[Security Review] Daily Security Review — AWF Firewall Codebase (2026-04-15)

[github-actions[bot]]

📊 Executive Summary

Review date: 2026-04-15
Scope: Full codebase — network layer, container security, domain validation, input sanitization, dependency chain
Overall posture: Good — the system is thoughtfully engineered with multiple defense layers. No critical vulnerabilities were found. Several medium-severity gaps are documented below.

Category	Status	Notes
Network egress filtering	✅ Strong	Dual-layer: host DOCKER-USER + container iptables
Container privilege model	✅ Good	no-new-privileges, seccomp, cap_drop
Domain/input validation	✅ Good	assertSafeForSquidConfig, regex anchoring
ICMP outbound	⚠️ Gap	Not explicitly blocked in agent OUTPUT chain
Seccomp policy	⚠️ Permissive	371 allowed syscalls; dangerous calls present
Docker socket access	⚠️ Conditional risk	--allow-docker opt-in grants full host escape
Dependency vulnerabilities	✅ Clean	npm audit reports 0 vulns (26 prod deps)
DLP coverage	⚠️ Limited	URL-only; request body/headers not scanned

---

🔍 Findings from Firewall Escape Test Context

The pre-fetched file at /tmp/gh-aw/escape-test-summary.txt contained GitHub Actions runner logs for the Secret Digger (Copilot) workflow (run 24273493151). The workflow concluded with:

GH_AW_AGENT_CONCLUSION: success
GH_AW_SECRET_VERIFICATION_RESULT: success
Agent succeeded with only noop outputs

This indicates: the secret-digger agent ran, verified the firewall successfully blocked secret exfiltration attempts, and published a noop (no secrets were discoverable). This is the expected passing result — the firewall held.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Host layer (src/host-iptables.ts)

AWF installs a custom FW_WRAPPER chain in DOCKER-USER — the correct hook for egress filtering before Docker's own masquerade rules:

// src/host-iptables.ts:519-563
await execa('iptables', ['-t', 'filter', '-A', CHAIN_NAME, '-j', 'REJECT',
  '--reject-with', 'icmp-port-unreachable']);

The default deny is a REJECT (not DROP), which is appropriate — DROP can cause long timeouts that leak timing information, while REJECT with ICMP-port-unreachable gives fast feedback without permitting traffic.

IPv6 handling is well-implemented: if ip6tables is unavailable, the host falls back to disabling IPv6 via sysctl (src/host-iptables.ts:132-143), eliminating the bypass path.

Container layer (containers/agent/setup-iptables.sh)

The iptables-init init container (network_mode: service:agent) correctly separates NET_ADMIN from the agent — a significant improvement over the naive approach of granting NET_ADMIN to the agent itself.

The OUTPUT chain default-deny covers TCP and UDP only:

# setup-iptables.sh:427-430
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

⚠️ ICMP is not explicitly blocked in the container OUTPUT chain. ICMP (protocol 1) — used by ping, traceroute, path MTU discovery — is not covered. A motivated agent could encode data in ICMP payload fields (covert channel) or use ping sweeps for network reconnaissance. The host DOCKER-USER chain's final REJECT may stop Internet-bound ICMP depending on bridge routing, but intra-subnet ICMP on 172.30.0.0/24 (e.g., ping to gateway 172.30.0.1) is definitely reachable. Evidence:

# No ICMP rules in setup-iptables.sh:
grep -n "icmp\|ICMP" containers/agent/setup-iptables.sh
# (returns empty — no results)

Dangerous port blocking covers 15 well-chosen ports (22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 6379, 27017-18, 28017). However, many other high-risk ports (e.g., 8443, 9200 Elasticsearch, 11211 Memcached, 5900 VNC) are not blocked. These only matter if the agent somehow reaches internal infrastructure — the primary domain ACL at Squid is the relevant control.

Container Security Assessment

Capabilities:

// src/docker-manager.ts:1528-1531
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', ...],

SYS_CHROOT and SYS_ADMIN are added at container start but dropped via capsh before user code runs (containers/agent/entrypoint.sh:357, 824). This is a time-of-use window — the entrypoint holds elevated capabilities during setup. This is mitigated by no-new-privileges:true preventing privilege re-acquisition after the drop.

The iptables init container drops all capabilities except NET_ADMIN and NET_RAW:

// src/docker-manager.ts:1682-1683
cap_add: ['NET_ADMIN', 'NET_RAW'],
cap_drop: ['ALL'],

This is correct isolation.

