[Security Review] Daily Security Review — 2026-04-20

[github-actions[bot]]

📊 Executive Summary

The gh-aw-firewall codebase demonstrates a mature, defense-in-depth security posture. The architecture deliberately separates privilege boundaries (iptables-init container holds NET_ADMIN; the agent container does not), enforces L7 egress filtering via Squid, drops capabilities before executing user code, and applies a seccomp profile. npm audit reports zero vulnerabilities across all dependencies. No critical findings were identified in this review.

Metric	Value
npm vulnerabilities	0 (clean)
Attack surfaces mapped	7
STRIDE threats identified	9
Critical findings	0
High findings	1
Medium findings	3
Low findings	4

---

🔍 Context from Firewall Escape Test

The pre-fetched escape test file (/tmp/gh-aw/escape-test-summary.txt) contained only workflow orchestration telemetry from a "Secret Digger (Copilot)" run (workflow run 24273493151, dated 2026-04-11). Key signals:

• GH_AW_AGENT_CONCLUSION: success — agent completed successfully
• GH_AW_SECRET_VERIFICATION_RESULT: success — no secrets were exfiltrated
• GH_AW_LOCKDOWN_CHECK_FAILED: false — lockdown constraints held
• GH_AW_INFERENCE_ACCESS_ERROR: false — no inference endpoint access errors
• Agent produced only noop safe-output — no escalation, no data exfiltration discovered

This corroborates the static analysis findings: the sandbox successfully contained the agent and no secret-leakage bypass was achieved.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered from src/host-iptables.ts, containers/agent/setup-iptables.sh

The network enforcement has three layers:

1. Host-level FW_WRAPPER chain (src/host-iptables.ts) — Applied on the Docker bridge interface (fw-bridge). Restricts which containers on the bridge can reach the outside world. DNS restricted to configured servers only (default 8.8.8.8,8.8.4.4); all other DNS is blocked.

2. Container NAT chain (setup-iptables.sh) — Runs inside the agent's network namespace (via awf-iptables-init). DNAT rules redirect all TCP 80/443 to Squid at 172.30.0.10:3128. Localhost and agent self-IP are explicitly bypassed.

3. IPv6 disabled at container startup (setup-iptables.sh lines ~55-58):

   sysctl -w net.ipv6.conf.all.disable_ipv6=1
   sysctl -w net.ipv6.conf.default.disable_ipv6=1

   This prevents IPv6 from serving as a proxy bypass path.

⚠️ Observation (Medium): HTTP traffic relies entirely on iptables DNAT for proxy enforcement, since http_proxy (lowercase) is intentionally not set (httpoxy mitigation, documented in AGENTS.md). Tools that bypass HTTP_PROXY and also attempt raw TCP to port 80 will be correctly DNAT'd to Squid. However, if iptables rules fail to install (e.g., container capability issues), HTTP traffic would not be intercepted. The defensive comment in AGENTS.md acknowledges this but there is no runtime assertion verifying the DNAT rules succeeded before user code runs.

Container Security Assessment

Evidence from src/docker-manager.ts lines 683, 1524-1544, 1683-1684:

agent container:
  cap_add: ['SYS_CHROOT', 'SYS_ADMIN']   ← needed for chroot setup
  cap_drop: ['NET_RAW', ...]
  security_opt: ['no-new-privileges:true', 'seccomp=<workDir>/seccomp-profile.json']

iptables-init container:
  cap_add: ['NET_ADMIN', 'NET_RAW']
  cap_drop: ['ALL']                        ← all other caps dropped

api-proxy / doh-proxy sidecars:
  cap_drop: ['ALL']
  security_opt: ['no-new-privileges:true']

After chroot, capsh --drop=SYS_CHROOT,SYS_ADMIN is called before user code executes (entrypoint.sh), so those elevated capabilities are removed from the bounding set before the agent process starts.

✅ Strength: The separation of NET_ADMIN (iptables-init) from the agent container is a sound design — the agent process cannot modify its own firewall rules.

⚠️ Observation (Medium — SYS_ADMIN grant): The agent container requires SYS_ADMIN temporarily for tmpfs mount during SSL bump setup (src/ssl-bump.ts:70). SYS_ADMIN is extremely broad — it allows overlayfs mounts, namespace creation, and many other privileged operations. While it is dropped before user code runs, a race window exists between container start and capability drop where a compromised dependency in the entrypoint chain could exploit it.

UID/GID validation (src/docker-manager.ts:124) correctly rejects UIDs/GIDs 0–999 (system range) and the entrypoint (containers/agent/entrypoint.sh) additionally rejects UID/GID = 0 explicitly.

Domain Validation Assessment

Evidence from src/domain-patterns.ts:27, src/squid-config.ts:102-116:

// src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// src/squid-config.ts:102-116
function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(`...`);
  }
  return value;
}

All user-supplied domain strings are sanitized before interpolation into squid.conf. Characters that could inject Squid directives (whitespace, null bytes, quotes, semicolons, backticks, hash, backslash) are rejected with an exception.

