[Security Review] Daily Security Review and Threat Modeling — 2026-03-22

[github-actions[bot]]

Note: No "Firewall Escape Test Agent" workflow was found in this repository (available workflows include security-review, secret-digger-*, security-guard, etc.). The prior-run log download also failed (no git in PATH within the runner). This review is based on direct codebase analysis with all commands documented below.

---

📊 Executive Summary

The gh-aw-firewall codebase demonstrates strong layered security with defense-in-depth across all major threat surfaces. The architecture correctly implements: privilege separation via separate iptables-init container, capability dropping before user code execution, domain-level L7 egress control via Squid, IPv6 bypass prevention, DNS exfiltration mitigations, and a strict default-deny seccomp profile.

No critical vulnerabilities were found. Three medium-severity observations and several low/informational items are documented below with evidence.

Severity	Count
Critical	0
High	0
Medium	3
Low	4
Informational	3

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

# Command: cat containers/agent/setup-iptables.sh
# Key findings documented below

Firewall rule ordering (✅ Correct): NAT RETURN rules for dangerous ports are placed before the DNAT redirect rules for ports 80/443. This ensures dangerous ports (22, 25, 3306, 5432, etc.) are blocked even if they somehow map to web ports.

# From setup-iptables.sh line ~241-245 (correct order):
# 1. Allow localhost → RETURN
# 2. Allow self-directed → RETURN  
# 3. Allow DNS to configured servers → RETURN
# 4. Allow Squid traffic → RETURN
# 5. Block dangerous ports → RETURN (then dropped by OUTPUT filter)
# 6. DNAT port 80 → Squid
# 7. DNAT port 443 → Squid

Default deny policy (✅): Both TCP and UDP are dropped at the OUTPUT filter chain:

# setup-iptables.sh lines 319-320:
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

Host-level DOCKER-USER chain (✅): src/host-iptables.ts creates a dedicated FW_WRAPPER chain with final REJECT-all. UDP and "other" traffic are both logged and rejected.

IPv6 handling (✅): Both src/host-iptables.ts (host level) and containers/agent/setup-iptables.sh (container level) check for ip6tables availability. If unavailable, IPv6 is disabled via sysctl -w net.ipv6.conf.all.disable_ipv6=1 as a fallback to prevent unfiltered bypass.

⚠️ MEDIUM-1 — ICMP not blocked at container OUTPUT level:

# Command: grep -n "icmp\|ICMP\|p icmp" containers/agent/setup-iptables.sh
# Output: (no matches)

The container's OUTPUT filter chain only drops TCP and UDP (setup-iptables.sh lines 319–320). ICMP traffic from within the agent container is not explicitly blocked. ICMP is caught by the host-level FW_WRAPPER chain's final REJECT rule, but this is a single layer of protection (the host-level DOCKER-USER chain). If the host-level chain is bypassed or not installed, agents could use ICMP for covert out-of-band communication (e.g., ICMP tunneling/exfiltration).

Recommendation: Add an explicit DROP rule for ICMP at the container level:

iptables -A OUTPUT -p icmp -j DROP
```

**DNS exfiltration prevention** (✅ Strong): `entrypoint.sh` writes `/etc/resolv.conf` with only `nameserver 127.0.0.11` (Docker embedded DNS). Direct DNS to non-configured upstream servers is blocked by the OUTPUT filter chain. The AWF_DNS_SERVERS-based allow-rules only permit DNS to explicitly configured upstream servers.

---

### Container Security Assessment

**Capability dropping** (✅): The init container (`awf-iptables-init`) holds `NET_ADMIN` and `NET_RAW` for iptables setup, then the agent container **never receives `NET_ADMIN`**. Before user code runs, `capsh` drops `CAP_SYS_CHROOT` and `CAP_SYS_ADMIN` from the bounding set.