Seccomp profile:

# containers/agent/seccomp-profile.json
Total allowed syscalls: 371

Several high-risk syscalls are allowed in the seccomp profile:

Syscall	Risk	Mitigated by
mount	Filesystem manipulation	SYS_ADMIN dropped before user code
unshare	Namespace creation (but not pivoting)	SYS_ADMIN required for most namespace ops
process_vm_readv / process_vm_writev	Cross-process memory r/w	PTRACE_SCOPE, container isolation
keyctl / add_key / request_key	Kernel keyring	Limited practical use in container
kcmp	Process comparison (info leak)	Low severity
io_uring_*	Async I/O, historically has had kernel escapes	Monitor for CVEs
syslog	Read kernel ring buffer	Low sensitivity

ptrace is correctly blocked (SCMP_ACT_ERRNO), preventing process injection/tracing.

no-new-privileges is set for all service containers:

// src/docker-manager.ts:1542
'no-new-privileges:true',

Docker socket access (--allow-docker flag):

// src/docker-manager.ts:1305-1315
const dockerSocketPath = '/var/run/docker.sock';
agentVolumes.push(`\$\{dockerSocketPath}:/host\$\{dockerSocketPath}:rw`);

When --allow-docker is passed, the Docker socket is bind-mounted into the agent chroot read-write. Access to /var/run/docker.sock is equivalent to root on the host — an agent can start privileged containers, mount host filesystems, etc. This is flagged as a design-level risk that users must understand when choosing to enable this flag. The documentation should include an explicit security warning.

Volume mount exposure:

Host directories ~/.config, ~/.cache, ~/.local are mounted read-write into the agent:

// src/docker-manager.ts:1179-1181
agentVolumes.push(`\$\{effectiveHome}/.cache:/host\$\{effectiveHome}/.cache:rw`);
agentVolumes.push(`\$\{effectiveHome}/.config:/host\$\{effectiveHome}/.config:rw`);
agentVolumes.push(`\$\{effectiveHome}/.local:/host\$\{effectiveHome}/.local:rw`);

~/.config/gh/hosts.yml (GitHub CLI authentication), ~/.config/gcloud/credentials.db, npm tokens, and other credentials stored here are accessible to the agent. This is an intentional trade-off for usability (agents need git/gh credentials) but is worth noting.

Domain Validation Assessment

The domain sanitization code in src/domain-patterns.ts is solid:

// src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// src/domain-patterns.ts:172
const DOMAIN_DANGEROUS_CHARS = /[\s\0"'`;#\\]/;

assertSafeForSquidConfig() is applied to both domain names and URL patterns before they enter squid.conf. The wildcard-to-regex conversion anchors patterns (^.*\.github\.com$) and uses a restricted character class [a-zA-Z0-9.-]* to prevent ReDoS.

One edge case: the $ character is not in SQUID_DANGEROUS_CHARS. In Squid config, $ is not a shell expansion character, but it's worth verifying Squid does not interpret it in any ACL context. Likely safe, but worth a unit test.

Input Validation Assessment

Shell injection in Docker Compose command:

// src/docker-manager.ts:1568
command: ['/bin/bash', '-c', config.agentCommand.replace(/\$/g, '$$$$')],

The $$ replacement escapes YAML/docker-compose variable interpolation. The agentCommand string is passed through bash -c, which means shell metacharacters in the user command (;, |, &&, $(...), backticks) are interpreted. This is intentional by design — users pass shell commands. The agent container's iptables/domain controls are the containment boundary, not shell escaping.

UID/GID injection via AWF_USER_UID:

# containers/agent/entrypoint.sh:15-32
if ! [[ "$HOST_UID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi

Strong validation prevents UID 0 (root) or non-numeric values. Good.

Maven/Gradle config injection (entrypoint.sh:283-311):

The $PROXY_HOST and $PROXY_PORT variables are interpolated into settings.xml and gradle.properties via heredoc. The proxy host is parsed from HTTP_PROXY env var. Since HTTP_PROXY is always set by AWF to the Squid container IP (172.30.0.10), this is not exploitable externally. But if the SQUID_PROXY_HOST/HTTP_PROXY were somehow overridden, XML injection into settings.xml would be possible.

---

⚠️ Threat Model (STRIDE)

