[Security Review] Daily Security Review and Threat Modeling — 2026-04-06

[github-actions[bot]]

📊 Executive Summary

This review covers the gh-aw-firewall codebase at version 0.23.1. The architecture demonstrates strong security-first design: layered network controls (host-level DOCKER-USER chain + container-level iptables + Squid L7 ACLs), meaningful capability dropping, one-shot token protection, and DLP scanning. No critical vulnerabilities were found. Two medium-severity findings deserve attention — Squid port binding scope and incomplete container-level ICMP filtering.

No prior "Firewall Escape Test Agent" workflow was found in the workflow registry (no matching workflow name). The security review is based entirely on source analysis.

Category	Finding	Severity
Network	Squid port 3128 bound to all host interfaces	Medium
Network	Container OUTPUT chain doesn't block ICMP	Medium
Container	mount/unshare/setns allowed in seccomp while AppArmor is unconfined	Low-Medium
Secrets	5-second token exposure window before unset	Low
Feature flag	--enable-dind grants Docker socket / firewall bypass	High (opt-in)
DLP	URL-only credential scanning; body/header content opaque	Informational
DNS	DNS tunneling to upstream servers is possible (data rate limited)	Informational

---

🛡️ Architecture Security Analysis

Network Security Assessment

The network stack uses a defense-in-depth model:

1. Host-level DOCKER-USER chain (src/host-iptables.ts) — all container egress hits FW_WRAPPER, which allows only: Squid IP, DNS to configured upstreams, established/related, localhost, and explicitly allowed host gateway IPs. All other traffic is REJECTed at line 528-530:

   // src/host-iptables.ts:522-530
   // 8. Default deny all other traffic
   await execa('iptables', ['-t', 'filter', '-A', CHAIN_NAME, '-j', 'LOG', ...]);
   await execa('iptables', ['-t', 'filter', '-A', CHAIN_NAME, '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable']);

2. Container-level iptables (containers/agent/setup-iptables.sh) — DNAT redirects HTTP/HTTPS to Squid, blocks dangerous ports (22/25/3306/6379 etc.), default-drops TCP and UDP.

3. Squid L7 ACL (src/squid-config.ts) — domain allowlist enforced before http_access allow localnet, direct-IP CONNECT denied, safe-port enforcement.

Finding 1 — Medium: Squid port 3128 bound to all host interfaces

// src/docker-manager.ts:453
ports: [`\$\{SQUID_PORT}:\$\{SQUID_PORT}`],  // "3128:3128" — binds to 0.0.0.0
```

This means any process that can reach the runner's port 3128 from a private network (10/8, 172.16/12, 192.168/16) matches `acl localnet` in Squid:

```
// src/squid-config.ts:581-585
acl localnet src 172.16.0.0/12
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

Followed by http_access allow localnet (line 601) after domain deny rules. This means a co-located process or another container on the host's Docker bridge could use this Squid instance as a forward proxy for the whitelisted domains. The domain whitelist still limits blast radius, but unintended proxy access is possible.

Recommendation: Bind Squid only to the AWF bridge IP: change ports: ["3128:3128"] to ports: ["172.30.0.10:3128:3128"]. Alternatively, restrict acl localnet to only 172.30.0.0/24.

---

Finding 2 — Medium: Container OUTPUT chain does not block ICMP

setup-iptables.sh only adds explicit DROP rules for TCP and UDP:

# containers/agent/setup-iptables.sh:415-418
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# ICMP is not handled here

The container's default OUTPUT policy is ACCEPT (Docker default), so ICMP egress (including ICMP tunnel tools like icmptunnel, ptunnel) is not blocked at the container firewall level. ICMP data exfiltration is blocked by the host-level FW_WRAPPER default REJECT (src/host-iptables.ts:528-530), but the container's own defense-in-depth is incomplete.

