From a4e4c9c47c5f84ec7ccd309bde59d4ae5d7e5a98 Mon Sep 17 00:00:00 2001
From: nexryai
Date: Wed, 27 Dec 2023 08:05:05 +0900
Subject: [PATCH] =?UTF-8?q?Security:=20App=E3=81=AF=E7=AE=A1=E7=90=86?=
 =?UTF-8?q?=E8=80=85/=E3=83=A2=E3=83=87=E3=83=AC=E3=83=BC=E3=82=BF?=
 =?UTF-8?q?=E6=A8=A9=E9=99=90=E3=82=92=E4=BD=BF=E3=81=88=E3=81=AA=E3=81=84?=
 =?UTF-8?q?=E3=82=88=E3=81=86=E3=81=AB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md | 1 +
 packages/backend/src/server/api/call.ts | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4bd2ce04e2..e6a8885371 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## 12.23Q4.5
 - Security Hotfix: 管理者用APIのアクセス権限が適切に設定されていない問題を修正
 - fix: Filter featured collection
+ - Appは管理者/モデレータ権限を使えないように
 - 依存関係の更新
 
 ## 12.23Q4.4
diff --git a/packages/backend/src/server/api/call.ts b/packages/backend/src/server/api/call.ts
index a85d40643b..b2124f5a0a 100644
--- a/packages/backend/src/server/api/call.ts
+++ b/packages/backend/src/server/api/call.ts
@@ -93,6 +93,14 @@ export default async (endpoint: string, user: CacheableLocalUser | null | undefi
 });
 }
 
+ if (token && ep.meta.requireAdmin) {
+ throw new ApiError(accessDenied, { reason: "Apps cannot use admin privileges." });
+ }
+
+ if (token && ep.meta.requireModerator) {
+ throw new ApiError(accessDenied, { reason: "Apps cannot use moderator privileges." });
+ }
+
 // Cast non JSON input
 if ((ep.meta.requireFile || ctx?.method === "GET") && ep.params.properties) {
 for (const k of Object.keys(ep.params.properties)) {
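Review bot: The two new guards in call.ts key only on `ep.meta.requireAdmin` and `ep.meta.requireModerator`, so any endpoint that enforces admin or moderator status inside its own handler rather than through those meta flags would still be reachable with an app token; it is worth confirming that every privileged endpoint sets one of these flags, which cannot be seen from this hunk. The enclosing function begins at line 93 outside the hunk, and the user-level admin/moderator checks presumably live above it; placing these app-token checks beside them would keep the authorization logic in one place. A short comment stating the intent would help future readers, e.g. `// An app access token never inherits its owner's admin/moderator role, even when the owning user has it.` The two blocks could also be folded into a single `if (token && (ep.meta.requireAdmin || ep.meta.requireModerator))` with one reason string, though the separate messages are fine as long as they stay in sync with the flags.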