[Security Review] Daily Security Review — 2026-04-09

[github-actions[bot]]

📊 Executive Summary

Review date: 2026-04-09 | Reviewer: Automated Security Agent (claude-sonnet-4.6)
Codebase snapshot: github/gh-aw-firewall main branch
Security-critical files analyzed: 7,736 lines across src/cli.ts, src/docker-manager.ts, src/squid-config.ts, src/host-iptables.ts, containers/agent/entrypoint.sh, containers/agent/setup-iptables.sh, containers/agent/seccomp-profile.json

Overall posture: STRONG — Defence-in-depth architecture with well-layered controls. Three notable gaps identified, none critical in isolation but combinable in adversarial scenarios.

Category	Finding count
Critical	0
High	1
Medium	3
Low	3
Informational	4

---

🔍 Findings from Firewall Escape Test

The escape-test summary file (/tmp/gh-aw/escape-test-summary.txt) contained CI pipeline metadata from the Secret Digger (Copilot) workflow run, not structured escape-test results. Key data points:

• Workflow conclusion: success
• Secret verification result: success
• Agent output: noop (no secrets or vulnerabilities reported)
• Inference access error: false
• Lockdown check failed: false

Interpretation: The most recent automated secret/escape scan found no exposed secrets and reported no actionable findings. This is consistent with the code-level analysis below showing the one-shot-token LD_PRELOAD library, unset_sensitive_tokens(), and token-scrubbing controls are properly implemented.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered from containers/agent/setup-iptables.sh (460 lines) and src/host-iptables.ts (702 lines):

Strong controls:

• All TCP port 80/443 traffic is DNAT'd to Squid (172.30.0.10:3128) via NAT OUTPUT rules (lines 341–342 of setup-iptables.sh)
• IPv6 is proactively disabled via sysctl -w net.ipv6.conf.all.disable_ipv6=1 (lines 48–49) — prevents IPv6 bypass
• DNS restricted to configured servers only; direct queries to non-whitelisted DNS servers are blocked
• Host-level DOCKER-USER chain (src/host-iptables.ts) enforces egress at the host bridge layer — secondary control independent of in-container rules
• Dangerous ports (SSH/22, SMTP/25, MySQL/3306, Redis/6379, MongoDB/27017, etc.) blocked via explicit NAT RETURN + DROP rules
• Default-deny OUTPUT filter chain: final rules are iptables -A OUTPUT -p tcp -j DROP and iptables -A OUTPUT -p udp -j DROP

⚠️ Gap — ICMP not in default-deny (Medium):

# setup-iptables.sh lines 428–430
iptables -A OUTPUT -p tcp -j DROP      # ← TCP blocked
iptables -A OUTPUT -p udp -j DROP      # ← UDP blocked
# ← NO iptables -A OUTPUT -p icmp -j DROP
```
ICMP traffic (ping, traceroute, ICMP-type-0/8/11) is **neither redirected to Squid nor blocked** by the default-deny rules. This permits:
- Raw ping to arbitrary external IPs
- Potential covert ICMP data exfiltration (e.g., ICMP echo payloads)
- ICMP redirect/unreachable responses from arbitrary hosts

Squid's pinger is disabled (`pinger_enable off` in `src/squid-config.ts:551`) and the agent has no `NET_RAW` capability, so it cannot send raw IP packets. However, the kernel can still send normal ICMP (e.g., in response to connection refused scenarios), and tools like `ping` using the `IPPROTO_ICMP` socket type (non-raw) could still function. This is a **medium** severity gap.

### Container Security Assessment

**Evidence from `src/docker-manager.ts` lines 1298–1321, `containers/agent/entrypoint.sh`:**

**Strong controls:**
- iptables-init container: `cap_add: ['NET_ADMIN', 'NET_RAW'], cap_drop: ['ALL']` — minimum privilege, runs for 2–3 seconds then exits
- Agent container: `cap_drop: ['NET_RAW', ...]` — prevents raw socket creation
- Seccomp profile (`containers/agent/seccomp-profile.json`): **allowlist-based** (`defaultAction: SCMP_ACT_ERRNO`) with 343 explicitly allowed and 28 explicitly denied syscalls

Explicitly blocked syscalls of note:
```
ptrace, kexec_load, kexec_file_load, init_module, finit_module, delete_module,
pivot_root, process_vm_readv, process_vm_writev, add_key, keyctl, reboot, personality