```
# docker-manager.ts line 1005: "SECURITY: NET_ADMIN is NOT granted to the agent container."
# docker-manager.ts lines 1015-1016: cap_drop: ['NET_RAW', 'SYS_PTRACE']
# entrypoint.sh lines 307, 637: capsh --drop=cap_sys_chroot,cap_sys_admin --user=...
```

**`no-new-privileges`** (✅): Applied to agent container and init containers:
```
# docker-manager.ts lines 1026-1027, 1234-1235, 1337
security_opt: ['no-new-privileges:true']
```

**Resource limits** (✅): Memory and CPU limits are set:
```
# docker-manager.ts lines 1032-1035:
mem_limit: config.memoryLimit || '2g'
memswap_limit: config.memoryLimit || '2g'  # No swap
cpu_shares: 1024

⚠️ MEDIUM-2 — mount and unshare in seccomp ALLOW list:

# Command: cat containers/agent/seccomp-profile.json | python3 -c "..."
# Output: defaultAction: SCMP_ACT_ERRNO
# SCMP_ACT_ALLOW includes: 'mount', 'unshare', 'setns'

The seccomp profile explicitly allows mount, unshare, and setns syscalls. While these are mitigated by capability dropping (SYS_ADMIN required for most mount operations), their presence in the ALLOW list widens the attack surface if capabilities are inadvertently granted or if a capability-bypassing kernel vulnerability is exploited. In particular:

• unshare with CLONE_NEWUSER (user namespaces) may work without privileges on many kernels, potentially enabling privilege escalation within the container.
• setns allows joining existing namespaces (e.g., PID namespace of another container's process).

Recommendation: Add these to the SCMP_ACT_ERRNO block unless specifically needed:

{"names": ["unshare", "setns", "mount", "umount"], "action": "SCMP_ACT_ERRNO"}
```
Note: `umount`/`umount2` are already blocked separately.

**Seccomp default action** (✅ Excellent): `defaultAction: SCMP_ACT_ERRNO` — all unrecognized syscalls are denied by default. Only the large explicit ALLOW list is permitted.

**Blocked critical syscalls** (✅):
```
# SCMP_ACT_ERRNO applied to:
# ptrace, process_vm_readv, process_vm_writev (anti-inspection)
# kexec_load, reboot, init_module, delete_module, pivot_root (kernel/system protection)
# acct, swapon, swapoff, syslog, add_key, request_key, keyctl (system integrity)

Privileged mode (✅): No containers use privileged: true.

UID/GID validation (✅): System UIDs/GIDs (0–999) are rejected in docker-manager.ts:

// Lines 26-33: validateIdNotInSystemRange()
if (id < MIN_REGULAR_UID) { return MIN_REGULAR_UID.toString(); }
// entrypoint.sh lines 25-31: explicit check prevents root (UID=0) mapping

---

Domain Validation Assessment

ReDoS protection (✅): Wildcard patterns use [a-zA-Z0-9.-]* character class instead of .*:

// domain-patterns.ts: DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*'

Overly broad pattern rejection (✅): Patterns *, *.*, and patterns with only wildcards/dots are rejected with clear error messages.

Multi-wildcard segment check (✅): Patterns like *.*.com are blocked (>1 pure wildcard segment when wildcards ≥ total_segments - 1).

Input length limit (✅): isDomainMatchedByPattern() limits domain length to 512 characters before regex matching.

Protocol prefix handling (✅): (redacted) and https://` prefixes are stripped correctly; protocol-specific ACLs are generated in Squid config.

---

Input Validation Assessment

Port injection prevention (✅): --allow-host-ports values go through numeric parsing with range validation and a dangerous-ports blocklist check. A final replace(/[^0-9-]/g, '') sanitization is applied before use in Squid config (squid-config.ts lines ~480-510).

Shell injection via command arguments (✅): The CLI uses execa with array arguments (not shell interpolation) for all Docker commands. User-provided command strings are passed as arguments to the container shell, not interpolated into host shell commands.

⚠️ MEDIUM-3 — Predictable workDir path creates TOCTOU window:

# Command: sed -n '1315,1325p' src/cli.ts
# Output: path.join(os.tmpdir(), `awf-\$\{Date.now()}`)

The working directory is awf-(timestamp) based on Date.now() (millisecond precision). In a shared-user environment, a local attacker who can observe process creation timing could pre-create /tmp/awf-(N) as a symlink before mkdirSync runs, potentially redirecting config file writes (Squid config, Docker Compose config) to an attacker-controlled location.