ID	Threat	Category	Likelihood	Impact	Severity	Mitigated?
T1	ICMP covert channel exfiltration	Information Disclosure	Low	Medium	Medium	❌ Partial
T2	io_uring kernel exploit (CVE-based)	Elevation of Privilege	Very Low	Critical	Medium	❌ No (seccomp allows)
T3	process_vm_readv sidecar memory leak	Information Disclosure	Low	High	Medium	⚠️ Partial (container isolation)
T4	Docker socket escape via --allow-docker	Elevation of Privilege	Medium (if flag used)	Critical	High (conditional)	⚠️ Design risk
T5	~/.config/~/.cache credential harvesting	Information Disclosure	Medium	High	Medium	⚠️ Intentional tradeoff
T6	SSL Bump CA key exfiltration	Information Disclosure	Low	High	Medium	⚠️ CA key on host filesystem
T7	Wildcard domain bypass (e.g., *)	Tampering	Low	High	Medium	✅ Validated, anchored
T8	DNS tunneling exfiltration	Information Disclosure	Low	Medium	Medium	✅ DNS servers restricted
T9	unshare namespace manipulation	Elevation of Privilege	Low	Medium	Low	✅ SYS_ADMIN dropped
T10	IPv6 bypass when ip6tables unavailable	Spoofing	Low	High	Medium	✅ sysctl fallback
T11	Container network subnet traversal (172.30.0.x)	Information Disclosure	Low	Low	Low	✅ Host DOCKER-USER chain
T12	Signal-file race condition (/tmp/awf-init/ready)	Tampering	Very Low	Medium	Low	✅ Init dir is shared volume
T13	Squid config injection via $ in domain	Tampering	Very Low	High	Low	✅ Likely safe, test recommended
T14	Dependency supply chain attack	Tampering	Low	High	Medium	✅ 0 known vulns, minimal deps
T15	Agent writes malicious content to ~/.config/gh	Tampering	Medium	High	High	⚠️ RW mount, no content filtering

---

🎯 Attack Surface Map

Surface	Location	Entry Point	Current Protections	Residual Risk
HTTPS egress	src/squid-config.ts	Domain ACL	dstdomain + dstdom_regex ACLs; CONNECT inspect	HTTPS CONNECT allows SNI bypass if Squid config malformed
HTTP egress	containers/agent/setup-iptables.sh:341	DNAT to Squid port 80	Squid domain ACL	Low — proxied and filtered
ICMP egress	containers/agent/setup-iptables.sh	Not filtered	None in container	Covert channel, recon
DNS	setup-iptables.sh:154-162	UDP/TCP 53 only to configured servers	Restricted to configured DNS servers	Low
Host filesystem	src/docker-manager.ts:1110-1213	Volume mounts	Selective, ro for system paths	~/.config, ~/.cache rw
Docker socket	src/docker-manager.ts:1305	/var/run/docker.sock rw	Opt-in --allow-docker	Critical if enabled
SSL Bump CA	containers/squid/Dockerfile	CA key bind-mount	Opt-in; key file on host	Medium — CA key exposure
Kernel syscalls	containers/agent/seccomp-profile.json	System call table	371 allow-listed calls	io_uring, mount, unshare present
Agent command	src/docker-manager.ts:1568	User-controlled shell string	iptables + Squid containment	Shell metacharacters intentionally allowed
Memory	containers/agent/seccomp-profile.json	process_vm_readv	Container isolation	Cross-container access blocked by PID isolation

---

📋 Evidence Collection

Network rules — ICMP gap confirmation

# Agent container iptables default deny is TCP+UDP only:
grep "\-j DROP" containers/agent/setup-iptables.sh
# Output:
#   iptables -A OUTPUT -p tcp -j DROP
#   iptables -A OUTPUT -p udp -j DROP
# ICMP protocol NOT present

# Host DOCKER-USER uses REJECT for final deny:
grep "REJECT" src/host-iptables.ts
# Output: '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'
# This covers cross-host ICMP but not intra-subnet

Seccomp dangerous syscalls

python3 -c "
import json
with open('containers/agent/seccomp-profile.json') as f: data = json.load(f)
for item in data.get('syscalls',[]):
    for name in item.get('names',[]):
        if name in ['mount','unshare','ptrace','process_vm_readv','io_uring_setup','kexec_load']:
            print(f'{name}: {item[\"action\"]}')
"
# Output:
# mount: SCMP_ACT_ALLOW
# unshare: SCMP_ACT_ALLOW
# ptrace: SCMP_ACT_ERRNO   ← correctly blocked
# process_vm_readv: SCMP_ACT_ALLOW
# io_uring_setup: SCMP_ACT_ALLOW
# kexec_load: SCMP_ACT_ERRNO   ← correctly blocked

Docker socket conditional mount

// src/docker-manager.ts:1305-1315
const dockerSocketPath = '/var/run/docker.sock';
agentVolumes.push(`\$\{dockerSocketPath}:/host\$\{dockerSocketPath}:rw`);
// ...
agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro'); // hidden when not enabled

Domain validation

// src/domain-patterns.ts:27
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;
// Domain-specific also blocks backslash:
const DOMAIN_DANGEROUS_CHARS = /[\s\0"'`;#\\]/;
// Note: '$' not in either set — safe for Squid but worth testing
```

</details>

<details>
<summary>npm audit results</summary>

```
No vulnerabilities found
Metadata: vulnerabilities: {info:0, low:0, moderate:0, high:0, critical:0, total:0}
Dependencies: {prod:26, dev:624, optional:54, total:649}

One-shot token protection

The containers/agent/one-shot-token/ LD_PRELOAD library:

