chroma
[Bug]: potential security issue if deploying to a server
What happened?
A Discord member reported a security concern. I then investigated and can confirm my findings.
Right now, once the docker-compose file is deployed to an externally accessible machine, there is no password authentication for the database. This needs to be changed.
If we were to add proper authentication for the API, we could just remove this part. However, I can't see any authentication currently. The API is also in debug mode.
ports:
  - '8123:8123'
  - '9000:9000'
from the docker-compose.yaml, so the database won't be accessible from the outside. I would, though, suggest a password for the db too!
I highly recommend at least placing a hint or warning about that.
Versions
13.04.2023 - release 0.3.21
We currently reference this in the docs: https://docs.trychroma.com/deployment
⚠️ This basic stack doesn't support any kind of authentication; anyone who knows your server IP will be able to add and query for embeddings. To secure this endpoint, you'll need to put it behind AWS API Gateway or add your own authenticating proxy.
Open to suggestions for how we can make this all around better!
Closing this because we will handle it, but it's not a security issue right now.
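The port mappings quoted in the issue use Compose's short syntax with no host address, which Docker publishes on all host interfaces. The following check is an added example, not part of the original thread or Chroma's own code: it takes the `ports:` entries of a service and reports which ones are reachable from outside the host. The function names and every sample entry other than `8123:8123` and `9000:9000` are constructed for illustration.

```python
import ipaddress

def parse_port(spec):
    """Split a short-syntax Compose port entry into (host_ip, host_port, container_port).

    Accepted forms: CONTAINER, HOST:CONTAINER, IP:HOST:CONTAINER, [IPv6]:HOST:CONTAINER,
    each optionally followed by /tcp or /udp. With no IP, Docker binds all interfaces.
    """
    spec = str(spec).split("/", 1)[0]            # drop the protocol suffix
    if spec.startswith("["):                     # bracketed IPv6 host address
        ip, _, rest = spec[1:].partition("]:")
        parts = rest.split(":")
    else:
        parts = spec.split(":")
        ip = parts.pop(0) if len(parts) == 3 else None
    if len(parts) == 1:                          # container port only: ephemeral host port
        host, container = None, parts[0]
    elif len(parts) == 2:
        host, container = parts
    else:
        raise ValueError(f"unsupported port entry: {spec!r}")
    return ip or "0.0.0.0", host or None, container

def externally_reachable(specs):
    """Return the entries that are published on a non-loopback host address."""
    findings = []
    for spec in specs:
        ip, host, container = parse_port(spec)
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append((spec, ip, host or "ephemeral", container))
    return findings

# Entries quoted in the issue.
PAGE_PORTS = ["8123:8123", "9000:9000"]
# Constructed variants: loopback-only bindings, a bare container port, an explicit address.
CONSTRUCTED_PORTS = ["127.0.0.1:8123:8123", "[::1]:9000:9000", "9000",
                     "192.0.2.10:9000:9000/tcp"]

if __name__ == "__main__":
    for spec, ip, host, container in externally_reachable(PAGE_PORTS + CONSTRUCTED_PORTS):
        print(f"{spec!r}: container port {container} published on {ip}:{host}")
```

Binding the database ports to `127.0.0.1`, or removing the mapping as the issue suggests, takes them out of the report; the bare `9000` form is still flagged because Docker assigns it an ephemeral host port on all interfaces.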