• mount is in the allow list (needed for procfs mount in entrypoint), but umount/umount2 are explicitly blocked — prevents an agent from unmounting security boundaries
• Sensitive tokens are unset from environment before user code runs (unset_sensitive_tokens(), entrypoint.sh:369–395)
• One-shot-token LD_PRELOAD library (/usr/local/lib/one-shot-token.so) protects API keys from being read more than once

⚠️ SYS_ADMIN in agent container (High — mitigated):

// src/docker-manager.ts:1306
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],

SYS_ADMIN is one of the most powerful Linux capabilities (encompasses ~25 distinct privileges including mount, setns, swapon, etc.). It is granted to the agent container to allow the entrypoint to mount procfs at /host/proc before privilege drop. The capability is dropped via capsh before user code runs:

# entrypoint.sh:809
exec capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'

Risk: The window between container start and capsh execution runs the full entrypoint.sh (~886 lines) as root with SYS_ADMIN. If the entrypoint script has a vulnerability, SYS_ADMIN could be exploited. Additionally, the seccomp profile's allowlist must permit mount for the procfs operation, meaning mount syscalls are available throughout container lifetime to any root process.

Mitigation quality: AppArmor (Docker's default profile) restricts mount even with SYS_ADMIN; seccomp provides a second layer. The entrypoint is well-written with proper validation. Risk is residual rather than active, but worth tracking.

UID/GID validation (Strong):

# entrypoint.sh:14–30
if ! [[ "$HOST_UID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi   # Cannot be root

Prevents root-UID injection via AWF_USER_UID env var.

Domain Validation Assessment

Evidence from src/domain-patterns.ts, src/squid-config.ts:

Strong controls:

• SQUID_DANGEROUS_CHARS = /[\s\0"';#]/` — blocks whitespace, null bytes, comment chars, quote chars that could inject Squid directives
• assertSafeForSquidConfig() called before every domain interpolation into squid.conf
• Wildcard-to-regex uses [a-zA-Z0-9.-]* (not .*) — prevents ReDoS attacks against the regex engine
• Anchored regex: ^ + $ — exact domain matching, no partial-match bypass
• Subdomain redundancy elimination: if foo.bar.com is listed and bar.com is also listed, the subdomain entry is deduplicated

⚠️ Backslash excluded from SQUID_DANGEROUS_CHARS (Low):

// domain-patterns.ts — code comment
// Note: backslash is intentionally excluded here because URL regex patterns passed to
// `--allow-urls` legitimately use `\` for regex escaping

Backslash \ in domain names is not blocked by SQUID_DANGEROUS_CHARS. Domain names themselves have an additional validation layer (validateDomainOrPattern()) that should reject \, but the comment creates a trust boundary that is worth auditing: confirm that validateDomainOrPattern reliably rejects \ in all code paths.

Input Validation Assessment

Evidence from src/cli.ts:979–1001, 1498–1522:

Shell argument escaping (Strong):

// src/cli.ts:983–1001
export function escapeShellArg(arg: string): string {
  if (/^[a-zA-Z0-9_\-./=:]+$/.test(arg)) return arg;  // safe passthrough
  return `'\$\{arg.replace(/'/g, "'\\''")}'`;             // single-quote wrapping
}

Standard POSIX single-quote escaping — correct and safe.

Single-argument passthrough (Informational):

