[Security Review] Daily Security Review and Threat Modeling — 2026-03-27

[github-actions[bot]]

📊 Executive Summary

This review analyzed ~28,000 lines of security-critical TypeScript, bash, and C code across the AWF firewall stack. The overall security posture is strong: the architecture implements defense-in-depth with multiple independent control layers (host iptables → container iptables → Squid proxy → capability dropping → seccomp → one-shot token protection). Four actionable findings were identified: one medium severity (IPv6 filter chain gap), two low severity (ICMP tunneling not explicitly blocked; dangerous-ports list divergence), and one informational (wildcard domain over-permissiveness).

No findings from a "Firewall Escape Test Agent" workflow were available — no workflow by that name exists in this repository.

---

🔍 Findings from Firewall Escape Test

The firewall-escape-test workflow does not exist in this repository. The closest available workflows are security-review and secret-digger-*. No prior escape-test results were available to cross-reference.

---

🛡️ Architecture Security Analysis

Network Security Assessment

The network security architecture implements three enforced layers:

Layer 1 — Host iptables (src/host-iptables.ts)

The host creates a dedicated AWF-WRAPPER chain in DOCKER-USER that:

• Allows Squid proxy IP unrestricted egress
• Allows ESTABLISHED,RELATED return traffic
• Allows DNS only to configured upstream servers (default 8.8.8.8, 8.8.4.4)
• Blocks multicast (224.0.0.0/4) and link-local (169.254.0.0/16) — critical for cloud metadata endpoint protection
• Default deny via REJECT --reject-with icmp-port-unreachable

Evidence (src/host-iptables.ts:490-530):

await execa('iptables', ['-t','filter','-A',CHAIN_NAME,'-d','169.254.0.0/16','-j','REJECT','--reject-with','icmp-port-unreachable']);
await execa('iptables', ['-t','filter','-A',CHAIN_NAME,'-d','224.0.0.0/4','-j','REJECT','--reject-with','icmp-port-unreachable']);

Layer 2 — Container iptables (containers/agent/setup-iptables.sh)

Inside the agent container's network namespace:

• Docker DNS rules preserved before flush
• DNAT redirect: all TCP port 80 and 443 → Squid:3128
• Dangerous port list (SSH:22, Telnet:23, SMTP:25, MySQL:3306, PostgreSQL:5432, Redis:6379, MongoDB:27017, etc.) get NAT RETURN → fall through to filter DROP
• IPv4 default deny: iptables -A OUTPUT -p tcp -j DROP and iptables -A OUTPUT -p udp -j DROP

Layer 3 — Squid proxy (src/squid-config.ts)

• Domain allowlist via dstdomain (exact + subdomains) and dstdom_regex (wildcards)
• Protocol-specific restrictions ((redacted) vs https://` vs both)
• Optional DLP URL pattern scanning
• Blocklist domains take precedence over allowlist

DNS Exfiltration Prevention:

• DNS queries are restricted to configured upstream servers via iptables
• Direct DNS to non-whitelisted servers blocked at both container and host levels
• Docker embedded DNS (127.0.0.11) only forwards to configured servers

Container Security Assessment

Capability management (containers/agent/entrypoint.sh:333-345, src/docker-manager.ts:1141-1164):

• Agent gets SYS_CHROOT + SYS_ADMIN at container start (needed for chroot and procfs mount)
• Both capabilities are dropped via capsh --drop=cap_sys_chroot,cap_sys_admin before user code runs
• NET_ADMIN is never granted to the agent — dedicated iptables-init init container handles network setup
• Squid container drops NET_RAW, MKNOD, AUDIT_WRITE, SETFCAP

iptables-init init container (src/docker-manager.ts:1262-1297):

