[Security Review] Daily Security Review and Threat Modeling — 2026-04-01

[github-actions[bot]]

📊 Executive Summary

This security review covers a comprehensive, evidence-based analysis of the gh-aw-firewall codebase as of 2026-04-01. The firewall implements a solid defense-in-depth architecture with multiple independent security layers. One Critical finding was discovered (Squid config injection via newline in URL patterns). The overall security posture is good, with well-implemented iptables filtering, capability dropping, seccomp profiles, and Docker socket hardening. The most significant risk surface is the SSL Bump / --allow-urls feature path.

Key metrics:

• 0 npm dependency vulnerabilities (npm audit clean)
• 1 Critical finding: Squid config injection via URL pattern newlines
• 1 High finding: ICMP egress not explicitly blocked in container OUTPUT chain
• 2 Medium findings: --enable-dind firewall bypass advisory + --env-all credential leak risk
• ~4,000+ lines of security-critical code analyzed across 6 source files

---

🔍 Findings from Firewall Escape Test Agent

No "firewall-escape-test" workflow was found in the repository's workflow listing. The closest related workflows are security-review (daily) and security-guard (PR-triggered). The absence of an automated escape-test agent means active adversarial testing of the firewall (e.g., DNS tunneling, ICMP exfil, HTTP smuggling attempts) is not continuously exercised in CI.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Strengths:

• Dual-layer enforcement: iptables DNAT redirects all TCP port 80/443 traffic to Squid, then Squid enforces domain ACLs. Either layer independently blocks disallowed traffic.
• Direct IP blocking in Squid: dst_ipv4 and dst_ipv6 ACLs block CONNECT requests to raw IP addresses, preventing domain-name bypass via direct IP.
• Dangerous port blacklist: Ports 22 (SSH), 25 (SMTP), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 27017 (MongoDB), and others have explicit NAT RETURN + OUTPUT DROP rules.
• DNS exfiltration prevention: Only configured DNS servers (default 8.8.8.8,8.8.4.4) are allowed; all other UDP port 53 traffic is dropped. Docker embedded DNS (127.0.0.11) handles container name resolution.
• IPv6 disabled at init: Both host (src/host-iptables.ts) and container (containers/agent/setup-iptables.sh:48-49) disable IPv6 via sysctl when ip6tables is unavailable, preventing IPv6 as a bypass path.
• Defense-in-depth for non-proxy-aware tools: iptables DNAT catches HTTP/HTTPS from tools that ignore HTTP_PROXY/HTTPS_PROXY env vars.

Evidence:

# setup-iptables.sh:334-335
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"

# squid-config.ts:573-574 (direct IP blocking)
acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl dst_ipv6 dstdom_regex ^\[?[0-9a-fA-F:]+\]?$
http_access deny dst_ipv4
http_access deny dst_ipv6

Weakness — ICMP not explicitly blocked in container OUTPUT chain:
The container's OUTPUT filter chain (setup-iptables.sh lines 411-418) only adds DROP rules for TCP and UDP. ICMP traffic is not explicitly blocked. While NET_RAW is dropped from the agent container (preventing raw socket creation), ICMP echo requests could still be sent via the standard ping binary if it has cap_net_raw set via SUID (which is present in Ubuntu 22.04). The host-level DOCKER-USER chain uses REJECT --reject-with icmp-port-unreachable only on specific REJECT rules, not as a default-deny for ICMP. This creates a potential low-bandwidth covert channel.

# setup-iptables.sh:411-418 — only TCP and UDP are dropped
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# ICMP is not mentioned — not blocked in OUTPUT filter

Container Security Assessment

Strengths:

• no-new-privileges:true applied to all containers (src/docker-manager.ts:1183, 1395, 1499)
• Custom seccomp profile with defaultAction: SCMP_ACT_ERRNO (deny-by-default)
• NET_ADMIN is only granted to the awf-iptables-init init container, never to the agent
• SYS_CHROOT and SYS_ADMIN are added to agent only for chroot setup, then dropped via capsh before user code runs
• NET_RAW dropped from agent — prevents raw socket creation for iptables bypass
• Docker socket mapped to /dev/null by default (only exposed with explicit --enable-dind)
• Memory limits: agent 6g (default), iptables-init 128m, API proxy 512m
• pids_limit: 1000 for agent, 50 for init/Squid containers
• Sensitive dirs hidden via tmpfs overlays (MCP logs dir, workDir, /dev/shm)
• /etc/shadow is not bind-mounted into the chroot (only whitelisted /etc files)