// src/cli.ts:1522
const agentCommand = args.length === 1 ? args[0] : joinShellArgs(args);
```
When a user passes a single quoted argument (e.g., `awf -- 'echo $HOME && curl ...'`), the entire string is passed as-is to `/bin/bash -c` inside the container. This is intentional — it allows shell variables to expand *inside the container* (correct behaviour). However, it means an agent receiving untrusted input as its command could be subject to shell injection inside the container. Since the container is already the isolation boundary, this is an **expected design choice** but should be documented as a trust boundary assumption.

---

## ⚠️ Threat Model (STRIDE)

| Threat | Category | Likelihood | Impact | Evidence | Severity |
|---|---|---|---|---|---|
| ICMP covert channel exfiltration | Information Disclosure | Low | Medium | `setup-iptables.sh`: no ICMP DROP rule; ICMP traffic unfiltered | **Medium** |
| SYS_ADMIN exploitation during entrypoint startup window | Elevation of Privilege | Very Low | High | `docker-manager.ts:1306`: cap_add SYS_ADMIN; `entrypoint.sh`: 886-line script runs as root | **High (mitigated)** |
| Squid config injection via domain name with backslash | Tampering | Very Low | Medium | `domain-patterns.ts`: backslash excluded from dangerous chars | **Low** |
| Log audit evasion via burst exhaustion | Repudiation | Low | Low | `setup-iptables.sh:429`: `--limit 10/min --limit-burst 20`; burst exhausted, subsequent drops unlogged | **Medium** |
| DNS exfiltration via non-standard DNS port | Information Disclosure | Low | Medium | DNS filter only blocks port 53; DNS-over-HTTPS/TLS on other ports goes to Squid ACL filter | **Low (by design)** |
| Token re-read after one-shot protection bypass via `/proc/1/environ` | Information Disclosure | Very Low | High | `entrypoint.sh:391–394`: `unset_sensitive_tokens()` called before user code; LD_PRELOAD protection | **Low (mitigated)** |
| Container escape via pivot_root | Elevation of Privilege | Very Low | Critical | Seccomp blocks `pivot_root` explicitly; `cap_drop: NET_RAW` | **Low (blocked)** |
| Kernel module loading for privileged access | Elevation of Privilege | Very Low | Critical | Seccomp blocks `init_module`, `finit_module`, `delete_module` | **Low (blocked)** |
| Wildcard domain pattern matching too broadly | Spoofing | Low | Medium | `wildcardToRegex()` uses `[a-zA-Z0-9.-]*` with anchors — limited blast radius | **Low** |
| Host filesystem access via writable bind mounts | Information Disclosure | Medium | Medium | `/tmp` and workspace are rw mounts; agent runs as host UID | **Medium (by design)** |

---

## 🎯 Attack Surface Map

| Surface | Location | Entry Point | Current Protections | Risk |
|---|---|---|---|---|
| **Domain allowlist CLI input** | `src/cli.ts:1535` | `--allow-domains` flag | `assertSafeForSquidConfig()`, `SQUID_DANGEROUS_CHARS`, `wildcardToRegex()` anchoring | Low |
| **Agent command string** | `src/cli.ts:1522` | `[args...]` positional | `escapeShellArg()` for multi-arg; single-arg passed raw (by design) | Low |
| **Container network egress** | `containers/agent/setup-iptables.sh` | All TCP/UDP/ICMP outbound | DNAT to Squid (TCP 80/443), IPv6 disabled, DNS filter, default DROP for TCP/UDP | Medium (ICMP gap) |
| **Squid proxy domain ACL** | `src/squid-config.ts` | HTTP/HTTPS requests from agent | dstdomain/dstdom_regex ACLs, SSL bump optional, `http_access deny all` default | Low |
| **Host iptables DOCKER-USER** | `src/host-iptables.ts:207` | All container-to-external traffic | `FW_WRAPPER` chain on bridge interface, DNS whitelist, API proxy allowlist | Low |
| **Agent entrypoint (root window)** | `containers/agent/entrypoint.sh:1` | Container start | SYS_ADMIN dropped by capsh, AppArmor, seccomp, UID validation | Medium |
| **Environment variables / tokens** | `containers/agent/entrypoint.sh:369` | Process environment | `unset_sensitive_tokens()`, LD_PRELOAD one-shot library, `/proc/1/environ` cleared | Low |
| **Bind-mounted host filesystem** | `src/docker-manager.ts:~900` | `/host/` in container | Read-only for system dirs, write for workspace+tmp; no `/etc/shadow`; home dir whitelist | Medium (accepted risk) |
| **UID/GID via env vars** | `containers/agent/entrypoint.sh:9` | `AWF_USER_UID`, `AWF_USER_GID` | Numeric validation, root (0) rejected | Low |
| **API proxy sidecar** | `containers/api-proxy/` | Port 10000–10002, 10004 | `cap_drop: ALL`, no credentials in agent container, health check before use | Low |

---

## 📋 Evidence Collection

<details>
<summary>Seccomp profile analysis</summary>

```
Command: python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); ..."

