Commit graph

1633 commits

Author SHA1 Message Date
Oneric
0648d9ebaa Add mix tasks to detect spoofed posts and users
At least as far as we can
2024-03-26 16:05:20 -01:00
Oneric
d441101200 Add mix task to detect uploaded spoof payloads 2024-03-26 16:05:20 -01:00
Oneric
d6d838cbe8 StealEmoji: check remote size before downloading
To save on bandwith and avoid OOMs with large files.
Ofc, this relies on the remote server
 (a) sending a content-length header and
 (b) being honest about the size.

Common fedi servers seem to provide the header and (b) at least raises
the required privilege of an malicious actor to a server infrastructure
admin of an explicitly allowed host.

A more complete defense which still works when faced with
a malicious server requires changes in upstream Finch;
see https://github.com/sneako/finch/issues/224
2024-03-18 22:33:10 -01:00
Oneric
fb54c47f0b Update example nginx config
To account for our subdomain recommendations
2024-03-18 22:33:10 -01:00
Oneric
fc36b04016 Drop media proxy same-domain default for base_url
Even more than with user uploads, a same-domain proxy setup bears
significant security risks due to serving untrusted content under
the main domain space.

A risky setup like that should never be the default.
2024-03-18 22:33:10 -01:00
Oneric
0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradict all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by an UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigangs occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successfull preimage attack against
SHA-256, which is deemed infeasible for the foreseeable futures.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridde by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
Oneric
fef773ca35 Drop media base_url default and recommend different domain
Same-domain setups enabled now at least two exploits,
so they ought to be discouraged and definitely not be the default.
2024-03-18 22:33:10 -01:00
floatingghost
cdf73e0ac8 Merge pull request 'Better document database differences for Pleroma migrations' (#699) from Oneric/akkoma:doc_pleroma-migration-db into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/699
2024-02-24 04:33:43 +00:00
floatingghost
967e6b8ade Merge pull request 'Docs: Add description for mrf_reject_newly_created_account_notes' (#695) from YokaiRick/akkoma:doc_mrf_reject_acc_notes into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/695
2024-02-24 04:31:28 +00:00
Oneric
bff2812a93 More prominently document db migrations in migrations from Pleroma
By now most instance will run a version past 2022-08 but the guide
only documented it for from source installs and Pleroma develop.
2024-02-23 23:54:14 +01:00
Oneric
7964272c98 Document how to avoid data loss on migration from Pleroma 2024-02-23 23:54:09 +01:00
rick
c25cfe9b7a fixed spelling 2024-02-19 23:25:20 +01:00
Oneric
41dd37d796 doc/cheatsheet: add missing MRFs
Or mentions of MRFs in the main list
whose options were already documented.
2024-02-19 23:15:47 +01:00
Oneric
9830d54fa1 doc/cheatsheet: sort main MRF list alphabetically
It is too cumbersome to find a specific policy atm
or to check if all are docuemtned yet.
Trivial placeholder policies are excluded from this.
2024-02-19 23:15:30 +01:00
Oneric
f254e4f530 doc/cheatsheet: add missing MRF config detail docs
And remove “on by default” text from individual entries.
They are now laready in the “on by default” section.
2024-02-19 23:14:44 +01:00
Oneric
da4190c46e doc/cheatsheet: split out always active MRFs
It doesn’t make sense to add/remove them from the policies list
2024-02-19 23:14:24 +01:00
Oneric
7a2d68c3ab doc/cheatsheet: add link to ActivityExpiration config details 2024-02-19 23:14:07 +01:00
Oneric
8e7a89605d doc/cheatsheet: move MRF policies key to end of section
This makes it easier to spot the transparency options
2024-02-19 23:13:48 +01:00
Oneric
1640d19448 doc/cheatsheet: move :activitypub section ahead
Else it is too easy to mistake for another MRF policy.
2024-02-19 23:13:25 +01:00
Oneric
8f1776a8a7 Purge leftovers from FollowBot MRF
It was dropped in 9db4c2429f
2024-02-19 23:13:05 +01:00
Oneric
1ec6e193e6 doc: clarify RejectNewlyCreated uses local account discovery 2024-02-19 23:12:41 +01:00
stefan230
b4c832471c docs/docs/configuration/cheatsheet.md aktualisiert
fixed up some grammer / wording. removed a setence and made wording more in line with what I could find in Admin-FE (especially wording of "rejecting" vs. dropping)
2024-02-17 22:09:47 +00:00
rick
db49daa4a5 make it clearer what it affects 2024-02-17 22:57:56 +01:00
rick
718104117f fix link 2024-02-17 22:34:55 +01:00
rick
12e7d0a25c added doc for mrf_reject_newly_created_account_notes 2024-02-17 22:25:12 +01:00
Erin Shepherd
7a0e27a746 Disable busy waits in the default OTP vm.args configuration.
This vastly reduces idle CPU usage, which should generally be beneficial
for most small-to-medium sized instances.