⚠️ Observation (Low): The dangerous-chars regex does not include \ (backslash) in the character class but the comment says it does ("and backslashes"). Verified: SQUID_DANGEROUS_CHARS = /[\s\0"';#]/— backslash` is NOT in the class. A backslash in a domain name (which is invalid per RFC 1123 and would be rejected by Squid anyway) would not be caught here. This is a documentation inconsistency rather than an exploitable flaw, since Squid's dstdomain ACL would reject backslash-containing names. Still, the guard should match its stated scope.

Input Validation Assessment

Evidence from src/cli.ts:1052-1070:

export function escapeShellArg(arg: string): string {
  if (/^[a-zA-Z0-9_\-./=:]+$/.test(arg)) {
    return arg;
  }
  return `'\$\{arg.replace(/'/g, "'\\''")}'`;
}
```

When a multi-word command is passed (without quotes), `joinShellArgs` single-quote-escapes each argument and joins them. This is the correct POSIX approach. Single-argument pass-through (`args.length === 1`) is passed verbatim as a shell command string, by design — the user is expected to quote it themselves.

**⚠️ Observation (Low):** The trust comment at `entrypoint.sh` (`Trust assumption: $3 comes from Docker CMD set by docker-manager.ts`) is accurate, but the design choice of passing a user-controlled shell string (`args[0]`) as `/bin/bash -c "$3"` inside the chroot means the full expressive power of bash is available to the agent command. This is intentional (agents need shell) but means there is no shell injection "defense" — it is instead a design boundary. Users invoking `awf` must understand they are handing a shell to the agent.

---

## ⚠️ Threat Model (STRIDE)

| # | Category | Threat | Location | Likelihood | Impact | Severity |
|---|---|---|---|---|---|---|
| T1 | **Spoofing** | Agent impersonates Squid by sending traffic directly if DNAT fails | `setup-iptables.sh` | Low | High | Medium |
| T2 | **Tampering** | Malicious domain with special chars injected into `squid.conf` | `src/domain-patterns.ts` | Low | High | Low (mitigated) |
| T3 | **Tamper** | Upstream proxy `noProxy` list bypass for malicious domains | `src/squid-config.ts:36-39` | Low | Medium | Low |
| T4 | **Repudiation** | Agent traffic not attributed to specific process (UID logged, PID not available) | `setup-iptables.sh:LOG` | Medium | Low | Low |
| T5 | **Information Disclosure** | API keys in `/proc/<PID>/environ` before one-shot-token clears them | `entrypoint.sh` | Low | High | Medium |
| T6 | **Info Disclosure** | IPv6 not disabled on host — if container gets IPv6 address, traffic bypasses IPv4 NAT | `setup-iptables.sh` | Low | High | Medium |
| T7 | **Denial of Service** | Docker network subnet pool exhaustion from leaked awf-net networks (SIGKILL mid-cleanup) | `src/cli.ts` cleanup | Medium | Medium | Medium |
| T8 | **Elevation of Privilege** | `SYS_ADMIN` window between container start and `capsh --drop` | `containers/agent/entrypoint.sh` | Very Low | High | Low |
| T9 | **Elevation of Privilege** | Agent container with `SYS_CHROOT` could chroot before user-code if entrypoint chain is broken | `containers/agent/entrypoint.sh` | Very Low | High | Low |

---

## 🎯 Attack Surface Map

| Surface | Entry Point | Current Protections | Residual Risk |
|---|---|---|---|
| **Egress HTTP/HTTPS** | Agent → internet | Squid ACL + iptables DNAT | Low — DNAT fallback even for proxy-unaware tools |
| **DNS** | Agent → DNS servers | iptables restricts UDP/TCP 53 to whitelisted servers; Docker embedded DNS only in resolv.conf | Low |
| **IPv6 egress** | Agent → internet via IPv6 | sysctl disables IPv6 in container | Low — if sysctl fails silently, IPv6 may still work |
| **Domain injection** | `--allow-domains` CLI flag | `SQUID_DANGEROUS_CHARS` regex + `assertSafeForSquidConfig()` | Very Low |
| **Shell command** | `-- <command>` argument | No sanitization (by design); command runs as unprivileged user in chroot | Design boundary |
| **Container capabilities** | Agent container start | `cap_drop`, seccomp, `no-new-privileges` | Low; `SYS_ADMIN` temporarily present |
| **API credential theft** | Agent environment | one-shot-token LD_PRELOAD; tokens unset after agent starts | Low |

---

## 📋 Evidence Collection

<details>
<summary>npm audit — 0 vulnerabilities</summary>

```
vulns: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

SQUID_DANGEROUS_CHARS definition (src/domain-patterns.ts:27)

export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

Note: backslash \ is absent from this regex despite the accompanying comment claiming it is included.

Capability configuration (src/docker-manager.ts:1524-1544)

cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', ...],
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
]

iptables-init separation (src/docker-manager.ts:1683)

cap_add: ['NET_ADMIN', 'NET_RAW'],
cap_drop: ['ALL'],

Agent container does NOT get NET_ADMIN — confirmed by test at line 895.

