Merge pull request #255 from dodok8/dodok8-fix-issue-247

dahlia · dahlia · commit c682c965a207 · 2025-10-07T22:22:48.000+09:00
Fix direct message visibility filtering in status queries
diff --git a/CHANGES.md b/CHANGES.md
@@ -6,6 +6,16 @@ Version 0.6.14
 
 To be released.
 
+ -  Fixed a critical security vulnerability where direct messages (DMs) were
+    visible to all authenticated users regardless of whether they were
+    participants in the conversation. The visibility filter now correctly
+    restricts direct messages to only the sender and mentioned recipients,
+    preventing unauthorized access to private conversations.
+    [[#247], [#255] by Hyeonseo Kim]
+
+[#247]: https://github.com/fedify-dev/hollo/issues/247
+[#255]: https://github.com/fedify-dev/hollo/pull/255
+
 
 Version 0.6.13
 --------------
@@ -957,3 +967,5 @@ Version 0.1.0
 -------------
 
 Released on October 22, 2024.  Initial release.
+
+<!-- cSpell: ignore Hyeonseo -->
diff --git a/src/api/v1/statuses.ts b/src/api/v1/statuses.ts
@@ -80,17 +80,18 @@ const app = new Hono<{ Variables: Variables }>();
 /**
  * Builds visibility conditions for post queries based on viewer's permissions.
  * For unauthenticated users, only public/unlisted posts are visible.
- * For authenticated users, includes private posts from accounts they follow.
+ * For authenticated users, includes private posts from accounts they follow,
+ * and direct posts where they are mentioned or are the author.
  */
 function buildVisibilityConditions(viewerAccountId: Uuid | null | undefined) {
   if (viewerAccountId == null) {
     // Unauthenticated: only public and unlisted posts
     return inArray(posts.visibility, ["public", "unlisted"]);
   }
 
-  // Authenticated: include private posts based on follower relationships
+  // Authenticated: include private and direct posts based on relationships
   return or(
-    inArray(posts.visibility, ["public", "unlisted", "direct"]),
+    inArray(posts.visibility, ["public", "unlisted"]),
     and(
       eq(posts.visibility, "private"),
       or(
@@ -111,12 +112,24 @@ function buildVisibilityConditions(viewerAccountId: Uuid | null | undefined) {
         ),
       ),
     ),
-    // Also include posts that mention the viewer
-    exists(
-      db
-        .select({ id: mentions.postId })
-        .from(mentions)
-        .where(eq(mentions.accountId, viewerAccountId)),
+    and(
+      inArray(posts.visibility, ["private", "direct"]),
+      or(
+        // User's own direct posts
+        eq(posts.accountId, viewerAccountId),
+        // Direct posts where the user is mentioned
+        exists(
+          db
+            .select({ postId: mentions.postId })
+            .from(mentions)
+            .where(
+              and(
+                eq(mentions.postId, posts.id),
+                eq(mentions.accountId, viewerAccountId),
+              ),
+            ),
+        ),
+      ),
     ),
   );
 }
