[Security Review] Daily Security Review – 2026-06-20

[github-actions[bot]]

📊 Executive Summary

Deep evidence-based static security review of gh-aw-firewall at commit 6707484. The firewall implements strong multi-layer controls. Overall posture: GOOD — no critical findings.

Metric	Value
Security-critical lines analysed	~3,027 (8 key files)
High / Medium / Low findings	1 / 3 / 4

---

🔍 Firewall Escape Test Context

Pre-fetched context (/tmp/gh-aw/escape-test-summary.txt) contained GitHub Actions runner metadata from the Secret Digger workflow run 24273493151 (2026-04-11) — not a structured escape-test report. Key signals from that record:

• GH_AW_SECRET_VERIFICATION_RESULT: success — credential isolation validated
• GH_AW_LOCKDOWN_CHECK_FAILED: false — lockdown protections held
• Agent produced only noop outputs — no successful breach

This review fills the static-analysis gap.

---

🛡️ Architecture Security Analysis

Network Security

Strengths (setup-iptables.sh, host-iptables-rules.ts):

• IPv6 disabled via sysctl net.ipv6.conf.all.disable_ipv6=1 — prevents Happy Eyeballs bypass
• HTTP/HTTPS DNAT'd to Squid 172.30.0.10:3128; explicit CONNECT for proxy-aware tools
• 15 dangerous ports (SSH/Telnet/SMTP/RDP/databases/Redis/MongoDB) blocked: NAT RETURN + OUTPUT DROP
• Squid blocks direct IP connections: acl dst_ipv4 dstdom_regex + acl dst_ipv6
• forwarded_for delete + via off prevent container IP leakage
• DNS locked to 127.0.0.11 (Docker embedded); iptables DROP blocks non-configured upstreams

Weakness: http_proxy (lowercase) intentionally absent. HTTP traffic relies solely on iptables DNAT — if the init container NAT rule fails before commit, HTTP egresses unfiltered (very unlikely but not impossible).

Container Security

Strengths (agent-service.ts, entrypoint.sh, seccomp-profile.json):

• NET_ADMIN never granted to agent; iptables setup isolated to awf-iptables-init sidecar
• SYS_CHROOT + SYS_ADMIN dropped via capsh --drop=... before user code runs (entrypoint.sh:run_chroot_command)
• Explicit cap_drop: [NET_RAW, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, MKNOD]
• no-new-privileges:true security_opt
• procfs at /host/proc with hidepid=2 — prevents reading other process /proc/[pid]/environ
• tmpfs overlays over workDir and MCP log dirs prevent agent reading docker-compose.yml (plaintext secrets)
• One-shot token LD_PRELOAD library: caches tokens, then clears them from environ
• Resource limits: mem_limit: 6g, pids_limit: 1000; UID/GID 0 rejected

Weakness: apparmor:unconfined (agent-service.ts:110) — required to allow mount -t proc during startup. AppArmor provides no protection during the startup window before capsh drops SYS_ADMIN.

Domain Validation

Strengths (src/domain-validation.ts, src/squid/domain-acl.ts):

• SQUID_DANGEROUS_CHARS = /[\s\0"';#]/` applied at both parse time and interpolation time
• DOMAIN_DANGEROUS_CHARS additionally blocks backslash
• Over-broad patterns (*, *.*) explicitly rejected
• assertSafeForSquidConfig() called at every interpolation point — defense-in-depth

No weaknesses identified here.

Input Validation

Strengths: execa used with array args throughout — no shell injection. AWF_PREFLIGHT_BINARY validated with ^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$. IPv4 validated with full octet regex. Port ranges reject leading zeros.

Weakness (compose-sanitizer.ts:4):

return /(TOKEN|KEY|SECRET)/i.test(name);

Env vars named PASSWORD, AUTH, CRED, CERT, PW are NOT redacted in diagnostic dumps.