Evidence — capability dropping in entrypoint.sh:349-350:

echo "[entrypoint] Chroot mode enabled - dropping CAP_SYS_CHROOT and CAP_SYS_ADMIN"
# capsh drops capabilities before exec-ing user command

Evidence — Docker socket hiding in docker-manager.ts:954:

agentVolumes.push('/dev/null:/host/var/run/docker.sock:ro');
agentVolumes.push('/dev/null:/host/run/docker.sock:ro');

Weakness — --enable-dind exposes Docker socket with only a warning:
When --enable-dind is specified, the real /var/run/docker.sock is bind-mounted into the chroot with read-write access. A comment in docker-manager.ts:944 states "agent can run docker commands (firewall bypass possible)" — this is correctly warned about, but the feature makes it trivial to spawn a new container without AWF network restrictions. This should be treated as a complete firewall bypass when used.

Domain Validation Assessment

Strengths:

• validateDomainOrPattern() in src/domain-patterns.ts blocks *, *.*, and patterns matching /^[*.]+$/
• Wildcard-to-regex conversion uses [a-zA-Z0-9.-]* (not .*) to prevent ReDoS
• Protocol-specific restrictions ((domain/redacted) vs (domain/redacted)`) correctly handled
• Protocol stripping before validation prevents bypass via protocol prefix manipulation
• Input length capped at 512 chars for regex matching (isDomainMatchedByPattern)

# domain-patterns.ts — safe wildcard conversion
const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*';
// * becomes [a-zA-Z0-9.-]* — no catastrophic backtracking

Weakness — Multiple wildcard segments check could be bypassed:
The check wildcardSegments >= totalSegments - 1 only blocks patterns where most segments are wildcards. A pattern like *.*.example.com (2 wildcards, 4 segments: 2 >= 4-1=2 >= 3 = false) passes validation. While less than two wildcard segments is generally acceptable, the intent of the check could lead to inconsistent security reasoning.

Input Validation Assessment

Strengths:

• Port specs validated with isValidPortSpec() before Squid config and iptables injection
• Port values additionally sanitized with port.replace(/[^0-9-]/g, '') before Squid config embedding
• Shell arguments escaped via escapeShellArg() using single-quote wrapping with inner single-quote escaping
• UID/GID validated as numeric and rejected if 0 (root) in containers/agent/entrypoint.sh:15-33
• URL patterns validated for https:// prefix and dangerous broad-patterns before processing

CRITICAL FINDING — Squid config injection via URL pattern newlines:

The parseUrlPatterns() function in src/ssl-bump.ts:337 does not strip or reject newline characters. These patterns are then directly embedded into the generated Squid configuration via generateSslBumpSection() in src/squid-config.ts:154:

const urlAcls = urlPatterns
  .map((pattern, i) => `acl allowed_url_\$\{i} url_regex \$\{pattern}`)
  .join('\n');

Reproduced and verified:

$ node -e "
const squid = require('./dist/squid-config.js');
const config = {
  domains: ['github.com'],
  port: 3128,
  sslBump: true,
  caFiles: { certPath: '/tmp/cert.pem', keyPath: '/tmp/key.pem' },
  sslDbPath: '/tmp/ssldb',
  urlPatterns: ['^(github/redacted)\\\\.com/test\nhttp_access allow all'],
};
const result = squid.generateSquidConfig(config);
// Output shows injected config:
// acl allowed_url_0 url_regex ^https://github.com/test
// http_access allow all
"

Attack scenario: If --allow-urls values originate from user-controlled input (e.g., a CI environment variable, a config file, a GitHub Actions input), an attacker can inject arbitrary Squid directives including http_access allow all, completely disabling domain filtering. The validation in src/cli.ts:1634-1666 checks for dangerous broad patterns but does NOT check for embedded newlines.