IPv6 disable in container (setup-iptables.sh)

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Failure is non-fatal (prints WARNING). If sysctl fails, IPv6 remains enabled.

Escape test run telemetry

Workflow: Secret Digger (Copilot), run 24273493151 (2026-04-11)

• GH_AW_SECRET_VERIFICATION_RESULT: success
• GH_AW_LOCKDOWN_CHECK_FAILED: false
• Agent produced only noop output — no secrets exfiltrated

---

✅ Recommendations

🔴 High

H1 — Assert iptables DNAT rules installed successfully before starting user command

Currently setup-iptables.sh can emit warnings (e.g., IPv6 sysctl failure) and continue. If the DNAT redirect for port 80/443 silently fails, HTTP/HTTPS traffic would egress without filtering. Add a verification step after rule installation that confirms the expected DNAT rules exist (e.g., iptables -t nat -L OUTPUT | grep REDIRECT check) and fail the container if they are absent.

🟠 Medium

M1 — Harden SYS_ADMIN grant scope (SSL Bump path only)

SYS_ADMIN is only needed for tmpfs mount during SSL Bump setup. Consider splitting the entrypoint into a privileged setup phase and a capability-drop phase more aggressively, or replacing the tmpfs approach with a pre-allocated ramdisk, to narrow the SYS_ADMIN window.

M2 — Handle IPv6 sysctl failure as fatal

The current code prints a WARNING if sysctl -w net.ipv6.conf.all.disable_ipv6=1 fails, then continues. An attacker in a container where sysctl is restricted would retain IPv6 connectivity that bypasses the IPv4 DNAT rules. Treat this as fatal, or verify no IPv6 routes exist before proceeding.

M3 — Document the one-shot-token timing window

The entrypoint.sh runs the agent in background, waits up to 1 second for token caching, then unsets tokens from the parent shell. The comment acknowledges tokens are cached in ~100ms. This is correct for single-process agents, but if the agent forks quickly before the LD_PRELOAD hook initializes (e.g., /bin/sh shebang scripts), tokens may not be cached before the parent unsets them. Add a test case covering shell-script agents.

🟡 Low

L1 — Fix SQUID_DANGEROUS_CHARS to include backslash

src/domain-patterns.ts:27 — Add \\ to the regex character class to match the documented behavior. While backslash in domain names is invalid per RFC 1123 and Squid would reject such entries, the guard should accurately reflect its intent:

export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#\\]/;

L2 — Add iptables log verification test

Integration test coverage for the [FW_BLOCKED_UDP] and [FW_BLOCKED_OTHER] iptables LOG rules is absent (per docs/INTEGRATION-TESTS.md). Add a test that verifies blocked non-HTTP traffic appears in kernel logs.

L3 — Pin ubuntu/squid:latest to a digest

containers/squid/Dockerfile (via ubuntu/squid:latest) uses a floating tag. A supply-chain compromise of the upstream image would affect all users pulling latest. Pin to a specific digest with automated update tooling (e.g., Dependabot or Renovate).

L4 — Consider AppArmor profile for Squid container

The Squid container has no AppArmor profile configured (only the agent has seccomp). Adding an AppArmor profile for the Squid process would restrict file system access and syscalls beyond what seccomp alone provides.

---

📈 Security Metrics

Metric	Value
Security-critical TypeScript files analyzed	src/cli.ts, src/host-iptables.ts, src/docker-manager.ts, src/squid-config.ts, src/domain-patterns.ts, src/ssl-bump.ts
Security-critical shell scripts analyzed	containers/agent/entrypoint.sh, containers/agent/setup-iptables.sh
Attack surfaces enumerated	7
STRIDE threats identified	9
Mitigated threats (existing controls)	7
Residual threats requiring attention	2 (T1, T6)
npm dependency vulnerabilities	0
Critical / High / Medium / Low findings	0 / 1 / 3 / 4

Overall security posture: Strong. The architecture correctly separates privilege, enforces L7 egress filtering, uses seccomp + capability drop, and validates all user-controlled input before injection into configuration files. Recommended improvements are hardening measures, not fixes for exploitable vulnerabilities.

Generated by Daily Security Review and Threat Modeling · ● 523.2K · ◷

• expires on Apr 27, 2026, 1:21 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has walked this thread.
The runes report network, build, and filesystem omens observed.
May the next invocation find these wards still intact.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has walked this thread.
By starlight and circuit, the omen is recorded in the firewall annals.
May the next run pass beneath a favorable moon.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test oracle has walked this thread and marked the run.
May the network wards remain unbroken and the logs speak truth.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has walked these halls. The omens were read, the runes were checked, and this discussion now bears the mark of passage.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the firewall omens align.
The smoke-test wanderer passed this chamber and marked the run.
By moonlit logs and sealed ports, the oracle records this sign.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls. This smoke-test oracle has walked this thread, read the runes, and marked its passage. May the network wards hold true.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex