[Security Review] Daily Security Review and Threat Modeling – 2026-03-15

[github-actions[bot]]

📊 Executive Summary

This report presents a comprehensive security review of the gh-aw-firewall (AWF) codebase conducted on 2026-03-15. The review covered network security architecture, container hardening, domain pattern validation, input handling, environment variable management, and dependency security.

Overall posture: Strongly designed with multiple defence-in-depth layers. The architecture demonstrates intentional security engineering. Three findings warrant attention: one High (overly-broad wildcard domain patterns), one High (broad --env-all passthrough), and one Medium (AppArmor unconfined + mount syscall enabled). The remaining findings are informational.

Category	Critical	High	Medium	Low
Network Filtering	0	0	1	0
Container Security	0	0	2	1
Domain Validation	0	1	0	0
Environment Variables	0	1	0	1
Dependencies	0	0	1	0
Total	0	2	4	2

---

🔍 Findings from Firewall Escape Test

The "Firewall Escape Test" workflow was not found in the configured workflow list. The complementary escape-test workflow appears not to exist in this repository. The security review below is therefore based solely on static analysis of the codebase.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

# Command run:
cat containers/agent/setup-iptables.sh
cat src/host-iptables.ts

Two-layer iptables architecture:

Layer 1 — Host (DOCKER-USER chain, src/host-iptables.ts):

• Dedicated FW_WRAPPER chain inserted into DOCKER-USER
• Squid proxy IP is unconditionally allowed outbound (required for proxy function)
• ESTABLISHED/RELATED connections allowed via conntrack
• DNS forwarding only to explicitly configured upstream servers
• IPv6 disabled via sysctl if ip6tables unavailable (prevents unfiltered bypass)

Layer 2 — Container NAT (containers/agent/setup-iptables.sh):

• OUTPUT chain DNAT rules redirect TCP 80/443 to Squid
• Dangerous port list (22, 23, 25, 445, 1433, 3306, 3389, 5432, 6379, 27017, etc.) receives NAT RETURN then falls to DROP
• Localhost and agent self-directed traffic bypass Squid via RETURN
• DNS restricted to Docker embedded DNS (127.0.0.11) and explicitly configured upstream
• Default deny for TCP and UDP: iptables -A OUTPUT -p tcp -j DROP; iptables -A OUTPUT -p udp -j DROP

Assessment: Firewall rule ordering is correct (specific allows before general deny). No obvious NAT bypass opportunities. IPv4 and IPv6 both addressed. UDP is blocked by default (prevents non-DNS exfiltration). DNS exfiltration is well-mitigated.

Squid Configuration (src/squid-config.ts):

• Direct IPv4/IPv6 connections blocked: acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
• Dangerous ports are blocked at the Safe_ports ACL level
• Default deny: http_access deny all as final rule
• Custom log format captures full connection metadata for forensics

---

Container Security Assessment

Evidence gathered:

# Command run:
grep -n "NET_ADMIN|cap_drop|capabilities|seccomp|apparmor" src/docker-manager.ts
python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); ..."
```

**Positive findings:**

- `no-new-privileges:true` applied to agent container  
- `NET_ADMIN` is **never** granted to the agent container; it is held exclusively by the separate `awf-iptables-init` init container, which shares the network namespace  
- `SYS_CHROOT` and `SYS_ADMIN` are explicitly dropped via `capsh --drop=cap_sys_chroot,cap_sys_admin` in `entrypoint.sh` before any user code executes  
- `NET_RAW`, `SYS_PTRACE`, `SYS_MODULE`, `SYS_RAWIO`, `MKNOD` are all dropped  
- Resource limits enforced: 2 GB memory, 1000 PIDs, default CPU shares  
- Seccomp profile applied (343 ALLOW, 28 ERRNO rules; default action: `SCMP_ACT_ERRNO`)

**Finding — Medium: AppArmor set to `unconfined`**

```
# File: src/docker-manager.ts:1028
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',  ← <-- explicitly disabled
]

AppArmor is disabled to allow mount -t proc in entrypoint.sh. The stated justification is that SYS_ADMIN is dropped before user code runs. This is architecturally sound but removes an entire mandatory access control layer. AppArmor could restrict file paths, mount operations, and syscalls even for root. Alternatives: create a custom AppArmor profile that allows only proc mounting and restricts everything else.

Finding — Medium: mount and unshare allowed in seccomp without argument filtering

# Evidence:
mount: action=SCMP_ACT_ALLOW, args=[]   # No argument restrictions
unshare: action=SCMP_ACT_ALLOW, args=[]
clone: action=SCMP_ACT_ALLOW, args=[]   # clone3 also allowed

The mount, unshare, and clone syscalls are allowed without argument-level filtering. While SYS_ADMIN and SYS_CHROOT are dropped before user code runs, the seccomp policy does not enforce this. If capability dropping fails or is bypassed (e.g., a race condition), unshare + clone with CLONE_NEWNS + mount could be used to create a new mount namespace and remount filesystems. Argument-level seccomp filtering (SCMP_CMP_MASKED_EQ with CLONE_NEWNS bit) would add defence-in-depth.

---

Domain Validation Assessment

Evidence gathered:

# Command run:
node -e "
const { validateDomainOrPattern } = require('./dist/domain-patterns.js');
const tests = ['*.com', '*.io', '*.github.com', '*.*.com', 'a.*.com'];
..."
```

**Output:**
```
ALLOWED: *.com          ← matches ANY .com domain
ALLOWED: *.io           ← matches ANY .io domain
ALLOWED: *.github.com   ← expected
BLOCKED: *.*.com        ← correctly blocked
ALLOWED: a.*.com        ← matches a.(anything).com

Finding — High: Single-segment TLD wildcards (*.com, *.io) are allowed

The validation logic in src/domain-patterns.ts:185-196:

const wildcardSegments = segments.filter(s => s === '*').length;
const totalSegments = segments.length;
if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) {
  throw new Error(...);
}
```

For `*.com`: `wildcardSegments = 1`, `totalSegments = 2` → condition `1 > 1` is **false** → passes.

This generates the Squid ACL:
```
acl allowed_domains_regex dstdom_regex -i ^[a-zA-Z0-9.-]*\.com$

This pattern matches every .com domain, effectively disabling the firewall for any user who passes --allow-domains '*.com'. An attacker who can control the domain allowlist (e.g., via a compromised workflow) could trivially bypass all domain filtering.

Recommendation: Validate that wildcard patterns have a minimum number of non-wildcard labels after the last wildcard. At minimum, patterns like *.com and *.io (wildcard as the most-specific label) should require at least 2 non-wildcard labels: *.github.com (1 wildcard, 2 non-wildcard) is fine; *.com (1 wildcard, 1 non-wildcard) should be blocked.

Positive findings in domain validation:

• * alone blocked
• *.* blocked
• *.*.com blocked
• Double-dots blocked
• ReDoS prevention: wildcards translate to [a-zA-Z0-9.-]* (not .*)
• Domain length capped at 512 chars before regex matching
• Protocol prefixes ((redacted) https://`) correctly parsed

---

Input Validation Assessment

Evidence gathered:

# Command run:
grep -n "escapeShellArg|joinShellArgs|shell|exec|spawn" src/cli.ts
sed -n '490,545p' src/docker-manager.ts  # env-all section

Positive findings:

• escapeShellArg() in src/cli.ts:860 properly wraps arguments in single quotes with internal single-quote escaping
• Multiple-argument mode joins with joinShellArgs(), safely escaping each arg
• User command passed to docker exec as a JSON array (['/bin/bash', '-c', cmd]), not a shell string
• Dollar-sign doubling: config.agentCommand.replace(/\$/g, '$$$$') prevents YAML variable expansion in Docker Compose
• Port sanitization: port.replace(/[^0-9-]/g, '') strips non-numeric chars as defence-in-depth
• Blocked domain config: normalized and validated before injection into Squid config

Finding — High: --env-all passes arbitrary host environment variables

# File: src/docker-manager.ts:491-495
if (config.envAll) {
  for (const [key, value] of Object.entries(process.env)) {
    if (value !== undefined && !EXCLUDED_ENV_VARS.has(key) && !Object.prototype.hasOwnProperty.call(environment, key)) {
      environment[key] = value;
    }
  }
}

EXCLUDED_ENV_VARS only contains: PATH, PWD, OLDPWD, SHLVL, _, SUDO_COMMAND, SUDO_USER, SUDO_UID, SUDO_GID.

With --env-all, variables such as AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET, DATABASE_URL, POSTGRES_PASSWORD, any .npmrc auth tokens in the environment, CI provider tokens, etc. are forwarded to the container. The AWF_ONE_SHOT_TOKENS protection only covers a hardcoded list: COPILOT_GITHUB_TOKEN, GITHUB_TOKEN, GH_TOKEN, GITHUB_API_TOKEN, GITHUB_PAT, GH_ACCESS_TOKEN, OPENAI_API_KEY, OPENAI_KEY, ANTHROPIC_API_KEY, CLAUDE_API_KEY, CODEX_API_KEY.

Arbitrary secrets not in this list (e.g., AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET) remain readable via /proc/self/environ for the entire process lifetime when --env-all is used.

Recommendation: Add common cloud credential env vars to EXCLUDED_ENV_VARS when --env-all is used. Alternatively, implement an opt-in pattern (--env KEY=VALUE) or warn users clearly when --env-all is used that it forwards all secrets.

Finding — Low: ~/.config mounted read-write broadly

// src/docker-manager.ts:680
agentVolumes.push(`\$\{effectiveHome}/.config:/host\$\{effectiveHome}/.config:rw`);

The entire ~/.config is mounted read-write. Credential files inside are hidden via /dev/null overlays, but only for explicitly known paths (e.g., ~/.config/gh/hosts.yml). New credential files added to ~/.config in the future (or unknown tools' credential files) would be exposed. The comment acknowledges this: "Specific credential files within ~/.config (like ~/.config/gh/hosts.yml) are still blocked via /dev/null overlays applied later in the code."

---

⚠️ Threat Model (STRIDE)

#	Threat	Category	Severity	Likelihood	Evidence Location
T1	Overly broad wildcard domain (*.com) bypasses firewall	Information Disclosure	High	Medium	src/domain-patterns.ts:185-196
T2	--env-all exposes cloud/DB credentials in container	Information Disclosure	High	Medium (opt-in)	src/docker-manager.ts:491-495
T3	AppArmor disabled; mount/unshare/clone allowed in seccomp	Elevation of Privilege	Medium	Low	src/docker-manager.ts:1028, seccomp-profile.json
T4	~/.config RW mount exposes unknown credential files	Information Disclosure	Medium	Low	src/docker-manager.ts:680
T5	js-yaml prototype pollution (moderate CVE)	Tampering	Medium	Very Low	npm audit output
T6	DNS exfiltration via allowed DNS servers	Information Disclosure	Low	Very Low	Architecture by design
T7	5-second token unset window: /proc/1/environ readable	Information Disclosure	Low	Very Low	entrypoint.sh:680-690
T8	Prompt injection via malicious domain name in --allow-domains	Tampering	Mitigated	—	src/domain-patterns.ts validation
T9	Container escape via NAT rule modification	Elevation of Privilege	Mitigated	—	init container; NET_ADMIN never granted to agent
T10	Direct IP connection bypassing domain filter	Information Disclosure	Mitigated	—	squid-config.ts:549-554 dst_ipv4/dst_ipv6 ACLs

---

🎯 Attack Surface Map

Surface	File:Line	What it does	Protections	Risk
--allow-domains	src/cli.ts:739	User-controlled domain allowlist	validateDomainOrPattern(), ReDoS-safe regex	High (see T1)
--env-all	src/docker-manager.ts:491	Forward all host env vars	EXCLUDED_ENV_VARS set, one-shot-token	High (see T2)
Agent command string	src/cli.ts:1347	Shell command executed in container	escapeShellArg(), JSON array exec	Low
Squid URL patterns	src/ssl-bump.ts:337	Regex ACLs in ssl-bump mode	parseUrlPatterns() escaping	Low
Docker Compose YAML	src/docker-manager.ts:1049	$$ dollar-sign escaping	Dollar doubling, JSON array	Low
Volume mounts	src/docker-manager.ts:592+	File system access control	Selective mounting, /dev/null overlays	Medium
/tmp mount (rw)	src/docker-manager.ts:603	Full host /tmp writable	Shared with host; limited attack surface	Low
iptables NAT rules	containers/agent/setup-iptables.sh	Traffic redirection to Squid	init container isolation, no NET_ADMIN for agent	Low
Squid ACL config	src/squid-config.ts:248	Domain/port access rules	Port sanitization, deny-all default	Low
one-shot-token	containers/agent/one-shot-token/one-shot-token.c	LD_PRELOAD token interception	XOR obfuscation, bounding set drop	Low

---

📋 Evidence Collection

Domain validation testing output

$ node -e "const { validateDomainOrPattern } = require('./dist/domain-patterns.js');
> ['*.com', '*.io', '*.github.com', '*.*.com', '*.*.*', '*.', 'a.*.com'].forEach(t => {
>   try { validateDomainOrPattern(t); console.log('ALLOWED:', t); }
>   catch(e) { console.log('BLOCKED:', t, '->', e.message.slice(0,60)); }
> });"

ALLOWED: *.com
ALLOWED: *.io
ALLOWED: *.github.com
BLOCKED: *.*.com -> Pattern '*.*.com' has too many wildcard segments and is not
BLOCKED: *.*.* -> Pattern '*.*.*' is too broad and is not allowed
BLOCKED: *. -> Pattern '*.' is too broad and is not allowed
ALLOWED: a.*.com

Seccomp profile analysis

$ python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); ..."

Default action: SCMP_ACT_ERRNO
  SCMP_ACT_ALLOW: 343 syscalls
  SCMP_ACT_ERRNO: 28 syscalls

Dangerous syscalls in allow list:
  mount: ALLOWED (no arg filtering)
  unshare: ALLOWED (no arg filtering)
  clone: ALLOWED (no arg filtering)
  nsenter: blocked ✓
  pivot_root: blocked ✓
  chroot: ALLOWED (syscall level; capability restricted)
  ptrace: blocked ✓
  keyctl: blocked ✓
  add_key: blocked ✓
  request_key: blocked ✓

npm audit output

$ npm audit --json | python3 ...
Total vulnerabilities: 4
  js-yaml [moderate]: js-yaml has prototype pollution in merge (<<)
  markdown-it [moderate]: markdown-it has a Regular Expression Denial of Service (ReDoS)
  markdownlint [moderate]: → markdown-it chain
  markdownlint-cli2 [moderate]: → js-yaml + markdownlint chain

EXCLUDED_ENV_VARS set (--env-all)

// src/docker-manager.ts:375-386
const EXCLUDED_ENV_VARS = new Set([
  'PATH',           // Must use container's PATH
  'PWD',            // Container's working directory
  'OLDPWD',         // Not relevant in container
  'SHLVL',          // Shell level not relevant
  '_',              // Last command executed
  'SUDO_COMMAND',   // Sudo metadata
  'SUDO_USER',      // Sudo metadata
  'SUDO_UID',       // Sudo metadata
  'SUDO_GID',       // Sudo metadata
]);
// NOTE: AWS_*, AZURE_*, DATABASE_*, etc. are NOT excluded

AppArmor and capability settings

// src/docker-manager.ts:1012-1028
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: [
  'NET_RAW',
  'SYS_PTRACE',
  'SYS_MODULE',
  'SYS_RAWIO',
  'MKNOD',
],
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   // ← AppArmor disabled
],

# entrypoint.sh:306-313 - SYS_ADMIN/SYS_CHROOT dropped before user code:
if [ "\$\{AWF_CHROOT_ENABLED}" = "true" ]; then
  CAPS_TO_DROP="cap_sys_chroot,cap_sys_admin"
  echo "[entrypoint] Chroot mode enabled - dropping CAP_SYS_CHROOT and CAP_SYS_ADMIN"
else
  CAPS_TO_DROP=""
fi

---

✅ Recommendations

🔴 High Priority

H1: Block single-segment TLD wildcard patterns (*.com, *.io)
File: src/domain-patterns.ts:185

Require that wildcard patterns have at least 2 non-wildcard segments following the wildcard. This would allow *.github.com (2 non-wildcard segments after wildcard) but block *.com (only 1).

// Proposed fix:
const nonWildcardSegments = segments.filter(s => s !== '*').length;
if (wildcardSegments > 0 && nonWildcardSegments < 2) {
  throw new Error(`Pattern '\$\{trimmed}' is too broad: requires at least 2 non-wildcard domain labels`);
}

H2: Expand EXCLUDED_ENV_VARS for --env-all mode or add a warning
File: src/docker-manager.ts:375

When --env-all is used, add common cloud/CI credential variables to the exclusion set, or emit a prominent warning listing the classes of variables that will be forwarded. Consider adding: AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AZURE_CLIENT_SECRET, GOOGLE_APPLICATION_CREDENTIALS, DATABASE_URL, *_PASSWORD, *_SECRET (using pattern matching).

---

🟡 Medium Priority

M1: Add AppArmor profile instead of unconfined
File: src/docker-manager.ts:1028

Create a minimal custom AppArmor profile that permits only the required proc mount operation and denies all other mounts. This restores the AppArmor defence layer while preserving the procfs mounting capability.

M2: Add argument-level seccomp filtering for unshare and clone
File: containers/agent/seccomp-profile.json

Add a SCMP_CMP_MASKED_EQ argument filter to block CLONE_NEWNS (0x20000), CLONE_NEWNET (0x40000000), CLONE_NEWUSER (0x10000000) flags in clone/clone3, and restrict unshare to only allow flags needed for development tools. This provides defence-in-depth if capability dropping is bypassed.

M3: Scope ~/.config mount more narrowly
File: src/docker-manager.ts:680

Instead of mounting all of ~/.config, mount only explicitly required subdirectories (e.g., ~/.config/gh is already overlaid with /dev/null). This reduces the blast radius for unknown credential files.

M4: Upgrade or patch js-yaml (prototype pollution)
File: package.json

The moderate js-yaml vulnerability (prototype pollution via YAML merge <<) affects the Docker Compose YAML generation path. While exploitation requires attacker-controlled YAML input (unlikely in this context), upgrading to a patched version eliminates the risk entirely.

---

🟢 Low Priority

L1: Add explicit warning for --env-all in documentation and help text

The current help text should warn that --env-all forwards ALL environment variables including arbitrary secrets, and recommend using specific --env KEY=VALUE flags for individual variables instead.

L2: Consider extending AWF_ONE_SHOT_TOKENS list
File: src/docker-manager.ts:421

Add commonly used cloud credential variable names (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET) to the default one-shot-token protection list, even when --env-all is not used. This adds defence-in-depth for deliberate secrets forwarded via --env.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	~3,500 (src/.ts, containers/agent/.sh, seccomp-profile.json)
Attack surfaces identified	10
Threats in STRIDE model	10 (7 active, 3 mitigated)
High severity findings	2
Medium severity findings	4
Low severity findings	2
Defence-in-depth layers confirmed	6 (iptables host, iptables container, Squid ACL, seccomp, capabilities, one-shot-token)
npm vulnerabilities	4 moderate (tooling chain only)

---

Review conducted via static analysis of source code, shell scripts, seccomp profile, and npm audit output. No dynamic testing was performed. All evidence is verifiable by re-running the commands cited in the Evidence Collection section.

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 22, 2026, 1:46 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-22T13:46:45.976Z.

Closed by Workflow