Recommendation: Use fs.mkdtempSync(path.join(os.tmpdir(), 'awf-')) for cryptographically random suffix:

// Replace: path.join(os.tmpdir(), `awf-\$\{Date.now()}`)
// With:    fs.mkdtempSync(path.join(os.tmpdir(), 'awf-'))
```

---

## ⚠️ Threat Model (STRIDE)

| # | Category | Threat | Evidence | Likelihood | Impact | Severity |
|---|----------|--------|----------|------------|--------|----------|
| T1 | **Info Disclosure** | `GITHUB_TOKEN`/`GH_TOKEN` forwarded to agent by default | `docker-manager.ts:503-504` — explicit passthrough | Medium | Medium | **Medium** |
| T2 | **Info Disclosure** | `--env-all` leaks all non-excluded host env vars | `docker-manager.ts:492-498`; EXCLUDED_ENV_VARS only covers PATH, shell metadata, sudo metadata | Low | High | **Medium** |
| T3 | **Elevation of Privilege** | `unshare(CLONE_NEWUSER)` may succeed without capabilities | `seccomp-profile.json` ALLOW list; kernel-dependent | Low | Medium | **Low** |
| T4 | **Info Disclosure** | ICMP covert channel (tunneling) from agent container | Container OUTPUT chain lacks ICMP DROP; depends on host chain only | Low | Medium | **Low** |
| T5 | **Tampering** | workDir TOCTOU race condition (predictable path) | `cli.ts:1320` uses `Date.now()` not cryptographic random | Very Low | Medium | **Low** |
| T6 | **Denial of Service** | Attacker agent exhausts Squid connection pool | No per-domain connection limits in Squid config | Low | Low | **Low** |
| T7 | **Repudiation** | Squid logs owned by `proxy` user; require sudo to read | AGENTS.md documentation acknowledges this | Low | Low | **Informational** |
| T8 | **Spoofing** | DNS cache poisoning via Docker embedded DNS forwarding | Docker DNS is internal; upstream servers are configurable | Very Low | Low | **Informational** |
| T9 | **Tampering** | Squid config passed via base64 env var (not file) | Architecture decision for Docker-in-Docker compatibility | N/A | N/A | **Design Note** |

---

## 🎯 Attack Surface Map

| Surface | Location | What It Does | Current Protections | Risk |
|---------|----------|--------------|---------------------|------|
| CLI argument parsing | `src/cli.ts:1326` | Parses user command string | `execa` array args; no shell interpolation | Low |
| `--allow-domains` input | `src/cli.ts:1442`, `domain-patterns.ts` | Domain ACL construction | `validateDomainOrPattern()`; ReDoS protection; broad-pattern rejection | Low |
| `--allow-host-ports` | `src/cli.ts:1667`, `squid-config.ts:~480` | Port allowlisting | Numeric parse + range validation + dangerous-port blocklist + sanitize regex | Low |
| Docker Compose generation | `src/docker-manager.ts:262` | Generates container config | All inputs validated; `js-yaml` serialization | Low |
| Container environment | `src/docker-manager.ts:376-560` | Env var passthrough | EXCLUDED_ENV_VARS; API key exclusion with `--enable-api-proxy` | **Medium** |
| Squid proxy config | `src/squid-config.ts` | Domain ACL enforcement | Generated from validated domain list; base64-injected | Low |
| iptables (host) | `src/host-iptables.ts` | Host-level egress control | FW_WRAPPER chain; default REJECT; UDP/other blocked | Low |
| iptables (container) | `containers/agent/setup-iptables.sh` | Container-level NAT + filter | TCP/UDP DROP; ICMP not explicitly blocked | **Medium** |
| Seccomp profile | `containers/agent/seccomp-profile.json` | Syscall filtering | Default deny; but `mount`/`unshare`/`setns` allowed | **Medium** |
| API proxy sidecar | `containers/api-proxy/server.js` | Credential injection | API keys isolated from agent; routes through Squid | Low |
| workDir | `src/cli.ts:1320` | Temp config files | `Date.now()` suffix (predictable) | Low |
| Squid access logs | `workDir/squid-logs/` | Audit trail | proxy user-owned; requires sudo to read | Low |

---

## 📋 Evidence Collection

<details>
<summary>Commands run and relevant outputs</summary>

**Seccomp profile analysis:**
```
cat containers/agent/seccomp-profile.json | python3 analysis
→ defaultAction: SCMP_ACT_ERRNO
→ 3 ERRNO groups (ptrace/process_vm_*, kexec/reboot/pivot_root/etc, umount)
→ ALLOW list includes: mount, unshare, setns
```

**npm audit:**
```
npm audit --audit-level=high --json | ...
→ High/Critical vulns: 0
→ Dependencies: chalk, commander, execa, js-yaml
```

**ICMP filter check:**
```
grep -n "icmp\|ICMP" containers/agent/setup-iptables.sh
→ (no matches)
```

**workDir creation:**
```
sed -n '1315,1325p' src/cli.ts
→ path.join(os.tmpdir(), `awf-\$\{Date.now()}`)
```

**EXCLUDED_ENV_VARS:**
```
sed -n '376,400p' src/docker-manager.ts
→ Only: PATH, PWD, OLDPWD, SHLVL, _, SUDO_* vars
→ GITHUB_TOKEN, GH_TOKEN not excluded by default
```

**Capability dropping:**
```
grep -n "cap_drop\|NET_ADMIN\|capsh" src/docker-manager.ts | head -10
→ NET_ADMIN: NEVER granted to agent container (comment at line 1005)
→ Agent cap_drop: ['NET_RAW', 'SYS_PTRACE']
→ init container: cap_add: ['NET_ADMIN', 'NET_RAW'], cap_drop: ['ALL']
→ entrypoint.sh: capsh --drop=cap_sys_chroot,cap_sys_admin
```

**IPv6 mitigation:**
```
grep -n "IPv6\|ip6tables\|sysctl" src/host-iptables.ts
→ Lines 66-76: disableIpv6ViaSysctl() fallback when ip6tables unavailable
```

**Domain validation:**
```
cat src/domain-patterns.ts
→ DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*' (ReDoS-safe)
→ validateDomainOrPattern: blocks *, *.*, /^[*.]+$/ patterns
→ isDomainMatchedByPattern: MAX_DOMAIN_LENGTH = 512