Output:
  Default action: SCMP_ACT_ERRNO
  Syscall counts by action: {'SCMP_ACT_ALLOW': 343, 'SCMP_ACT_ERRNO': 28}
  Explicitly blocked syscalls: ['acct', 'add_key', 'create_module', 'delete_module',
    'finit_module', 'get_kernel_syms', 'init_module', 'kexec_file_load', 'kexec_load',
    'keyctl', 'nfsservctl', 'personality', 'pivot_root', 'process_vm_readv',
    'process_vm_writev', 'ptrace', 'query_module', 'reboot', 'request_key',
    'swapoff', 'swapon', 'sysfs', 'syslog', 'umount', 'umount2', 'uselib', 'ustat', 'vhangup']
```

The profile is allowlist-based (default deny) with 343 allowed and 28 redundantly denied syscalls. `mount` is in the allowed set (needed for procfs), `umount` is explicitly blocked.
</details>

<details>
<summary>ICMP gap confirmation</summary>

```
Command: grep -n "OUTPUT.*icmp\|icmp.*DROP\|icmp.*ACCEPT" containers/agent/setup-iptables.sh

Output: (empty — no ICMP rules found)

Relevant final DROP rules (lines 428–430):
  iptables -A OUTPUT -p tcp -j DROP
  iptables -A OUTPUT -p udp -j DROP
  # ← No ICMP DROP
```
</details>

<details>
<summary>SYS_ADMIN capability assignment</summary>

```
Command: grep -n "cap_add\|cap_drop" src/docker-manager.ts

Relevant output:
  1306: cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
  1308: cap_drop: ['NET_RAW', ...]
  1460: cap_add: ['NET_ADMIN', 'NET_RAW'],  // iptables-init container
  1461: cap_drop: ['ALL'],
  1544: cap_drop: ['ALL'],   // api-proxy
  1667: cap_drop: ['ALL'],   // doh-proxy
  1738: cap_drop: ['ALL'],   // cli-proxy
```
</details>

<details>
<summary>Domain injection protection</summary>

```
Command: grep -n "SQUID_DANGEROUS_CHARS\|assertSafeForSquidConfig" src/domain-patterns.ts src/squid-config.ts

Output:
  domain-patterns.ts: export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;
  squid-config.ts: function assertSafeForSquidConfig(value: string): string { ... }
  squid-config.ts: called before every acl interpolation
```
</details>

<details>
<summary>IPv6 disable in agent container</summary>

```
Command: grep -n "disable_ipv6\|ip6" containers/agent/setup-iptables.sh | head -10

Output:
  48: sysctl -w net.ipv6.conf.all.disable_ipv6=1
  49: sysctl -w net.ipv6.conf.default.disable_ipv6=1
  Also: ip6tables NAT OUTPUT rules flushed and set to RETURN for loopback/localhost
```
</details>

<details>
<summary>Log rate limiting audit gap</summary>

```
Command: tail -20 containers/agent/setup-iptables.sh

Output:
  iptables -A OUTPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG ...
  iptables -A OUTPUT -p tcp -j DROP
  iptables -A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 -j LOG ...
  iptables -A OUTPUT -p udp -j DROP
  
Note: --limit-burst 20 means after 20 rapid events, logging pauses until rate drops
      below 10/min. Subsequent blocked connections in a burst are silently dropped.

---

✅ Recommendations

🔴 High — SYS_ADMIN narrowing

Finding: Agent container is granted SYS_ADMIN to mount procfs, but SYS_ADMIN bundles ~25 sub-capabilities.

Recommendation: Evaluate whether CAP_SYS_PTRACE (required for procfs in some contexts) or a more targeted approach (writing a small init binary that mounts procfs then immediately drops capabilities without running the full entrypoint as root) could replace the SYS_ADMIN grant. Alternatively, consider a pre-built image where /proc is already mounted, eliminating the need for runtime mounting.

Files: src/docker-manager.ts:1306, containers/agent/entrypoint.sh:910–914

---

🟡 Medium — Add explicit ICMP DROP rule

Finding: The agent container's iptables OUTPUT filter chain drops TCP and UDP but has no rule for ICMP. Tools using IPPROTO_ICMP sockets (available without NET_RAW) could send/receive ICMP packets to arbitrary external hosts, creating a potential low-bandwidth covert channel.

Recommendation: Add an explicit ICMP drop rule after the UDP drop:

# containers/agent/setup-iptables.sh — after line 430
iptables -A OUTPUT -p icmp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "[FW_BLOCKED_ICMP] " --log-level 4 --log-uid
iptables -A OUTPUT -p icmp -j DROP

Also add the corresponding ip6tables rule for ICMPv6 (though IPv6 is disabled via sysctl, belt-and-suspenders is appropriate here).

