
What You’ll Learn

  • Creating a sandbox with network={"deny_out": ["169.254.169.254/32"]} to block the metadata endpoint
  • Verifying the metadata endpoint is unreachable (SSRF protection)
  • Verifying normal internet access still works in the same sandbox
  • Understanding why blocking the metadata service matters

Why This Matters

In cloud environments (AWS, GCP, Azure), the instance metadata service at 169.254.169.254 can expose:
  • IAM credentials and access tokens
  • Instance identity documents
  • User data scripts (which may contain secrets)
  • Network configuration details
Untrusted code running inside a sandbox can query this endpoint directly, and an SSRF bug in an application you run there lets an outside attacker do the same, so either path can steal the host's cloud credentials. Adding 169.254.169.254/32 to deny_out blocks that one address while allowing all other outbound traffic. The rule covers only the IPv4 address: if the sandbox has IPv6 egress, bear in mind that AWS also serves IMDS at fd00:ec2::254, which this rule does not touch.

Prerequisites

This example is available in Python. TypeScript version coming soon.

Code Walkthrough

Create a sandbox that selectively blocks only the metadata IP:
from declaw import Sandbox

sbx = Sandbox.create(
    template="python",
    timeout=300,
    network={"deny_out": ["169.254.169.254/32"]},
)
The metadata test script tries to open a TCP connection to port 80 on the metadata IP:
METADATA_TEST = """
import socket
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect(("169.254.169.254", 80))
    s.close()
    print("CONNECTED")
except Exception as e:
    print(f"BLOCKED: {e}")
"""
Test 1 — metadata endpoint should be blocked. Read the result carefully: CONNECTED always means the rule is not in effect, but BLOCKED on its own does not prove the rule did the blocking, because a host with no metadata service times out just the same. When that distinction matters, run the same script in a sandbox created without deny_out and compare the two outputs:
sbx.files.write("/tmp/meta_test.py", METADATA_TEST)
result = sbx.commands.run("python3 /tmp/meta_test.py", timeout=15)
print(f"  Output: {result.stdout.strip()}")

if "BLOCKED" in result.stdout:
    print("  [PASS] Cloud metadata endpoint blocked (SSRF mitigated).")
else:
    print("  [FAIL] Sandbox reached 169.254.169.254:80; deny_out is not in effect.")
Test 2 — normal internet should still work (only metadata is denied):
INTERNET_TEST = """
import socket
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect(("1.1.1.1", 80))
    s.close()
    print("CONNECTED")
except Exception as e:
    print(f"BLOCKED: {e}")
"""

sbx.files.write("/tmp/inet_test.py", INTERNET_TEST)
result = sbx.commands.run("python3 /tmp/inet_test.py", timeout=15)
print(f"  Output: {result.stdout.strip()}")

if "CONNECTED" in result.stdout:
    print("  [PASS] Normal internet access works (only metadata blocked).")
else:
    print("  [FAIL] 1.1.1.1:80 was blocked too: either the sandbox has no egress")
    print("         at all, or the deny rule is broader than intended.")
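
The two tests above share one weakness: a BLOCKED result cannot tell "the rule worked" from "there was nothing to reach". The following is an added example, not code from this page or from the declaw SDK, that factors the probe into a function, models the deny_out CIDR semantics with Python's ipaddress module, and adds the control comparison that turns the two probe outputs into a verdict. The loopback listener and the closed port are constructed stand-ins for a reachable and a denied metadata endpoint, so it runs offline; the names `probe`, `verdict`, `egress_allowed`, `start_loopback_listener` and `closed_loopback_port` are assumptions of this example, and fd00:ec2::254 is AWS's IPv6 IMDS address, included to show what the /32 rule does not cover.

```python
import ipaddress
import socket
import threading

METADATA_IP = "169.254.169.254"        # the address the page denies
METADATA_DENY = [f"{METADATA_IP}/32"]  # the deny_out value used on this page


def egress_allowed(dst_ip: str, deny_out: list[str]) -> bool:
    """Model of deny_out semantics (assumed here: a destination is blocked iff it
    falls inside any listed CIDR). Shows that /32 denies exactly one address and
    that an IPv4 rule never matches an IPv6 destination such as fd00:ec2::254."""
    dst = ipaddress.ip_address(dst_ip)
    return not any(dst in ipaddress.ip_network(cidr, strict=False) for cidr in deny_out)


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """The same check the page's test scripts run inside the sandbox: one TCP
    connect, reported as CONNECTED or BLOCKED: <reason>. A dropped packet shows
    up as 'timed out', a closed port as 'Connection refused'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "CONNECTED"
    except socket.timeout:
        return "BLOCKED: timed out"
    except OSError as exc:
        return f"BLOCKED: {exc}"


def verdict(control_out: str, denied_out: str) -> str:
    """Decide what a pair of probe outputs proves.
    control_out: stdout of the probe in a sandbox created WITHOUT deny_out
    denied_out:  stdout of the probe in a sandbox created WITH deny_out=METADATA_DENY
    PASS         control reaches metadata, denied sandbox does not: the rule works
    FAIL         denied sandbox reached metadata: the rule is not enforced
    INCONCLUSIVE neither reached it: no metadata service here, nothing was tested"""
    control_ok = "CONNECTED" in control_out
    denied_ok = "CONNECTED" in denied_out
    if denied_ok:
        return "FAIL"
    if control_ok:
        return "PASS"
    return "INCONCLUSIVE"


def start_loopback_listener() -> int:
    """Constructed stand-in for a reachable metadata service: a TCP listener on
    127.0.0.1 that accepts and immediately closes. Returns the bound port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Constructed stand-in for the denied sandbox's view: a port nobody listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, closed_port = start_loopback_listener(), closed_loopback_port()
    control = probe("127.0.0.1", open_port, 2.0)    # emulates the control sandbox
    denied = probe("127.0.0.1", closed_port, 2.0)   # emulates the denied sandbox
    print(f"control: {control}\ndenied:  {denied}\nverdict: {verdict(control, denied)}")
    for ip in (METADATA_IP, "169.254.169.253", "1.1.1.1", "fd00:ec2::254"):
        print(f"{ip:>16} allowed under {METADATA_DENY}: {egress_allowed(ip, METADATA_DENY)}")
```

In a real run, `control` and `denied` are simply the stdout of `sbx.commands.run("python3 /tmp/meta_test.py")` from two sandboxes, one created without network rules and one with the page's deny_out; `verdict` and `egress_allowed` are unchanged. The `egress_allowed` loop is the quick way to sanity-check a deny list before deploying it: widening the rule to 169.254.0.0/16 catches the rest of the link-local range, but no IPv4 prefix will ever block the IPv6 endpoint.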

Expected Output

============================================================
Network Metadata Blocking Example (SSRF Protection)
============================================================

--- Creating sandbox with deny_out=[169.254.169.254/32] ---
Sandbox created: sbx_abc123

--- Test 1: Connect to metadata endpoint (should FAIL) ---
  Output: BLOCKED: timed out
  [PASS] Cloud metadata endpoint blocked (SSRF mitigated).

--- Test 2: Connect to normal internet (should SUCCEED) ---
  Output: CONNECTED
  [PASS] Normal internet access works (only metadata blocked).

--- Why Metadata Blocking Matters ---
  Cloud metadata services (169.254.169.254) expose:
    - IAM credentials and access tokens
    - Instance identity documents
    - Network configuration
  SSRF attacks trick apps into querying this endpoint.
  Blocking it prevents credential theft from compromised sandboxes.

--- Cleaning Up ---
  Sandbox sbx_abc123 killed.

============================================================
Done!
============================================================