[Security Review] Daily Security Review — 2026-04-13

[github-actions[bot]]

📊 Executive Summary

Review date: 2026-04-13
Reviewer: Automated security agent (Claude Sonnet 4.6)
Scope: Full codebase — network controls, container hardening, input validation, credential handling, supply-chain, dependency health
Security posture: Good — defence-in-depth is well-implemented. No critical vulnerabilities found. Several medium/low items warrant attention.

Category	Rating
Network egress control	✅ Strong
Container isolation	✅ Strong
Credential protection	✅ Strong
Domain/input validation	✅ Strong
Dependency health	✅ Clean (0 CVEs)
Optional-feature risk surface	⚠️ Medium
SSL Bump key handling	⚠️ Low

---

🔍 Findings from Prior Firewall Escape Test (Secret Digger — Copilot)

Workflow run: secret-digger-copilot @ 2026-04-11T03:25
Conclusion: success — agent produced only noop safe outputs
Secret verification result: success

The Secret Digger agent was unable to exfiltrate secrets or find exposed credentials, confirming that:

• Token protection (one-shot-token LD_PRELOAD + unset_sensitive_tokens) is functioning
• Domain allow-listing is blocking exfiltration channels
• The firewall passed an adversarial escape attempt with no leakage detected

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered from: src/host-iptables.ts (703 lines), containers/agent/setup-iptables.sh (460 lines), src/squid-config.ts (855 lines)

Host-level (DOCKER-USER chain / FW_WRAPPER):

Evidence: src/host-iptables.ts:301-416
- Creates FW_WRAPPER chain inserted into DOCKER-USER
- Allows only 172.30.0.0/24 (awf-net) traffic outbound
- Drops all other Docker container traffic by default

Container-level DNAT (setup-iptables.sh):

# Key rules observed:
iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN      # Skip DNAT for Squid itself
iptables -t nat -A OUTPUT -o lo -j RETURN                # Loopback allowed
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN      # Localhost allowed
# Docker embedded DNS preserved (127.0.0.11 DNAT rules restored after flush)
# DNS restricted to AWF_DNS_SERVERS only
# DNAT port 80/443 → Squid:3128 as defence-in-depth fallback
```

**IPv6 handling:**

```
Evidence: src/host-iptables.ts:348, setup-iptables.sh grep "disable_ipv6"
- If ip6tables available: FW_WRAPPER_V6 chain created, IPv6 egress filtered
- If ip6tables unavailable: IPv6 disabled via sysctl (net.ipv6.conf.all.disable_ipv6=1)
- Both paths prevent unfiltered IPv6 bypass — defence-in-depth applied

Dangerous ports blocked in Squid config:

// src/squid-config.ts:14-31
const DANGEROUS_PORTS = [22,23,25,110,143,445,1433,1521,3306,3389,5432,5984,
                          6379,6984,8086,8088,9200,9300,27017,27018,28017];
```

**Raw IP access blocked:**

```
// src/squid-config.ts:590,707,716
# Prevents bypassing domain-based filtering via direct IP connections
# Denies requests to raw IPv4/IPv6 addresses

Assessment: Network architecture is layered (L3 iptables + L7 Squid) and covers known bypass vectors including raw IP access, IPv6 tunneling, and DNS exfiltration.

---

Container Security Assessment

Evidence gathered from: src/docker-manager.ts (2934 lines), containers/agent/entrypoint.sh (911 lines), containers/agent/seccomp-profile.json

Capability model:

Container	cap_add	cap_drop	Notes
iptables-init	NET_ADMIN, NET_RAW	ALL	Short-lived; exits after iptables setup
agent (startup)	SYS_CHROOT, SYS_ADMIN	—	Needed for procfs mount and chroot
agent (user code)	—	SYS_CHROOT, SYS_ADMIN	Dropped via capsh before user code runs
squid, api-proxy, cli-proxy	—	ALL	No extra capabilities

// Evidence: src/docker-manager.ts:1385-1393
// SECURITY: NET_ADMIN is NOT granted to the agent container.
// SYS_ADMIN is required to mount procfs at /host/proc
// Security: SYS_CHROOT and SYS_ADMIN are dropped before running user commands
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
```

**Seccomp profile:**

```
Evidence: containers/agent/seccomp-profile.json
Default action: SCMP_ACT_ERRNO (deny-by-default)
Total syscall rules: 371
  SCMP_ACT_ALLOW:  343 (explicit allowlist)
  SCMP_ACT_ERRNO:  28  (explicit blocks — defence-in-depth)