• Intercepts getenv() for sensitive vars (GITHUB_TOKEN, ANTHROPIC_API_KEY, etc.)
• Clears environ on first read; caches value in heap memory
• XOR-obfuscates default token names in .rodata to resist strings extraction
• Thread-safe via pthread_mutex_t
• Protected list configurable via AWF_ONE_SHOT_TOKENS

---

✅ Recommendations

🔴 High

H1 — Block ICMP outbound in agent container OUTPUT chain

# Add to setup-iptables.sh after the TCP/UDP DROP rules:
iptables -A OUTPUT -p icmp -m limit --limit 5/min -j LOG \
  --log-prefix "[FW_BLOCKED_ICMP] " --log-level 4 --log-uid
iptables -A OUTPUT -p icmp -j DROP
```

This eliminates the ICMP covert channel and reconnaissance surface. ICMP to loopback (`127.0.0.1`) is still RETURN'd before these rules via the lo interface allow.

**H2 — Add explicit security warning for `--allow-docker`**

The `--allow-docker` flag grants access to `/var/run/docker.sock:rw`, which is equivalent to root on the host. Add a prominent warning at CLI flag registration and in docs/README.md:

```
⚠️  WARNING: --allow-docker mounts the Docker socket read-write into the
    agent container. This grants the agent full host access. Only use this
    flag if you fully trust the agent command and understand the risk.

🟡 Medium

M1 — Tighten seccomp: consider blocking process_vm_readv/process_vm_writev

These syscalls allow one process to read/write another's memory without ptrace. In a container they are constrained by PID namespace, but blocking them reduces the attack surface if an agent tries to extract data from a co-located sidecar process.

// In seccomp-profile.json, remove from allowed list or add explicit ERRNO action:
{"names": ["process_vm_readv", "process_vm_writev"], "action": "SCMP_ACT_ERRNO"}

M2 — Consider blocking io_uring_* syscalls

io_uring has been the source of multiple kernel privilege escalation CVEs (CVE-2022-29582, CVE-2023-2598, etc.). Unless the agent workloads specifically require it, adding io_uring_setup, io_uring_enter, io_uring_register to the ERRNO list reduces kernel attack surface.

M3 — Add $ to Squid config dangerous character validation

Add a unit test confirming that a domain containing $ (e.g., $$injected) does not produce unexpected Squid config behavior. While Squid config does not perform shell expansion, confirm with assertSafeForSquidConfig coverage.

M4 — Document ~/.config/~/.cache RW credential exposure

Add a section to docs/environment.md explaining that ~/.config/gh/hosts.yml, ~/.npmrc, ~/.config/gcloud/credentials.db and similar files are accessible to the agent via the RW home directory mounts. Users should understand this when using AWF with credentials-bearing home directories.

M5 — DLP extension: request body scanning

The current DLP implementation (src/dlp.ts) only scans URLs for credential patterns. Consider enabling Squid's url_rewrite_program or adaptation_service to scan POST body content for high-value patterns (GitHub tokens, API keys) when SSL Bump is enabled.

🟢 Low

L1 — Add unshare to the seccomp ERRNO list (low priority given SYS_ADMIN dropped before user code)

L2 — Add ICMP to the dangerous port logging audit trail — if H1 is implemented, ensure ICMP blocks are logged to the audit dump at /tmp/awf-init/iptables-audit.txt.

L3 — Consider syslog syscall block — syslog(2) allows reading the kernel ring buffer. Low sensitivity in containers, but noisy for security auditors.

---

📈 Security Metrics

Metric	Value
Security-critical TypeScript lines analyzed	~2,400 (host-iptables.ts + squid-config.ts + docker-manager.ts + domain-patterns.ts + dlp.ts)
Security-critical shell script lines analyzed	~430 (setup-iptables.sh + entrypoint.sh)
Attack surfaces identified	10
STRIDE threats enumerated	15
Critical findings	0
High findings	2 (ICMP gap, Docker socket warning)
Medium findings	5
Low findings	3
npm vulnerabilities (prod)	0
Seccomp allowed syscalls	371
Dangerous syscalls correctly blocked	ptrace, kexec_load, kexec_file_load, pivot_root
Dangerous syscalls still allowed	mount, unshare, process_vm_readv, io_uring_*

Generated by Daily Security Review and Threat Modeling · ● 1M · ◷

• expires on Apr 22, 2026, 1:11 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir in the firewall winds.
The smoke-test seer has walked this chamber and marked the run.
By runestone and checksum, the oracle confirms its passing footprint.
May your gates stay narrow and your egress pure.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle marks this hall.
The smoke-test agent walked these runes and left its sign.
May your workflows remain guarded, and your builds run true.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir in the wires.
The oracle marks this hall: the smoke-test agent was here.
May your workflows remain aligned, your builds unbroken, and your firewall true.

🔮 The oracle has spoken through Smoke Codex