Recommendation: Add explicit ICMP blocks in setup-iptables.sh:

# After the UDP DROP rule, block remaining protocols including ICMP:
iptables -A OUTPUT -p icmp -j DROP
iptables -A OUTPUT -j DROP  # catch-all for other protocols

---

Container Security Assessment

Capability Model — Well-designed

The init container (awf-iptables-init) takes NET_ADMIN+NET_RAW and sets up iptables. The agent container never receives NET_ADMIN. Chroot mode grants SYS_CHROOT+SYS_ADMIN (for procfs mount) then drops them via capsh before user code:

# containers/agent/entrypoint.sh:760
exec capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'

Finding 3 — Low-Medium: mount/unshare/setns in seccomp while AppArmor is unconfined

# Evidence from seccomp-profile.json analysis:
mount: SCMP_ACT_ALLOW
setns: SCMP_ACT_ALLOW
unshare: SCMP_ACT_ALLOW
pivot_root: SCMP_ACT_ERRNO  # blocked ✓

# src/docker-manager.ts:1239-1242
security_opt:
  - 'no-new-privileges:true'
  - 'seccomp=.../seccomp-profile.json'
  - 'apparmor:unconfined'   # <-- necessary for procfs mount but removes AppArmor layer

AppArmor is disabled because Docker's default AppArmor profile blocks mount (needed for /host/proc). With AppArmor unconfined and mount allowed in seccomp, the only enforcement preventing namespace operations post–SYS_ADMIN drop is the Linux capability system. If SYS_ADMIN drop via capsh were to fail (e.g., binary not found on some host configurations, capsh path confusion), the syscall-level guardrail would be absent.

Recommendation: Consider a custom AppArmor profile that permits only the specific proc filesystem mount rather than unconfined. This would re-enable AppArmor defense without blocking the required procfs mount.

Finding 4 — Low: 5-second token exposure window

# containers/agent/entrypoint.sh:761-768
chroot /host /bin/bash -c "... exec capsh ..." &
AGENT_PID=$!

# Wait for agent to initialize and cache tokens (5 seconds)
sleep 5

# Unset all sensitive tokens from parent shell environment
unset_sensitive_tokens

Tokens (ANTHROPIC_API_KEY, GITHUB_TOKEN, etc.) remain in /proc/1/environ for 5 seconds after the agent subprocess starts. A malicious process that reads /proc/1/environ before sleep 5 completes can capture them. This is partially mitigated by the one-shot-token library (LD_PRELOAD=/usr/local/lib/one-shot-token.so), which makes the values unavailable for re-read. However, the parent process (PID 1 in the container) still holds them in its environ for the sleep duration.

Recommendation: Reduce the sleep window or replace it with a synchronization mechanism (e.g., the agent writes a ready signal once tokens are cached).

---

Finding 5 — High (opt-in): --enable-dind grants Docker socket and firewall bypass

// src/docker-manager.ts:999-1006
if (config.enableDind) {
  logger.warn('Docker-in-Docker enabled: agent can run docker commands (firewall bypass possible)');
  const dockerSocketPath = '/var/run/docker.sock';
  agentVolumes.push(`\$\{dockerSocketPath}:/host\$\{dockerSocketPath}:rw`);
  agentVolumes.push('/run/docker.sock:/host/run/docker.sock:rw');
```

The Docker socket provides root-equivalent host access. An agent with `--enable-dind` can spawn new containers without AWF network restrictions, read other containers' environment variables, and escalate to host root. This is deliberate and documented, but deserves clear operator guidance.

**Recommendation:** Emit an error (not warning) when `--enable-dind` is combined with production secrets. Add a `--accept-dind-risk` acknowledgment flag to prevent accidental use.

---

### Domain Validation Assessment — Strong

`src/domain-patterns.ts` implements thorough validation:
- Rejects `*`, `*.*`, and all-wildcard-dot patterns
- Rejects dangerous Squid config characters (`\s`, `"`, `'`, `` ` ``, `;`, `#`, `\0`, `\`)
- Uses character-class based wildcard expansion (`[a-zA-Z0-9.-]*`) instead of `.*` to prevent ReDoS
- Length-caps domain matching at 512 characters
- Double-checks all values at interpolation time with `assertSafeForSquidConfig()`

Direct IP CONNECT is blocked in Squid:
```
// src/squid-config.ts:591-594
acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl dst_ipv6 dstdom_regex ^\[?[0-9a-fA-F:]+\]?$
http_access deny dst_ipv4
http_access deny dst_ipv6