---

✅ Recommendations

Medium Priority — Address in Near Term

M1 — Add explicit ICMP DROP to container OUTPUT chain (containers/agent/setup-iptables.sh)

• File: containers/agent/setup-iptables.sh — after the UDP DROP rule (line ~320)
• Fix: iptables -A OUTPUT -p icmp -j DROP
• Rationale: Defense-in-depth; prevents ICMP covert channels independent of host-level rules

M2 — Block unshare/setns/mount in seccomp profile (containers/agent/seccomp-profile.json)

• File: containers/agent/seccomp-profile.json
• Fix: Move mount, unshare, setns from ALLOW list to a new ERRNO group
• Rationale: User namespaces (unshare CLONE_NEWUSER) can be created without privileges; reduces attack surface even with capability dropping

M3 — Use mkdtempSync for workDir (src/cli.ts)

• File: src/cli.ts line 1320
• Fix: fs.mkdtempSync(path.join(os.tmpdir(), 'awf-'))
• Rationale: Eliminates TOCTOU race condition; uses OS-secure random suffix

Low Priority — Consider for Future

L1 — Document GITHUB_TOKEN forwarding in security model

• docker-manager.ts lines 503–504 forward GITHUB_TOKEN/GH_TOKEN by default. This is necessary for agents to function but should be explicitly documented as a known credential delegation in the security model. Consider a --no-github-token flag for untrusted agent scenarios.

L2 — Add Squid connection limits per domain

• Squid config in src/squid-config.ts doesn't set max_connections per ACL. A misbehaving agent could exhaust the connection pool or create a DoS condition.

L3 — Consider --env-all security warning

• Add a visible security warning when --env-all is used, since it bypasses credential isolation for non-excluded environment variables.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	~2,400 (host-iptables.ts, setup-iptables.sh, docker-manager.ts, squid-config.ts, domain-patterns.ts, entrypoint.sh)
Attack surfaces identified	13
npm vulnerabilities (high/critical)	0
Threat model entries	9
Seccomp blocked syscall groups	3 groups (28 syscalls)
Seccomp default action	SCMP_ACT_ERRNO (default deny) ✅
Security layers (defense-in-depth)	4 (Squid ACL, iptables NAT, iptables filter host, iptables filter container)
Capabilities never granted to agent	NET_ADMIN, NET_BROADCAST, SYS_PTRACE, SYS_RAWIO, SETFCAP

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 29, 2026, 1:42 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-29T13:42:50.809Z.

Closed by Workflow