network_mode: service:agent  # Shares agent's netns
cap_add: [NET_ADMIN, NET_RAW]
cap_drop: [ALL]
```
The init container writes `/tmp/awf-init/ready` as a signal, then exits. The agent never holds `NET_ADMIN`.

**Seccomp profile** (`containers/agent/seccomp-profile.json`):
- Default action: `SCMP_ACT_ERRNO` (deny-by-default)
- Explicitly blocks: `ptrace`, `process_vm_readv`, `process_vm_writev`, `kexec_load`, `kexec_file_load`, `reboot`, `init_module`, `finit_module`, `delete_module`, `pivot_root`, `add_key`, `request_key`, `keyctl`
- Allows: large allowlist needed for development tools (git, npm, node, python, java, rust)
- Notable allowances: `unshare`, `setns`, `clone`, `mount`, `open_by_handle_at`, `chroot` (all required for legitimate operation but noted below)

**One-shot token protection** (`containers/agent/one-shot-token/`):
- `LD_PRELOAD` shared library intercepts `getenv()` calls
- Protected tokens: `COPILOT_GITHUB_TOKEN`, `GITHUB_TOKEN`, `GH_TOKEN`, `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `CODEX_API_KEY`, etc.
- First call returns value and clears `/proc/self/environ`; subsequent calls return cached value
- Parent shell unsets tokens 5 seconds after agent start (`entrypoint.sh:676-690`)

**Docker-in-Docker prevention** (`containers/agent/docker-stub.sh`):
```
ERROR: Docker-in-Docker support was removed in AWF v0.9.1

Docker commands inside the container return exit 127.

Domain Validation Assessment

Domain pattern handling (src/domain-patterns.ts) correctly:

• Blocks *, *.*, .*, *. as overly broad
• Blocks patterns where wildcardSegments > 1 AND wildcardSegments >= totalSegments - 1
• Escapes all regex metacharacters except *
• Uses [a-zA-Z0-9.-]* instead of .* to prevent ReDoS
• Anchors all regex with ^ and $

Input Validation Assessment

Port validation (src/squid-config.ts:468-496, setup-iptables.sh:166-178):

• Both TypeScript and bash validate port ranges independently
• Both block DANGEROUS_PORTS from being added via --allow-host-ports
• Bash validation rejects leading zeros to match TypeScript behavior

---

⚠️ Threat Model (STRIDE)

#	Category	Threat	Evidence	Likelihood	Impact	Severity
T1	Info Disclosure	IPv6 filter chain gap — TCP/UDP IPv6 egress unblocked when ip6tables available	setup-iptables.sh: zero ip6tables -A OUTPUT filter rules; IPv4 has explicit DROP	Medium	High	Medium
T2	Info Disclosure	ICMP tunneling not blocked at container level	setup-iptables.sh: only -p tcp and -p udp DROP rules; ICMP unaddressed	Low	Low	Low
T3	Tampering	Dangerous-ports list divergence (CouchDB 5984/6984, InfluxDB 8086/8088, Elasticsearch 9200/9300 blocked in Squid but not in container iptables)	squid-config.ts:14-33 (21 ports) vs setup-iptables.sh:294-310 (15 ports)	Low	Medium	Low
T4	Info Disclosure	*.com-style TLD wildcards pass validation, granting access to all .com domains	domain-patterns.ts:177-183: wildcardSegments > 1 fails for *.com; wildcardToRegex('*.com') → ^[a-zA-Z0-9.-]*\.com$ which matches any .com host	Low	High	Low
T5	Elevation of Privilege	open_by_handle_at + name_to_handle_at allowed in seccomp (Shocker attack primitives)	seccomp-profile.json:lines 152,164	Very Low	High	Informational
T6	Repudiation	Squid logs use Unix timestamps only; no structured JSON log format	src/squid-config.ts:40 (logformat)	Low	Low	Informational
T7	Spoofing	ACTIONS_RUNTIME_TOKEN and ACTIONS_ID_TOKEN not in EXCLUDED_ENV_VARS or AWF_ONE_SHOT_TOKENS	src/docker-manager.ts:467-487; containers/agent/entrypoint.sh:351-376	Low (requires --env-all)	Medium	Low
T8	DoS	brace-expansion ReDoS (CVSS 6.5) in dev dependency chain	npm audit output	Low	Low	Low

