pleroma

hj/pleroma

No description

Find a file

Oneric f8db412af4 fed/fetch: don't serve unsanitised object data for some activities When the object associated with the activity was preloaded (which happens automatically with Activity.normalize used in the controller) Object.normalize’s "id_only" option did not actually work. This option and it’s usage were introduced to fix display of Undo activities in e88f36f72b5317debafcc4209b91eb35ad8f0691. For "Undo"s (and "Delete"s) there is no object preloaded (since it is already gone from the database) thus this appeared to work and for the particular case considered there in fact did. Create activities use different rendering logic and thus remained unaffected too. However, for all other types of Activities (yes, including Update which really _should_ include a properly sanitised, full object) this new attempt at including "just the id", lead to it instead including the full, unsanitised data of the referenced object. This is obviously bad and can get worse due to access restrictions on the activity being solely performed based on the addressing of the activity itself, not of the (unintentionally) embedded object. Starting with the obvious, this leaks all "internal" fields but as already mentioned in 8243fc0ef482a28daf2bcae2c64a9510bdb76489 all current "internal" fields from Constants.object_internal_fields are already publicised via MastoAPI etc anyway. Assuming matching addressing of the referenced object and activity this isn't problematic with regard to confidentiality. Except, the internal "voters" field recording who voted for a poll is currently just omitted from Constants.object_internal_fields and indeed confidential information (fix in subsequent commit). Fortunately this list is for the poll as a whole and there are no inlined lists for individual choices. While this thus leaks _who_ voted for a poll, it at least doesn't directly expose _what_ each voter chose if there are multiple voters. As alluded to before, the access restriction not being aware of the misplaced object data into account makes the issue worse. If the activity addressing is not a subset of the referenced object’s addressing, this will leak private objects to unauthorised users. This begs the question whether such mismatched addressing can occur. For remote activities the answer is ofc a resounding YES, but we only serve local ActivityPub objects and for the latter it currently(!) seems like a "no". For all intended interactions, the user interacting must already have access to the object of interest and our ActivityPub Builder already uses a subset of the original posts addressing for posts not publicly accessible. This addressing creation logic was last touched six years ago predating the introduction of this exposure blunder. The rather big caveat her being, until it was fixed just yesterday in dff532ac723310903e58c5d28f897cc2d116594f it was indeed possible to interact with posts one is not allowed to actually see. Combined, this allowed unauthorised access to private posts. (The API ID of such private posts can be obtained e.g. from replies one _is_ allowed to see) During the time when ActivityPub C2S was supported there might have been more ways to create activities with mismatched addressing and sneak a peek on private posts. (The AP id can be obtained in an analogous way) Replaces and fixes e88f36f72b5317debafcc4209b91eb35ad8f0691. Since there never were any users of the bugged "id_only" option it is removed. This was reported by silverpill <silverpill@firemail.cc> as an ActivityPub interop issue, since this blunder of course also leads to invalid AP documents by adding an additional layer in form of the "data" key and directly exposing the internal Pleroma representation which is not always identical to valid AP. Fixes: https://akkoma.dev/AkkomaGang/akkoma/issues/1017		2025-12-11 23:30:02 +01:00
.gitlab	Update MR template to include the type 'change'	2023-11-08 09:37:08 -05:00
benchmarks	Ensure benchee doesn't run unless we are executing benchmarks	2023-11-08 12:44:57 -05:00
changelog.d	Add changelog	2025-12-10 14:56:06 +01:00
ci	Replace Elixir 1.17 with 1.18 for build unit-testing pipelines	2025-05-24 22:17:38 +02:00
config	Merge branch 'rich-media-user-agent' into 'develop'	2025-11-29 17:25:18 +01:00
docs	Merge branch 'mastodon-quotes-updates' into 'develop'	2025-12-02 14:34:16 +01:00
installation	Merge branch 'openbsd-docs' into 'develop'	2025-06-06 00:59:58 +00:00
lib	fed/fetch: don't serve unsanitised object data for some activities	2025-12-11 23:30:02 +01:00
priv	Merge branch 'hj-develop-patch-37634' into 'develop'	2025-12-08 18:28:55 +00:00
rel	Disable busywaits in releases	2024-10-25 11:34:54 -04:00
restarter	Bump minimum Elixir version to 1.10	2022-09-02 22:53:54 +02:00
supplemental/search/fastembed-api	Fastembed Server: Add health check endpoint	2024-05-27 14:15:04 +04:00
test	api: ensure only visible posts are interactable	2025-12-11 23:30:02 +01:00
tools	Fix changelog checker	2025-11-07 19:47:54 +03:00
.buildpacks	CI: Add auto-deployment via dokku.	2019-05-31 10:55:35 +02:00
.credo.exs	Tell newer Credo it's OK to exit 0 on single with clauses and piping into anonymous functions for now	2022-11-13 18:46:02 -05:00
.dialyzer_ignore.exs	Quiet Dialyzer	2024-07-25 16:36:34 -04:00
.dockerignore	remove docs/ from .dockerignore	2019-11-20 00:09:07 +09:00
.formatter.exs	.formatter.exs: Format optional migrations	2021-01-10 11:28:41 +03:00
.gitattributes	[#3112 ] .gitattributes fix.	2020-12-09 18:43:20 +03:00
.gitignore	Do not allow committing tests with a .ex extension	2024-08-07 13:07:54 -04:00
.gitlab-ci.yml	CI: Use the dotenv report method to capture the spec-build internal job id and pass it through to the spec-deploy job	2025-10-23 21:14:12 -07:00
.mailmap	Add myself to .mailmap	2021-02-15 13:19:44 +03:00
.rgignore	Add .rgignore for easier grepping	2023-12-10 17:06:28 +04:00
AGPL-3	LICENSE → AGPL-3	2019-04-01 00:31:21 +02:00
CC-BY-4.0	Add a copy of CC-BY-4.0 to the repo	2020-09-06 11:38:38 +03:00
CC-BY-SA-4.0	CC-BY-SA-4.0: Add a copy of the CC-BY-SA-4.0 license	2019-04-01 00:30:21 +02:00
CHANGELOG.md	Update changelog	2025-03-11 18:06:43 +04:00
COPYING	Revert "Merge branch 'copyright-bump' into 'develop'"	2023-01-02 20:38:50 +00:00
coveralls.json	exclude file_location check from coveralls	2020-10-13 16:44:01 +03:00
docker-entrypoint.sh	allow custom db port	2022-11-11 12:22:21 -03:00
Dockerfile	Dockerfile: Sync with CI, make more resilient	2025-08-27 14:07:21 +04:00
elixir_buildpack.config	Bump minimum Elixir version to 1.10	2022-09-02 22:53:54 +02:00
mix.exs	Mix: Remove double lazarus	2025-09-04 15:49:57 +04:00
mix.lock	Add Oban.Plugins.Lazarus	2025-08-29 09:16:23 -07:00
Procfile	CI: Add auto-deployment via dokku.	2019-05-31 10:55:35 +02:00
README.md	README.md: Update packaging state (GURU, AUR)	2023-06-27 21:13:02 +02:00
SECURITY.md	SECURITY.md: update supported versions to only 2.2	2020-10-15 21:45:31 +03:00