---

Input Validation / Injection Assessment — Good

execa is used throughout src/docker-manager.ts with argument arrays (not shell strings), preventing shell injection in Docker commands. Domain parameters are validated before Squid config interpolation. UID/GID values are validated as numeric and non-zero in entrypoint.sh:

# containers/agent/entrypoint.sh:14-32
if ! [[ "$HOST_UID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi  # Cannot be root
```

---

## ⚠️ Threat Model (STRIDE)

| Threat | Attack Vector | Evidence | Likelihood | Impact | Mitigation Status |
|---|---|---|---|---|---|
| **Spoofing** | DNS cache poisoning to redirect allowed domain | DNS forced to configured servers only; Squid re-resolves | Low | Medium | ✅ Mitigated (DNS whitelist, SNI checking) |
| **Tampering** | Agent modifies iptables at runtime | `NET_ADMIN` never granted to agent; init container separate | Very Low | Critical | ✅ Mitigated |
| **Tampering** | Inject Squid config via domain parameter | `assertSafeForSquidConfig()` + char blocklist | Very Low | High | ✅ Mitigated |
| **Repudiation** | Agent claims no network access | Squid access.log + audit.jsonl + iptables LOG | Low | Low | ✅ Good logging coverage |
| **Info Disclosure** | Credentials in HTTP POST body exfiltrated | DLP scans URLs only, not bodies | Medium | High | ⚠️ Partially mitigated (URL DLP only) |
| **Info Disclosure** | ICMP tunnel data exfiltration | No container-level ICMP block; host FW_WRAPPER blocks | Low | Medium | ⚠️ Host-level mitigated only |
| **Info Disclosure** | Token capture via `/proc/1/environ` | 5-second sleep window before unset | Low | High | ⚠️ Partially mitigated (1-shot lib) |
| **Denial of Service** | Resource exhaustion via rapid requests | `pids_limit: 1000`, `mem_limit: 6g` in place | Low | Medium | ✅ Mitigated |
| **Elevation of Privilege** | Container escape via Docker socket | `--enable-dind` mounts socket; default hides it | Low (opt-in) | Critical | ⚠️ Warning-only; no acknowledgment flag |
| **Elevation of Privilege** | capsh bypass → retain SYS_ADMIN → mount namespace escape | capsh binary must exist on host; seccomp allows mount | Very Low | Critical | ✅ Multiple mitigations |

---

## 🎯 Attack Surface Map

| Entry Point | File:Line | Current Protections | Risk |
|---|---|---|---|
| `--allow-domains` input | `src/domain-patterns.ts:validateDomainOrPattern()` | char blocklist, wildcard limits, length cap | Low |
| Docker socket (default) | `src/docker-manager.ts:1011` | Bound to `/dev/null` by default | Low |
| Docker socket (`--enable-dind`) | `src/docker-manager.ts:1003-1006` | Warning only | High |
| Squid port 3128 | `src/docker-manager.ts:453` | `http_access allow localnet` (broad) | Medium |
| DNS upstream servers | `containers/agent/setup-iptables.sh:144-158` | Whitelist only, no rate limit on DNS | Low-Medium |
| `/proc/1/environ` | `containers/agent/entrypoint.sh:764-768` | 5s window; 1-shot lib in agent | Low |
| Filesystem (workspace) | `src/docker-manager.ts:1029+` | Selective mounts; creds hidden via `/dev/null` | Low |
| Host gateway (`--enable-host-access`) | `containers/agent/setup-iptables.sh:196-247` | Port whitelist; IP validation | Low |
| User command string | `src/docker-manager.ts:CMD` | Passed as array via execa (no shell) | Low |

---

## ✅ Recommendations

### Critical
_None identified._

### High
1. **`--enable-dind` acknowledgment requirement** — Add `--accept-dind-risk` flag required alongside `--enable-dind`. Emit an error (not just warning) if used without it. Document clearly that Docker socket ≈ host root.

### Medium
2. **Bind Squid to AWF bridge IP only** — Change `ports: [\`\$\{SQUID_PORT}:\$\{SQUID_PORT}\`]` to `ports: [\`172.30.0.10:\$\{SQUID_PORT}:\$\{SQUID_PORT}\`]`. This prevents the Squid instance from being reachable on any interface outside the AWF Docker network.

3. **Add explicit ICMP block in container OUTPUT chain** — `setup-iptables.sh` should add `iptables -A OUTPUT -p icmp -j DROP` and a catch-all `iptables -A OUTPUT -j DROP` after the UDP drop rule. This makes the container's own firewall complete (not dependent on host-level FW_WRAPPER).

4. **Narrow Squid `localnet` ACL** — Replace the current broad RFC1918 ranges with only `172.30.0.0/24` (the AWF bridge subnet). No other source should need to reach Squid.

### Low
5. **AppArmor custom profile** — Instead of `apparmor:unconfined`, create a minimal AppArmor profile permitting only `mount proc /host/proc`. This re-enables AppArmor defense for user code.

6. **Reduce token exposure window** — Replace `sleep 5` with a signal file or pipe mechanism: the one-shot-token library writes a ready signal once it has cached all tokens, then the parent shell immediately unsets them.

7. **Restrict `setns`/`unshare` in seccomp** — These syscalls enable namespace escape vectors. Consider restricting them to the entrypoint's pre-user-code setup phase if possible (e.g., using seccomp filters with conditional arguments).

---

## 📋 Evidence Collection

<details>
<summary>Squid port binding (docker-manager.ts:453)</summary>