---

🎯 Attack Surface Map

Entry Point	File:Line	What It Does	Current Protections	Risk
--allow-domains CLI arg	src/cli.ts, src/domain-patterns.ts	Builds Squid domain ACL	validateDomainOrPattern() blocks *, *.*, multi-wildcard	Low — TLD wildcards like *.com allowed
--env-all CLI flag	src/docker-manager.ts:597-601	Passes all host env vars to container	EXCLUDED_ENV_VARS set; one-shot token LD_PRELOAD; warning logged	Medium — CI secrets like ACTIONS_RUNTIME_TOKEN pass through
--env-file CLI flag	src/docker-manager.ts:641-649	Reads env file, injects into container	EXCLUDED_ENV_VARS checked; no secret scanning of file content	Low
--allow-host-ports	src/squid-config.ts:468-500, setup-iptables.sh:327-354	Opens additional TCP ports to Squid	DANGEROUS_PORTS blocklist; integer validation; range check	Low
Container network (IPv6)	setup-iptables.sh	IPv6 egress traffic	NAT rules only; NO filter DROP rules when ip6tables available	Medium
Container ICMP	setup-iptables.sh:400-407	ICMP packet egress	NOT blocked at container level; partially blocked at host	Low
/tmp mount (rw)	src/docker-manager.ts	Read-write host /tmp access	Path-scoped to agent workdir	Low
Docker socket	containers/agent/docker-stub.sh	Docker command interception	Stub returns exit 127	Very Low
Squid CONNECT for HTTPS	src/squid-config.ts	HTTPS domain enforcement	SNI-based dstdomain ACL; no SSL bump by default	Low — proxy-unaware tools get TLS error not 403
DNS channel	setup-iptables.sh:129-151	DNS query exfiltration	Restricted to configured upstream servers only	Low

---

📋 Evidence Collection

Finding T1: IPv6 Filter Chain Gap

Command: grep "ip6tables -A OUTPUT" containers/agent/setup-iptables.sh

Output: (no results) — zero filter chain rules for IPv6

IPv4 comparison:

iptables -A OUTPUT -p tcp -j DROP   # setup-iptables.sh:405
iptables -A OUTPUT -p udp -j DROP   # setup-iptables.sh:407

IPv6 has only NAT rules (loopback RETURN, ::1 RETURN, DNS RETURN). When ip6tables is available, no filter DROP rule exists for IPv6 TCP/UDP. The default ip6tables OUTPUT policy in a Docker container is ACCEPT, so unfiltered IPv6 egress is possible if the Docker network has IPv6 enabled.

Mitigating factors: Docker does not enable IPv6 by default. If ip6tables is unavailable, IPv6 is disabled via sysctl (net.ipv6.conf.all.disable_ipv6=1) — but this is the fallback path, not the nominal path.

Finding T3: Dangerous-Ports List Divergence

squid-config.ts (21 ports): 22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 5984, 6379, 6984, 8086, 8088, 9200, 9300, 27017, 27018, 28017

setup-iptables.sh (15 ports): 22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 6379, 27017, 27018, 28017

Missing from iptables: CouchDB (5984, 6984), InfluxDB (8086, 8088), Elasticsearch (9200, 9300)

These 6 ports are blocked by Squid ACL but NOT by container iptables NAT/filter rules. If Squid's domain ACL is misconfigured, these ports remain accessible at the iptables level.

