js';
 
 import * as ep___admin_meta from './endpoints/admin/meta.js';
@@ -724,7 +725,7 @@ const eps = [
 	['retention', ep___retention],
 ];
 
-export interface IEndpointMeta {
+interface IEndpointMetaBase {
 	readonly stability?: 'deprecated' | 'experimental' | 'stable';
 
 	readonly tags?: ReadonlyArray<string>;
@@ -823,6 +824,23 @@ export interface IEndpointMeta {
 	readonly cacheSec?: number;
 }
 
+export type IEndpointMeta = (Omit<IEndpointMetaBase, 'requireCrential' | 'requireModerator' | 'requireAdmin'> & {
+	requireCredential?: false,
+	requireAdmin?: false,
+	requireModerator?: false,
+}) | (Omit<IEndpointMetaBase, 'secure'> & {
+	secure: true,
+}) | (Omit<IEndpointMetaBase, 'requireCredential' | 'kind'> & {
+	requireCredential: true,
+	kind: (typeof permissions)[number],
+}) | (Omit<IEndpointMetaBase, 'requireModerator' | 'kind'> & {
+	requireModerator: true,
+	kind: (typeof permissions)[number],
+}) | (Omit<IEndpointMetaBase, 'requireAdmin' | 'kind'> & {
+	requireAdmin: true,
+	kind: (typeof permissions)[number],
+})
+
 export interface IEndpoint {
 	name: string;
 	meta: IEndpointMeta;

diff --git a/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts b/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts
@@ -13,10 +13,9 @@ import { AbuseUserReportEntityService } from '@/core/entities/AbuseUserReportEnt
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'read:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'read:admin:abuse-user-reports',
 
 	res: {
 		type: 'array',

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -15,7 +15,7 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
+	secure: true,
 
 	res: {
 		type: 'object',

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts b/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts
@@ -14,10 +14,9 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireAdmin: true,
+	kind: 'write:admin:account',
 } as const;
 
 export const paramDef = {

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/find-by-email.ts b/packages/backend/src/server/api/endpoints/admin/accounts/find-by-email.ts
@@ -13,10 +13,9 @@ import { ApiError } from '@/server/api/error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'read:admin',
-
 	requireCredential: true,
 	requireAdmin: true,
+	kind: 'read:admin:account',
 
 	errors: {
 		userNotFound: {

diff --git a/packages/backend/src/server/api/endpoints/admin/ad/create.ts b/packages/backend/src/server/api/endpoints/admin/ad/create.ts
@@ -13,10 +13,9 @@ import { ModerationLogService } from '@/core/ModerationLogService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:ad',
 	res: {
 		type: 'object',
 		optional: false,

diff --git a/packages/backend/src/server/api/endpoints/admin/ad/delete.ts b/packages/backend/src/server/api/endpoints/admin/ad/delete.ts
@@ -13,10 +13,9 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:ad',
 
 	errors: {
 		noSuchAd: {

diff --git a/packages/backend/src/server/api/endpoints/admin/ad/list.ts b/packages/backend/src/server/api/endpoints/admin/ad/list.ts
@@ -12,10 +12,9 @@ import { DI } from '@/di-symbols.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'read:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'read:admin:ad',
 	res: {
 		type: 'array',
 		optional: false,

diff --git a/packages/backend/src/server/api/endpoints/admin/ad/update.ts b/packages/backend/src/server/api/endpoints/admin/ad/update.ts
@@ -13,10 +13,9 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:ad',
 
 	errors: {
 		noSuchAd: {

diff --git a/packages/backend/src/server/api/endpoints/admin/announcements/create.ts b/packages/backend/src/server/api/endpoints/admin/announcements/create.ts
@@ -10,10 +10,9 @@ import { AnnouncementService } from '@/core/AnnouncementService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:announcements',
 
 	res: {
 		type: 'object',

diff --git a/packages/backend/src/server/api/endpoints/admin/announcements/delete.ts b/packages/backend/src/server/api/endpoints/admin/announcements/delete.ts
@@ -13,10 +13,9 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:announcements',
 
 	errors: {
 		noSuchAnnouncement: {

diff --git a/packages/backend/src/server/api/endpoints/admin/announcements/list.ts b/packages/backend/src/server/api/endpoints/admin/announcements/list.ts
@@ -14,10 +14,9 @@ import { IdService } from '@/core/IdService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'read:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'read:admin:announcements',
 
 	res: {
 		type: 'array',

diff --git a/packages/backend/src/server/api/endpoints/admin/announcements/update.ts b/packages/backend/src/server/api/endpoints/admin/announcements/update.ts
@@ -13,10 +13,9 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireModerator: true,
+	kind: 'write:admin:announcements',
 
 	errors: {
 		noSuchAnnouncement: {

diff --git a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts
@@ -10,10 +10,9 @@ import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
+	kind: 'write:admin:avatar-decorations',
 } as const;
 
 export const paramDef = {

diff --git a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/delete.ts b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/delete.ts
@@ -12,10 +12,9 @@ import { ApiError } from '../../../error.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'write:admin',
-
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
+	kind: 'write:admin:avatar-decorations',
 	errors: {
 	},
 } as const;

diff --git a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts
@@ -15,10 +15,9 @@ import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 export const meta = {
 	tags: ['admin'],
 
-	kind: 'read:admin',
-
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
+	kind: 'read:admin:avatar-decorations',
 
 	res: {
 		type: 'array',