Additionally update the documentation to specify how to override the vm.args
file for OTP installs
2024-02-17 13:21:56 +01:00
Oneric
e99e2407f3 Add background_removal to SimplePolicy MRF 2024-02-16 16:36:45 +01:00
FloatingGhost
0ed815b8a1 Merge branch 'followback' into develop 2024-02-16 13:27:40 +00:00
Oneric
cda597a05c doc: fix Akkoma identification name
Akkoma stopped pretending to be Pleroma here when the mix project name
was changed in c07fcdbf2b.
2024-02-15 16:25:59 +01:00
Oneric
711043f57d Document bubble timeline API
It was added in cb6e7359af.
2024-02-15 16:04:33 +01:00
Oneric
6bb455702d Document Akkoma API 2024-02-15 16:04:33 +01:00
Oneric
7493d8f49d Document live dashboard 2024-02-15 16:04:33 +01:00
Oneric
376f6b15ca Add ability to auto-approve followbacks
Resolves: https://akkoma.dev/AkkomaGang/akkoma/issues/148
2024-02-13 15:42:37 +01:00
Oneric
13e62b4e51 Fix schema and docs for status_ttl_days and instance
Fixes misspelling and omission of and example in commit
0cfd5b4e89 which added the
status_ttl_property. This was the only place this commit
referred to the property as note_ttl_days.

Partially fixes the omitted schema update of the instance metadata addition
from commit b7e8ce2350. A proper full schema
for nodeinfo is still missing.
2024-02-13 15:39:52 +01:00
floatingghost
e97d08ee98 Merge pull request 'MRF transparency: don’t forget to obfuscate short domains' (#676) from Oneric/akkoma:mrf-obfuscation into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/676
2024-02-05 08:43:43 +00:00
Oneric
3cd882528e More prominently document MRF transparency and obfuscation
And point to the cheat sheet for all other MRF policies
and their configuration details.
2024-02-02 14:50:21 +00:00
Aria
a074be24ca add bit about frontend configuration to oauth consumer docs 2023-12-17 19:36:27 +00:00
FloatingGhost
74d5e22fc5 fix robotstxt on OTP 2023-12-15 16:23:20 +00:00
floatingghost
bc22ea50ab Merge pull request 'docs: Fixed wrong command for robots_txt CLI task' (#632) from yukijoou/akkoma:docs-robotstxt-fix into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/632
2023-12-15 16:21:17 +00:00
FloatingGhost
fb700a956a correct link 2023-11-02 11:40:19 +00:00
yuki joou
32422a7a04 docs: Fixed wrong command for robots_txt CLI task
This is according to the error message displayed when trying to run the
command in the current version of the docs
2023-08-18 13:25:52 +00:00
y0nei
0617090743
Note about Docker installations in backup section 2023-08-17 16:51:53 +02:00
FloatingGhost
f7ea0a1248 bump OTP required 2023-08-16 23:01:02 +01:00
FloatingGhost
6139c3346d Add extra rollbacks to pleroma develop 2023-08-16 22:49:23 +01:00
YokaiRick
76ba400c6d nginx subdir is missing in otp builds 2023-08-12 22:09:32 +00:00
YokaiRick
655c282de3 update docs nginx subdir in akkoma/installation is gone 2023-08-12 21:59:30 +00:00
Norm
9a7c30fc90
Update OTP docs to mention arm64 in prerequisites 2023-08-05 10:39:03 -04:00
Sandra Snan
2556f44219 Fix typo in frontend management docs 2023-08-04 22:34:39 +01:00
FloatingGhost
8fd74548ff Combine ubuntu and debian builds 2023-08-04 20:37:17 +01:00
FloatingGhost
6e293b9280 Bump versions in use in the docs 2023-08-04 14:19:18 +01:00