```
ports: [`\$\{SQUID_PORT}:\$\{SQUID_PORT}`],
// SQUID_PORT = 3128
// Binds to 0.0.0.0:3128 → all host interfaces

Container ICMP not blocked (setup-iptables.sh:415-418)

iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# No ICMP rule — default policy is ACCEPT

Seccomp mount/unshare/setns allowed

mount: SCMP_ACT_ALLOW
setns: SCMP_ACT_ALLOW
unshare: SCMP_ACT_ALLOW
pivot_root: SCMP_ACT_ERRNO   ← blocked
umount/umount2: SCMP_ACT_ERRNO  ← blocked
defaultAction: SCMP_ACT_ERRNO  ← good default
```
</details>

<details>
<summary>npm audit — clean</summary>

```
Total vulnerabilities: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

Token unset timing (entrypoint.sh:764-768)

chroot /host /bin/bash -c "... exec capsh ..." &
AGENT_PID=$!
sleep 5   # ← token window
unset_sensitive_tokens
wait $AGENT_PID

---

📈 Security Metrics

• Lines of security-critical code analyzed: ~2,500 (host-iptables.ts, docker-manager.ts, setup-iptables.sh, entrypoint.sh, domain-patterns.ts, squid-config.ts)
• Attack surfaces enumerated: 9
• STRIDE threats evaluated: 10
• npm vulnerabilities found: 0
• Critical findings: 0
• High findings: 1 (opt-in feature, well-documented)
• Medium findings: 2 (actionable improvements)
• Low findings: 3 (hardening improvements)

Generated by Daily Security Review and Threat Modeling · ● 3.2M · ◷

• expires on Apr 13, 2026, 1:15 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-13T13:15:23.894Z.

Closed by Workflow