{"/PATCHSET_LEVEL":[{"author":{"_account_id":29074,"name":"Felix Huettner","email":"felix.huettner@digits.schwarz","username":"felix.huettner"},"change_message_id":"9ea5d9d55431cc8d8b197fb7c81e307d7e2134f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d5bee255_112a6d27","updated":"2023-07-12 06:23:17.000000000","message":"As the first IP in the X-Forwarded-For should be from the neutron managed haproxy I do not think this will actually create a security risk.\n\nHowever I can think of some configurations where users mess up a proxy config on their VMs and would now allow an attacker to obtain metadata information for that VM.\nWhile that is definitely an issue of the user, I don\u0027t think we actually need to support this configuration. I honestly can\u0027t think of why someone would actually want to expose their metadata information to someone else.\n\nI would therefore propose to drop all requests that have an additional proxy set.","commit_id":"20450e90ef28a1ca31e79cfb4dfd9bb2b196205b"},{"author":{"_account_id":13861,"name":"yatin","email":"ykarel@redhat.com","username":"yatinkarel"},"change_message_id":"6bbd1e76b37322f0755bbc7000ce6ff6eb7997e1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e2f3d47c_0eea4e75","updated":"2023-07-11 08:15:01.000000000","message":"I too recently came across this and had found https://bugs.launchpad.net/nova/+bug/1563954 where metadata of other instance could be fetched, which was somehow fixed in the past.\n\nBut with this patch it\u0027s now possible, I think that\u0027s not the intention of this patch, right?\n\nJust for understanding on how these are generated, you noticed this in some CI? or in some local deployment, in the example from where those requests are generated and to what both of these IPs belong?","commit_id":"20450e90ef28a1ca31e79cfb4dfd9bb2b196205b"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"bc405676a2d07e7208675c8f4420fb69fe02c2a2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4eb15a11_3e6bf377","in_reply_to":"e2f3d47c_0eea4e75","updated":"2023-07-11 13:08:20.000000000","message":"I saw this in an actual deployment with OVN. I will do some digging as to the setup but don\u0027t think there was anything special done.\n\nLooking at the logs again, the request is coming from the correct IP, just being proxied, so this isn\u0027t someone injecting an invalid x-forwarded-for header trying to get metadata:\n\n2023-07-10 11:09:39.419 1966194 ERROR neutron.agent.ovn.metadata.server [-] No port found in network b62452f3-ec93-4cd7-af2d-9f9eabb33b12 with IP address 10.246.166.21,10.131.84.23\n2023-07-10 11:09:39.420 1966194 INFO eventlet.wsgi.server [-] 10.246.166.21,\u003clocal\u003e \"GET /latest/user-data/ HTTP/1.1\" status: 404  len: 297 time: 0.0598838\n\nBut since I didn\u0027t deploy it I don\u0027t know why there is a proxy.","commit_id":"20450e90ef28a1ca31e79cfb4dfd9bb2b196205b"}]}