---

⚠️ Threat Model

#	STRIDE	Threat	File:line	Severity
T1	EoP	Agent exploits SYS_ADMIN during AppArmor-unconfined startup window	agent-service.ts:94, entrypoint.sh:run_chroot_command	High
T2	Info Disc.	Diagnostic docker-compose.yml leaks PASSWORD/AUTH/CRED env vars	compose-sanitizer.ts:4	Medium
T3	Bypass	--enable-host-access DNAT bypass skips Squid domain ACL for host traffic on 80/443	setup-iptables.sh:~185	Medium
T4	Info Disc.	HTTP traffic unfiltered if init container NAT commit fails	setup-iptables.sh:~280	Medium
T5	Repudiation	Dangerous-port list duplicated in TS + shell; sync drift leaves port unblocked in one layer	policy-manifest.ts, setup-iptables.sh:228	Low
T6	Repudiation	iptables LOG rate-limit (5/min) misses burst traffic	setup-iptables.sh:296	Low
T7	EoP	AWF_HOST_SERVICE_PORTS bypasses DANGEROUS_PORTS for host gateway	setup-iptables.sh:200	Low
T8	Tamper	Upstream proxy (--upstream-proxy) routes all traffic through attacker-controlled proxy if misconfigured	src/squid/upstream-proxy.ts	Low

---

🎯 Attack Surface Map

Surface	Entry Point	Protections	Residual Risk
HTTP/HTTPS egress	TCP 80/443 agent → internet	iptables DNAT → Squid ACL; IP-literal block; IPv6 disabled	Low
Non-HTTP TCP/UDP	Any port	iptables OUTPUT DROP; 15 dangerous ports listed	Low
DNS exfiltration	UDP/TCP 53	resolv.conf to 127.0.0.11 only; iptables DROP	Low
Container escape via cap	Linux capabilities	NET_ADMIN never granted; caps dropped pre-user-code	Medium (AppArmor window)
Secret leakage via diagnostics	/proc/environ, docker-compose.yml	tmpfs overlay; one-shot token; compose sanitizer	Medium (narrow regex)
Domain injection → Squid config	--allow-domains	SQUID_DANGEROUS_CHARS dual-layer	Low
Host access bypass	--enable-host-access	DNAT bypass to host gateway only; iptables ACCEPT on 80/443	Medium (no domain filter)

---

✅ Recommendations

🟠 High

H1 — Narrow the AppArmor-unconfined + SYS_ADMIN window

Write a minimal AppArmor profile permitting only mount to /host/proc, or drop SYS_ADMIN immediately after the procfs mount inside entrypoint.sh rather than waiting for the user-code capsh invocation. This collapses the window where both SYS_ADMIN and apparmor:unconfined are simultaneously active.

🟡 Medium

M1 — Broaden compose sanitizer pattern (compose-sanitizer.ts:4):

// Recommended:
return /(TOKEN|KEY|SECRET|PASSWORD|PASSWD|AUTH|CREDENTIAL|CRED|CERT|PW)\b/i.test(name);

M2 — Log --enable-host-access domain-bypass prominently at WARN level at container startup and document the trade-off in CLI help text. Operators may not realize domain filtering is bypassed for localhost traffic.

M3 — HTTP_PROXY defense-in-depth: Consider setting http_proxy for non-curl tools while using a curl wrapper or test-flag workaround to avoid the httpoxy/exit-code side effect.

🔵 Low

L1 — Auto-generate the shell dangerous-ports array from the TypeScript constant, or add a CI test asserting parity.

L2 — Raise iptables LOG rates to 60/min --limit-burst 100 for better burst forensics.

L3 — Add troubleshooting note explaining TLS error (proxy-unaware) vs TCP_DENIED (proxy-aware) blocked HTTPS.

L4 — Surface AWF_HOST_SERVICE_PORTS dangerous-port bypass at WARN log level.

---

📈 Security Metrics

Metric	Value
Dangerous ports blocked (iptables)	15
Capabilities dropped on agent	7 (NET_RAW + SYS_PTRACE + SYS_MODULE + SYS_RAWIO + MKNOD + SYS_CHROOT + SYS_ADMIN)
AppArmor status	unconfined (startup window only; SYS_ADMIN dropped before user code)
Seccomp profile	Active (414-line custom profile)
One-shot token clearing	Active (LD_PRELOAD SO)
procfs hidepid	2
Critical / High / Medium / Low	0 / 1 / 3 / 4

Static analysis only — no dynamic escape testing performed in this run.

Generated by Daily Security Review and Threat Modeling · 78.4 AIC · ⊞ 6.9K · ◷

• expires on Jun 27, 2026, 12:59 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens are favorable, and the build should now be judged by the forge.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-27T12:59:08.329Z.

Closed by Workflow