Explicitly blocked:
  ptrace, process_vm_readv, process_vm_writev  (process inspection)
  kexec_load, kexec_file_load, reboot, init_module, finit_module (kernel tampering)
  pivot_root, umount, umount2  (namespace/mount manipulation)
  add_key, request_key, keyctl (kernel keyring)

no-new-privileges:

// Evidence: src/docker-manager.ts (confirmed in tests at lines 1252-1253, 2249, 2907, 3089)
security_opt: ['no-new-privileges:true', 'seccomp=<profile>']

Docker socket access:

// Evidence: src/docker-manager.ts:1176-1180
// Hide Docker socket to prevent firewall bypass via 'docker run'
agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro');
agentVolumes.push('/dev/null:/host/run/docker.sock:ro');
// Both paths masked — covers both canonical path and symlink

UID/GID validation:

// Evidence: containers/agent/entrypoint.sh, src/docker-manager.ts:109
// Prevent setting UID/GID to 0 (root) which defeats the privilege drop
if UID == 0: reject with error

Assessment: Container hardening is rigorous. The separation of NET_ADMIN into a dedicated short-lived init container is a strong design decision that eliminates the window during which the agent holds network admin privileges.

---

Domain Validation Assessment

Evidence gathered from: src/domain-patterns.ts (343 lines), src/squid-config.ts

Injection prevention:

// Evidence: src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// Evidence: src/squid-config.ts (assertSafeForSquidConfig function)
function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(`SECURITY: Domain or pattern contains characters unsafe for Squid config...`);
  }
  return value;
}
```

**Wildcard restrictions (from tests at src/domain-patterns.test.ts:212-231):**

```
'*.'      → throws "too broad"
'.*'      → throws "too broad"
'*'       → throws "matches all domains"
'*.*'     → throws "too broad"
'*.*.*'   → throws "too broad"
'*.*.com' → throws "too many wildcard segments"
```

**Config injection tests:**

```
'evil.com\nhttp_access allow all'  → throws "contains invalid character"
'evil.com\rhttp_access allow all'  → throws "contains invalid character"

Observation: Backslash (\) is not included in SQUID_DANGEROUS_CHARS but is checked separately in validateDomainOrPattern() per the comment at domain-patterns.ts:25. Defense is applied at two independent validation layers.

---

Input Validation Assessment

Shell argument escaping:

// Evidence: src/cli.ts:1050-1068
export function escapeShellArg(arg: string): string {
  if (/^[a-zA-Z0-9_\-./=:]+$/.test(arg)) {
    return arg;
  }
  return `'\$\{arg.replace(/'/g, "'\\''")}'`;
}
```

This is a correct implementation of POSIX single-quote escaping (CERT-C MSC41-C compliant).

**execa usage — no shell: true:**

```
Evidence: grep -rn "shell.*true" src/ → 0 results

All execa calls use array-form arguments (not string-form), so no shell metacharacter injection is possible via exec arguments.

no-unsafe-execa suppression (ssl-bump.ts:216):

