[PR #578] [MERGED] protect AWS CF deployments by automatically blocking metadata URL #3407

Closed
opened 2026-02-22 18:33:43 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/578
Author: @timothycarambat
Created: 1/11/2024
Status: Merged
Merged: 1/11/2024
Merged by: @timothycarambat

Base: masterHead: security/harder-aws-template-prevent-ssrf-metadata


📝 Commits (1)

  • 3c452aa protect AWS CF deployments by automatically blocking metadata URL

📊 Changes

1 file changed (+2 additions, -1 deletions)

View changed files

📝 cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json (+2 -1)

📄 Description

Pull Request Type

  • feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 🔨 chore
  • 📝 docs

What is in this change?

Improve AWS CF template to use iptables to prevent an introspective query when deployed on an AWS EC2 instance using the special 169.254.169.254 IP and /latest/meta-data/* path to get metadata about the instance or otherwise.

This prevents the user from executing a "fetch website" on this domain by DROPing the request at the firewall level.

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/578 **Author:** [@timothycarambat](https://github.com/timothycarambat) **Created:** 1/11/2024 **Status:** ✅ Merged **Merged:** 1/11/2024 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `security/harder-aws-template-prevent-ssrf-metadata` --- ### 📝 Commits (1) - [`3c452aa`](https://github.com/Mintplex-Labs/anything-llm/commit/3c452aa7494f3fd4c2849a708ea518ee46b6d2d6) protect AWS CF deployments by automatically blocking metadata URL ### 📊 Changes **1 file changed** (+2 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json` (+2 -1) </details> ### 📄 Description ### Pull Request Type <!-- For change type, change [ ] to [x]. --> - [ ] ✨ feat - [x] 🐛 fix - [ ] ♻️ refactor - [ ] 💄 style - [ ] 🔨 chore - [ ] 📝 docs ### What is in this change? Improve AWS CF template to use `iptables` to prevent an introspective query when deployed on an AWS EC2 instance using the special `169.254.169.254` IP and `/latest/meta-data/*` path to get metadata about the instance or otherwise. This prevents the user from executing a "fetch website" on this domain by `DROP`ing the request at the firewall level. ### Developer Validations <!-- All of the applicable items should be checked. --> - [x] I ran `yarn lint` from the root of the repo & committed changes - [x] Relevant documentation has been updated - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:33:43 -05:00
yindo closed this issue 2026-02-22 18:33:43 -05:00
yindo changed title from [PR #578] protect AWS CF deployments by automatically blocking metadata URL to [PR #578] [MERGED] protect AWS CF deployments by automatically blocking metadata URL 2026-06-05 15:13:15 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#3407