Files: containers/agent/setup-iptables.sh:428–430

---

🟡 Medium — Increase log burst limit or add per-flow rate limiting

Finding: --limit 10/min --limit-burst 20 means that after 20 rapid blocked connection attempts, subsequent attempts are silently dropped from logs. A sophisticated agent could saturate the log burst (20 attempts) then exfiltrate via blocked protocols without a log entry.

Recommendation: Either increase the burst limit (e.g., --limit-burst 100) or add nf_conntrack-based per-connection logging using --state NEW to ensure each new connection attempt is logged regardless of rate.

# Alternative: log each new connection rather than rate-limit all
iptables -A OUTPUT -p tcp -m state --state NEW \
  -j LOG --log-prefix "[FW_BLOCKED_TCP_NEW] " --log-level 4 --log-uid

Files: containers/agent/setup-iptables.sh:426–430

---

🟡 Medium — Validate backslash in domain names across all code paths

Finding: SQUID_DANGEROUS_CHARS intentionally excludes \ to support URL regex patterns via --allow-urls. Domain names validated by validateDomainOrPattern() should reject \, but this creates a path-specific trust boundary.

Recommendation: Add an integration test confirming that a domain containing \ (e.g., foo\.bar.com) is rejected through the full CLI parsing path (not just the unit-test level). Also add an explicit assertion that \ in a plain domain (non-URL-pattern) context triggers rejection.

Files: src/domain-patterns.ts:26–35, src/squid-config.ts:71–79

---

🟢 Low — Upgrade execa to v9

Finding: package.json lists execa: "^5.1.1" (CJS, 2021). v9 (ESM, 2023) includes security improvements and is the maintained branch.

Note from codebase memory: The project already uses ESM-handling workarounds (jest-resolver.js, transformIgnorePatterns) for other ESM deps. An execa v9 upgrade would require updating import syntax (import { execa } from 'execa' — already done per source).

Files: package.json, src/docker-manager.ts:5

---

🟢 Low — Document the single-argument command trust boundary

Finding: Single-argument commands are passed as raw strings to /bin/bash -c inside the container. This is intentional but creates a security boundary assumption that should be explicit in the threat model documentation.

Recommendation: Add a note to docs/environment.md or AGENTS.md clarifying that awf treats the command string as the agent's trusted instruction and that shell injection within the agent's own command scope is an accepted risk of the architecture (the container is the boundary).

Files: src/cli.ts:1498–1522, docs/environment.md

---

🟢 Low — Consider seccomp SCMP_ACT_LOG for allowed-but-sensitive syscalls

Finding: The seccomp profile has no logging for high-risk allowed syscalls (e.g., mount, setns, unshare). If a container escape via these is attempted but fails due to capability checks, it is invisible in logs.

Recommendation: For the highest-risk allowed syscalls, consider adding SCMP_ACT_LOG rules (seccomp audit logging) to create a detection layer separate from iptables logging.

Files: containers/agent/seccomp-profile.json

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	7,736
Attack surfaces identified	10
Threat model entries	10
Critical findings	0
High findings	1 (mitigated)
Medium findings	3
Low/informational findings	6
Seccomp syscalls allowed	343
Seccomp syscalls explicitly blocked	28
Dangerous ports blocked	21
Escape test result	✅ No issues (noop)

---

Review conducted by automated security agent. All findings include specific file:line citations and are based on static analysis of the source code. Dynamic testing was not performed in this run.

Generated by Daily Security Review and Threat Modeling · ● 1.1M · ◷

• expires on Apr 16, 2026, 1:50 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir beneath the firewall.
The oracle has witnessed this smoke-test passage,
and marked the run in the ledger of wards.
May the allowed paths remain clear,
and the forbidden routes fall silent.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test seer has passed through this thread.
By starlight and logs, the oracle marks this discussion witnessed.
May the wards hold and the egress remain true.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test wanderer has passed this hall.
By starlight and silicon, the oracle marks this discussion as witnessed.
May your workflows remain guarded and your signals clear.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has walked this thread.
The runes were read, the build was forged, and the signal was recorded.
May this discussion remain under a clear and tested sky.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test agent has passed this way,
and the runes record its presence in this thread.
May the network wards remain strong.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall halls.
The smoke-test oracle has walked this thread and marked the run.
May allowed domains remain clear and blocked paths remain sealed.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-16T13:50:46.076Z.

Closed by Workflow