// Evidence: src/ssl-bump.ts:210-220
await execa('openssl', [
  'req', '-new', '-newkey', 'rsa:2048', ...
  // eslint-disable-next-line local/no-unsafe-execa
  '-subj', `/CN=\$\{commonName}`,
```

The `commonName` value is the SSL Bump CA common name (defaults to `'AWF Session CA'`). This suppresses the local lint rule but the value is not user-controlled — it is hardcoded in `ssl-bump.ts:42`. The risk is **Low**.

---

## ⚠️ Threat Model (STRIDE)

| # | Category | Threat | Likelihood | Impact | Evidence |
|---|---|---|---|---|---|
| T1 | Spoofing | Agent spoofs Squid proxy via HTTPS CONNECT to unauthorized domain | Low | High | Squid ACL enforces domain allow-list; raw IP blocked |
| T2 | Tampering | Agent modifies iptables rules inside container | Very Low | Critical | iptables-init is separate container; agent never holds NET_ADMIN |
| T3 | Tampering | Agent modifies /etc/resolv.conf to use rogue DNS | Low | High | /etc written by entrypoint before cap drop; noexec procfs |
| T4 | Repudiation | Agent actions not attributable (no per-PID audit trail) | Medium | Medium | iptables LOG rules with `--log-uid`; Squid logs client IP; no per-PID correlation |
| T5 | Info Disclosure | Token exfiltration via /proc/1/environ | Low | Critical | `unset_sensitive_tokens()` clears env post-startup; one-shot-token LD_PRELOAD |
| T6 | Info Disclosure | Token re-read by malicious subprocess before unset | Low | Critical | one-shot-token LD_PRELOAD caches and zeroes token on first read (~100ms window) |
| T7 | Info Disclosure | LD_PRELOAD bypass via statically-linked binary | Low | High | Seccomp blocks dangerous syscalls; capability drop limits what can be exec'd |
| T8 | Info Disclosure | SSL Bump CA key exposed in workDir | Low | Medium | Key chmod 0o600 (ssl-bump.ts); workDir on host requires root or awfuser access |
| T9 | DoS | Subnet pool exhaustion from leaked Docker networks | Medium | Medium | Pre-test cleanup + `if: always()` CI cleanup guards; scripts/ci/cleanup.sh |
| T10 | DoS | Memory exhaustion via agent container | Low | Medium | Memory limits configurable via `--memory`; default depends on Docker daemon |
| T11 | Elevation | Docker socket access for container escape | Very Low | Critical | Socket masked with /dev/null by default; `--enable-dind` explicitly warned |
| T12 | Elevation | Pivot via DinD to spawn unrestricted container | Low | Critical | `--enable-dind` documented as firewall bypass; user must opt in |
| T13 | Elevation | chroot escape via SYS_CHROOT before cap drop | Very Low | High | SYS_CHROOT dropped immediately after chroot(); seccomp blocks pivot_root |
| T14 | Elevation | IPv6 egress bypass when ip6tables unavailable | Very Low | High | Mitigated: IPv6 disabled via sysctl when ip6tables absent |
| T15 | Elevation | Custom agent base image supply chain attack | Low | Critical | `validateAgentImage()` allowlist: ubuntu:*, catthehacker/* with optional `@sha256` |

---

## 🎯 Attack Surface Map

| Surface | Entry Point | Current Protection | Risk |
|---|---|---|---|
| Squid domain ACL | `--allow-domains` CLI arg | `validateDomainOrPattern()` + `assertSafeForSquidConfig()` + two-layer injection prevention | Low |
| Host iptables | `src/host-iptables.ts` DOCKER-USER chain | FW_WRAPPER chain; IPv6 fallback to sysctl | Low |
| Container iptables | `setup-iptables.sh` | Separate init container; agent never has NET_ADMIN | Low |
| Docker socket | `/var/run/docker.sock` | Masked to /dev/null by default; DinD requires explicit opt-in with warning | Low |
| Agent base image | `--agent-image` CLI arg | `SAFE_BASE_IMAGE_PATTERNS` regex allowlist in cli.ts | Low |
| Credential env vars | Agent environment | `unset_sensitive_tokens()` + one-shot-token LD_PRELOAD | Low |
| Shell arg injection | User command string | `escapeShellArg()` + execa array-form | Low |
| DinD / `--enable-dind` | Explicit flag | Warning logged; documented firewall bypass | **Medium** |
| `--allow-host-service-ports` | Explicit flag | Bypasses dangerous port restrictions; host-gateway-only | **Medium** |
| `--enable-host-access` default ports | Implicit when localhost used | Broad default port list (12 ports auto-added) | **Medium** |
| SSL Bump CA | `--ssl-bump` flag | Per-session CA; key chmod 0o600; user warned | Low |
| `no-unsafe-execa` suppression | `src/ssl-bump.ts:216` | commonName is hardcoded, not user-controlled | Low |
| DIFC proxy external TLS | `--difc-proxy-host` | CA cert validated; TCP tunnel for SAN matching | Low |

---

## 📋 Evidence Collection

<details>
<summary>Command: npm audit</summary>

```
$ npm audit --json | python3 -c "..."
No vulnerabilities found
Total: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}
```

</details>

<details>
<summary>Command: seccomp profile analysis</summary>

```
$ python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); ..."
Total syscall rules: 371
  SCMP_ACT_ALLOW:  343
  SCMP_ACT_ERRNO:  28
Default action: SCMP_ACT_ERRNO

Explicitly blocked: ptrace, process_vm_readv, process_vm_writev,
  kexec_load, kexec_file_load, reboot, init_module, finit_module,
  delete_module, acct, swapon, swapoff, pivot_root, syslog,
  add_key, request_key, keyctl, uselib, personality, umount, umount2
```

</details>

<details>
<summary>Command: shell:true usage search</summary>

```
$ grep -rn "shell.*true\|{shell}" src/ --include="*.ts"
(0 results — no shell:true in any execa call)
```

</details>

<details>
<summary>Command: Docker socket handling</summary>

