Mitigating the recent Pleroma issues
May 26, 2023, webb's site

Update (23/08/06): Another vulnerability has been found, and the fix outlined in this article helps with it too. As of writing there is no publicly released fix. The creator of Pleroma recommends still following this guide until at the very least that is fixed, but ideally forever, to prevent this entire class of vulnerabilities.

Here's a little mini-tutorial on moving media and the media proxy to a separate domain. I'll also briefly go over mitigating the exploit with link previews. This assumes you're running Nginx with Let's Encrypt and configuring Pleroma via the database. It also assumes you started from the example Nginx config. For the purposes of this guide, "arachnid.town" is your main instance domain and "clip.arachnid.town" is the new domain for media. Keep in mind that it's not just the proxy that's vulnerable, but also media uploaded by local users. Do both.

First, create a subdomain and point it at your server. In this case it's clip.arachnid.town. Let the record propagate. Next, go into your Nginx config for Pleroma. We aren't going to configure SSL/HTTPS just yet, because Let's Encrypt will do that for us.

We're going to create a new server block for the domain before we switch Pleroma over to make sure it works.

server {
    server_name clip.arachnid.town;
    listen 80;
    listen [::]:80;
    location / {
        return 404;
    }
    location ~ ^/(media|proxy) {
        proxy_cache                pleroma_media_cache;
        slice                      1m;
        proxy_cache_key            $host$uri$is_args$args$slice_range;
        proxy_set_header           Range $slice_range;
        proxy_cache_valid          200 206 301 304 1h;
        proxy_cache_lock           on;
        proxy_ignore_client_abort  on;
        proxy_buffering            on;
        add_header                 Content-Security-Policy "script-src 'none';";
        chunked_transfer_encoding  on;
        proxy_pass                 http://phoenix;
    }
}

Save and reload/restart. Next we'll want to get the certificate installed.

# certbot --nginx -d clip.arachnid.town

Let's test it. Go into PleromaFE and copy an image's link. Replace the domain with the new media domain. If it works, the image will come through. Next we're going to hop over to AdminFE and change a couple of settings.

  1. Scroll down to "Upload", and change "Base URL" and point it to /media on your new domain. In our case this is https://clip.arachnid.town/media
  2. Scroll to Media Proxy and change "Base URL" to the root of your new subdomain. In our case this is https://clip.arachnid.town
  3. Scroll to Metadata, and uncheck "Enabled" under "Rich media." This disables rich media link previews, which are a current vulnerability vector.

Apply the settings, and hard refresh PleromaFE (or your frontend of choice) with Ctrl+Shift+R. Make sure images load, and that the URL being used is your new domain.

Alright, let's switch back to our Nginx config. We're now going to redirect requests for media to the new domain so that existing statuses aren't broken. Under your main domain's server block (arachnid.town in our case), remove any location blocks matching location ~ ^/(media|proxy). This includes the hotfix one-liner. We're going to set up the redirection, which will also prevent those directories from being served from the main domain. Just add the following to your instance's server block:

location ~ ^/(media|proxy) {
	return 301 https://clip.arachnid.town$request_uri;
}

Save and restart/reload Nginx. Now try visiting some media on your instance's main domain. It should redirect to the new location.
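To confirm the split actually took effect end to end, here is an added Python check (my own example, not code from the original post or from Pleroma) that probes the three behaviours set up above: media on the main domain must redirect, media on the new domain must carry the script-blocking CSP, and the new domain's root must 404. It assumes the guide's domains and a sample upload path, which you should change to your own.

```python
import urllib.error
import urllib.request

MAIN = "https://arachnid.town"         # assumption: your main instance domain
MEDIA = "https://clip.arachnid.town"   # assumption: the new media-only domain
SAMPLE_PATH = "/media/example.png"     # assumption: path of any uploaded file

PROBES = {
    "main_media": MAIN + SAMPLE_PATH,    # must redirect, never serve the bytes
    "media_media": MEDIA + SAMPLE_PATH,  # must serve with the script-blocking CSP
    "media_root": MEDIA + "/",           # must 404: nothing but media lives here
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def fetch(url):
    """GET url without following redirects; return (status, lower-cased headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def evaluate(probe, status, headers):
    """Return the problems found for one probe; an empty list means it passed."""
    problems = []
    if probe == "main_media":
        location = headers.get("location", "")
        if status not in (301, 302, 307, 308):
            problems.append(f"main domain answered {status}: media is still served there")
        elif not location.startswith(MEDIA + "/"):
            problems.append(f"redirect goes to {location!r}, not the media domain")
    elif probe == "media_media":
        if status not in (200, 206):
            problems.append(f"media domain answered {status} for the sample file")
        if "script-src 'none'" not in headers.get("content-security-policy", ""):
            problems.append("Content-Security-Policy does not block scripts")
    elif probe == "media_root" and status != 404:
        problems.append(f"media domain root answered {status}, expected 404")
    return problems

def run_checks():
    return {name: evaluate(name, *fetch(url)) for name, url in PROBES.items()}

if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Every probe printing OK means uploads and proxied media are no longer reachable on the instance's origin and cannot run scripts on the media origin.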

There you go! You're all mitigated and good until the next release.