---

⚠️ Threat Model

ID	Category	Threat	Severity	Likelihood	Impact
T1	Tampering	Squid config injection via --allow-urls newline characters	Critical	Medium	Critical — complete firewall bypass
T2	Elevation of Privilege	ICMP data exfiltration through absent OUTPUT ICMP DROP rule	High	Low	Medium — low-bandwidth covert channel
T3	Elevation of Privilege	--enable-dind bypasses firewall entirely via new container spawn	High	Low	Critical — total firewall bypass
T4	Information Disclosure	--env-all leaks all host env vars (including secrets) to agent container	Medium	Medium	High — credential exposure
T5	Information Disclosure	Squid JSONL audit log may contain URL fragments with sensitive data	Medium	Medium	Medium — URL query parameters logged
T6	DoS	Memory exhaustion via agent with 6g limit in shared CI runner	Medium	Low	Medium — runner OOM
T7	Spoofing	Agent can forge Host: header for allowed domains to reach disallowed IPs	Low	Low	Low — blocked by Squid ACL
T8	Repudiation	iptables LOG rate-limited (5/min), may miss burst attacks	Low	Medium	Low — audit gap
T9	Tampering	*.*.example.com domain pattern validation edge case	Low	Low	Low — requires explicit configuration

---

🎯 Attack Surface Map

Surface	Location	Current Protection	Risk
--allow-urls CLI arg	src/cli.ts:1625-1666, src/ssl-bump.ts:337	Format validation, no newline check	Critical
Docker socket (DinD)	src/docker-manager.ts:946-956	Hidden by default, warning when enabled	High
--env-all flag	src/cli.ts:1269, src/docker-manager.ts:490-510	Warning only	Medium
--allow-domains wildcard	src/domain-patterns.ts:100-200	Broad pattern rejection, ReDoS prevention	Low
--allow-host-ports	src/host-iptables.ts:448, setup-iptables.sh:176-189	Port spec validation, dangerous port blacklist	Low
AWF_USER_UID/GID env	containers/agent/entrypoint.sh:15-33	Numeric validation, root rejection	Low
Container shell args	src/cli.ts:936-954	escapeShellArg() single-quote wrapping	Low
DNS servers config	src/host-iptables.ts:363-391	Only configured servers allowed	Low
ICMP egress (agent container)	containers/agent/setup-iptables.sh	NET_RAW dropped; no explicit DROP rule	Medium
Squid CONNECT to raw IPs	src/squid-config.ts:573-576	dst_ipv4/dst_ipv6 ACL deny	Low

---

📋 Evidence Collection

Command: Confirm URL pattern injection

$ node -e "
const { parseUrlPatterns } = require('./dist/ssl-bump.js');
const result = parseUrlPatterns(['https://github.com/test\nhttp_access allow all']);
console.log('Newline injection result:', JSON.stringify(result));
"
# Output: Newline injection result: ["^(github/redacted)\\.com/test\nhttp_access allow all$"]

Command: Verify injection in generated Squid config

$ node -e "
const squid = require('./dist/squid-config.js');
const config = {
  domains: ['github.com'], port: 3128,
  sslBump: true,
  caFiles: { certPath: '/tmp/cert.pem', keyPath: '/tmp/key.pem' },
  sslDbPath: '/tmp/ssldb',
  urlPatterns: ['^(github/redacted)\\\\.com/test\nhttp_access allow all'],
};
const result = squid.generateSquidConfig(config);
const idx = result.indexOf('url_regex');
console.log(result.substring(idx-30, idx+300));
"
# Output shows:
# acl allowed_url_0 url_regex ^https://github.com/test
# http_access allow all        <-- INJECTED

Command: Confirm ICMP not dropped in container OUTPUT

$ grep -n "icmp\|ICMP" containers/agent/setup-iptables.sh
# Result: Only ICMP in REJECT --reject-with icmp-port-unreachable (response codes)
# No: iptables -A OUTPUT -p icmp -j DROP

$ grep -n "DROP\|REJECT" containers/agent/setup-iptables.sh | tail -10
# 415: iptables -A OUTPUT -p tcp ... -j LOG
# 416: iptables -A OUTPUT -p tcp -j DROP
# 417: iptables -A OUTPUT -p udp ... -j LOG
# 418: iptables -A OUTPUT -p udp -j DROP
# No ICMP DROP rule present

Command: npm audit (no vulnerabilities)

$ npm audit --json | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['metadata']['vulnerabilities'])"
# Output: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