```
$ grep -n "docker.sock" src/docker-manager.ts
1171: agentVolumes.push('/var/run/docker.sock:/host/var/run/docker.sock:rw');  [DinD only]
1178: agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro');             [default]
1179: agentVolumes.push('/dev/null:/host/run/docker.sock:ro');                 [symlink]
```

</details>

<details>
<summary>Command: Domain injection protection</summary>

```
$ grep -n "SQUID_DANGEROUS_CHARS" src/domain-patterns.ts
27: export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

Newline/CR injection tests all throw — confirmed in domain-patterns.test.ts:237-245
```

</details>

<details>
<summary>Command: Security-critical source file sizes</summary>

```
$ wc -l src/host-iptables.ts src/docker-manager.ts src/cli.ts src/squid-config.ts \
         src/domain-patterns.ts containers/agent/entrypoint.sh containers/agent/setup-iptables.sh
  703 src/host-iptables.ts
 2934 src/docker-manager.ts
 2344 src/cli.ts
  855 src/squid-config.ts
  343 src/domain-patterns.ts
  911 containers/agent/entrypoint.sh
  460 containers/agent/setup-iptables.sh
 8550 total

---

✅ Recommendations

🔴 Critical

None identified.

🟠 High

H1 — Document and gate --enable-dind more aggressively
src/cli.ts:1454 has a comment noting firewall bypass is possible. Consider adding a required confirmation flag (e.g. --enable-dind-i-understand-firewall-bypass) or an explicit --allow-network-bypass acknowledgement to prevent accidental use in CI pipelines where --enable-dind might be passed silently.

H2 — one-shot-token: statically-linked binary gap
The LD_PRELOAD one-shot-token protection cannot intercept execve into statically-linked binaries (e.g., Go binaries, musl-static builds). If an agent spawns a static binary before the unset window completes, that binary can read /proc/1/environ directly. Mitigation: confirm that unset_sensitive_tokens() executes before any subprocess is spawned, and document the remaining risk.

🟡 Medium

M1 — --enable-host-access default port list is broad
When the user specifies localhost in --allow-domains, 12 dev-server ports are automatically added (3000,3001,4000,4200,5000,5173,8000,8080,8081,8888,9000,9090) via src/cli.ts:1041. If the host runs sensitive services on any of these ports, they become reachable from the agent. Recommend logging the auto-added port list at warn level and allowing users to set --allow-host-ports none to suppress defaults.

M2 — --allow-host-service-ports documents dangerous-port bypass without rate-limiting
src/cli.ts:833: "bypasses dangerous port restrictions for host-local traffic." This is intentional but could allow SSH (22) or database ports to be reached on the host gateway if a user explicitly sets them. Confirm the warning is surfaced clearly in --help output and consider a secondary confirmation mechanism.

M3 — Repudiation gap: no per-process attribution in logs
iptables LOG uses --log-uid (UID) but not PID. Squid logs client IP but not process name. For forensic investigations (e.g., "which subprocess made this blocked connection?"), there is no way to correlate network events to specific process trees. Consider adding auditd or eBPF-based process-to-socket attribution as a future enhancement.

🟢 Low

L1 — SSL Bump CA key in workDir on host filesystem
ssl-bump.ts sets chmod 0o600 on the key, but the workDir /tmp/awf-<ts> is owned by the invoking user. On shared systems (multi-user hosts), if the invoking user is root, the key is adequately protected. On systems where awf runs as a non-root user, the key inherits that user's protections. No change required; document this assumption.

L2 — no-unsafe-execa suppressed in ssl-bump.ts:216
The suppressed call passes -subj /CN=\$\{commonName} where commonName is a hardcoded constant ('AWF Session CA'). The suppression is safe. However, if commonName is ever made configurable, ensure it is validated before use. Add an inline comment explaining this constraint.

L3 — Domain file parsing allows comments but no schema validation
parseDomainsFile() (src/cli.ts) strips # comments but does not enforce any maximum domain count or line length. A very large domains file would not fail gracefully. Add a configurable maximum (e.g., 1000 domains) and document the limit.

---

📈 Security Metrics

Metric	Value
Security-critical source lines analyzed	8,550
Attack surfaces identified	14
Threats modeled (STRIDE)	15
Known CVEs in dependencies	0
shell: true exec calls	0
Seccomp-blocked syscalls	28 explicit + default-deny
Prior escape test result	✅ No leakage (noop)
Critical findings	0
High findings	2
Medium findings	3
Low findings	3

Generated by Daily Security Review and Threat Modeling · ● 804.3K · ◷

• expires on Apr 20, 2026, 1:11 PM UTC