README.md

About

Pleroma is a microblogging server software that can federate (= exchange messages with) other servers that support ActivityPub. What that means is that you can host a server for yourself or your friends and stay in control of your online identity, but still exchange messages with people on larger servers. Pleroma will federate with all servers that implement ActivityPub, like Friendica, GNU Social, Hubzilla, Mastodon, Misskey, Peertube, and Pixelfed.

Pleroma is written in Elixir and uses PostgresSQL for data storage. It's efficient enough to be ran on low-power devices like Raspberry Pi (though we wouldn't recommend storing the database on the internal SD card ;) but can scale well when ran on more powerful hardware (albeit only single-node for now).

For clients it supports the Mastodon client API with Pleroma extensions (see the API section on https://docs-develop.pleroma.social).

Client Applications for Pleroma

Installation

OTP releases (Recommended)

If you are running Linux (glibc or musl) on x86/arm, the recommended way to install Pleroma is by using OTP releases. OTP releases are as close as you can get to binary releases with Erlang/Elixir. The release is self-contained, and provides everything needed to boot it. The installation instructions are available here.

From Source

If your platform is not supported, or you just want to be able to edit the source code easily, you may install Pleroma from source.

OS/Distro packages

Currently Pleroma is packaged for YunoHost, NixOS, Gentoo through GURU and Archlinux through AUR. You may find more at https://repology.org/project/pleroma/versions.
If you want to package Pleroma for any OS/Distros, we can guide you through the process on our community channels. If you want to change default options in your Pleroma package, please discuss it with us first.

Docker

While we don’t provide docker files, other people have written very good ones. Take a look at https://github.com/angristan/docker-pleroma or https://glitch.sh/sn0w/pleroma-docker.

Raspberry Pi

Community maintained Raspberry Pi image that you can flash and run Pleroma on your Raspberry Pi. Available here https://github.com/guysoft/PleromaPi.

Compilation Troubleshooting

If you ever encounter compilation issues during the updating of Pleroma, you can try these commands and see if they fix things:

mix deps.clean --all
mix local.rebar
mix local.hex
rm -r _build

If you are not developing Pleroma, it is better to use the OTP release, which comes with everything precompiled.

Documentation

Latest Released revision: https://docs.pleroma.social
Latest Git revision: https://docs-develop.pleroma.social

Community Channels

IRC: #pleroma and #pleroma-dev on libera.chat, webchat is available at https://irc.pleroma.social
Matrix: #pleroma:libera.chat and #pleroma-dev:libera.chat

README.md Unescape Escape