Command: Capability configuration

$ grep -n "cap_drop\|cap_add\|NET_ADMIN\|NET_RAW\|SYS_CHROOT\|SYS_ADMIN" src/docker-manager.ts
# 411-419: Squid drops NET_RAW, SYS_ADMIN, SETFCAP
# 1169:    Agent adds SYS_CHROOT, SYS_ADMIN (for chroot setup), drops NET_RAW
# 1282-1316: iptables-init container: adds NET_ADMIN, NET_RAW; drops ALL others
# 1394: API proxy: drops ALL capabilities

---

✅ Recommendations

🔴 Critical — Must Fix Immediately

1. Strip newlines from URL patterns before Squid config injection

In src/ssl-bump.ts:parseUrlPatterns() (line 337), add newline sanitization:

export function parseUrlPatterns(patterns: string[]): string[] {
  return patterns.map(pattern => {
    // SECURITY: Strip newlines to prevent Squid config injection
    if (/[\r\n]/.test(pattern)) {
      throw new Error(`URL pattern contains newline characters which could inject Squid configuration: \$\{JSON.stringify(pattern)}`);
    }
    // ... existing logic
  });
}

Additionally add validation in src/cli.ts URL pattern validation loop (around line 1634):

if (/[\r\n]/.test(url)) {
  logger.error(`URL pattern contains invalid newline characters: \$\{JSON.stringify(url)}`);
  process.exit(1);
}

Impact: Prevents complete Squid domain-filter bypass via config injection.

---

🟠 High — Should Fix Soon

2. Explicitly drop ICMP in the container OUTPUT filter chain

Add an ICMP DROP rule to containers/agent/setup-iptables.sh after the UDP DROP rule (line 418):

# Block ICMP (prevents low-bandwidth data exfiltration via ping timing/payload)
iptables -A OUTPUT -p icmp -j DROP

This is belt-and-suspenders alongside the already-dropped NET_RAW capability. Ubuntu's ping binary has cap_net_raw+ep file capability, which may be available in the chroot path even after capsh --drop=NET_RAW if the bounding set removal wasn't applied before exec.

Impact: Closes potential ICMP covert channel / data exfiltration path.

---

🟡 Medium — Plan to Address

3. Add explicit security warning for --enable-dind with firewall bypass documentation

--enable-dind represents a complete, intentional firewall bypass. The current warning in docker-manager.ts:944 is a single logger.warn call. Consider:

• Adding a --confirm-dind-bypasses-firewall required flag to make the bypass intent explicit
• Documenting in docs/ that DinD completely voids the firewall guarantee
• Adding audit log events when DinD is enabled

4. Protect --env-all with secret-name filtering

When --env-all is used, common secret variable names (*_TOKEN, *_KEY, *_SECRET, *_PASSWORD, GITHUB_TOKEN, etc.) should be excluded by default or warned about individually. The current implementation just logs a generic warning.

---

🔵 Low — Nice to Have

5. Increase iptables LOG rate limits for burst detection

The current --limit 5/min --limit-burst 10 (line 409) and --limit 10/min --limit-burst 20 (lines 415, 417) may miss burst firewall probe patterns. Consider increasing burst limits for better audit coverage.

6. Add explicit ICMP blocking in host-level DOCKER-USER chain

The setupHostIptables() function in src/host-iptables.ts does not add an explicit default-deny for ICMP traffic. While the DOCKER-USER chain is focused on TCP/UDP traffic, adding an explicit ICMP drop from the container network would add defense-in-depth.

7. Document the *.*.example.com wildcard validation edge case

The validateDomainOrPattern() function permits *.*.example.com (2 wildcards, 4 segments) since 2 >= 4-1 is false. This is probably fine (it matches any two-label prefix before .example.com), but should be documented explicitly.

---

📈 Security Metrics

Metric	Value
Source files analyzed	7 (cli.ts, domain-patterns.ts, squid-config.ts, ssl-bump.ts, host-iptables.ts, docker-manager.ts, dlp.ts)
Container scripts analyzed	2 (entrypoint.sh, setup-iptables.sh)
npm vulnerabilities	0 (clean audit)
Attack surfaces identified	10
Threats modeled (STRIDE)	9
Critical findings	1 (URL pattern Squid config injection)
High findings	2 (ICMP egress, DinD bypass)
Medium findings	2 (env-all credential leak, Squid URL logging)
Security layers (defense-in-depth)	5 (iptables NAT → Squid ACL → Capability drop → Seccomp → No-new-privs)

AI generated by Daily Security Review and Threat Modeling

• expires on Apr 8, 2026, 2:11 PM UTC