Finding T4: TLD Wildcard Permissiveness

Validation logic (domain-patterns.ts:177-183):

if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) {
  throw new Error(`Pattern '\$\{trimmed}' has too many wildcard segments...`);
}
```

**Analysis of `*.com`:**
- `wildcardSegments = 1`, `totalSegments = 2`
- `1 > 1` → **false** → validation passes
- Generated regex: `^[a-zA-Z0-9.-]*\.com$`

**Matches:** `evil.com`, `any.thing.com`, `api.github.com`, `malware.delivery.com` — all `.com` domains

**Note:** This requires a user to deliberately pass `*.com` to `--allow-domains`. The validation's intent is to block truly reckless wildcards like `*` or `*.*`, and TLD wildcards may be intentional in some workflows. However, the documentation does not warn about this behavior.

</details>

<details>
<summary>Finding T7: GitHub Actions Tokens in --env-all</summary>

**`src/docker-manager.ts:517` — AWF_ONE_SHOT_TOKENS:**
```
COPILOT_GITHUB_TOKEN,GITHUB_TOKEN,GH_TOKEN,GITHUB_API_TOKEN,GITHUB_PAT,GH_ACCESS_TOKEN,
OPENAI_API_KEY,OPENAI_KEY,ANTHROPIC_API_KEY,CLAUDE_API_KEY,CODEX_API_KEY
```

**NOT protected:** `ACTIONS_RUNTIME_TOKEN`, `ACTIONS_ID_TOKEN`, `ACTIONS_RESULTS_URL`, `ACTIONS_CACHE_URL`

**Path:** With `--env-all`, `process.env` is iterated. `ACTIONS_RUNTIME_TOKEN` (if set in the runner environment) is NOT in EXCLUDED_ENV_VARS and NOT in the one-shot token list, so it would be passed into the container and remain readable from `/proc/self/environ`.

**Note:** Without `--env-all`, these tokens are not forwarded (only specific vars are forwarded by default), so the exposure only occurs when the user explicitly enables `--env-all`.

</details>

<details>
<summary>npm Audit Results</summary>

```
brace-expansion: moderate (CVSS 6.5) - Zero-step sequence causes process hang/memory exhaustion - fixable
handlebars: moderate (CVSS 4.7) - Prototype pollution leading to XSS via partial template injection - fixable

Both are transitive dev dependencies, not part of the production runtime.

---

✅ Recommendations

🔴 Medium — Plan to Address

1. Add IPv6 filter DROP rules in setup-iptables.sh

When ip6tables is available, add default-deny filter rules to match the IPv4 behavior:

# After existing IPv4 DROP rules (lines 405-407), add:
if [ "$IP6TABLES_AVAILABLE" = true ]; then
  ip6tables -A OUTPUT -p tcp -j DROP
  ip6tables -A OUTPUT -p udp -j DROP
fi

File: containers/agent/setup-iptables.sh after line 407

🟡 Low — Nice to Have

2. Synchronize dangerous-ports lists

Add CouchDB (5984, 6984), InfluxDB (8086, 8088), and Elasticsearch (9200, 9300) to DANGEROUS_PORTS in setup-iptables.sh to match squid-config.ts.

File: containers/agent/setup-iptables.sh:294-310

3. Warn on TLD-style wildcard domains

Add a validation warning (or error) for patterns like *.com, *.io, *.org that match entire TLDs. The wildcardSegments > 1 check needs to also catch single-wildcard TLD patterns:

// After existing wildcardSegments check:
if (wildcardSegments === 1 && segments[0] === '*' && totalSegments === 2) {
  throw new Error(`Pattern '\$\{trimmed}' matches all .\$\{segments[1]} domains and is not allowed`);
}

File: src/domain-patterns.ts:177

4. Add ACTIONS_RUNTIME_TOKEN to one-shot-token protection list

When running in GitHub Actions with --env-all, add Actions-specific tokens to AWF_ONE_SHOT_TOKENS and SENSITIVE_TOKENS in the entrypoint:

// src/docker-manager.ts:517
AWF_ONE_SHOT_TOKENS: '...,ACTIONS_RUNTIME_TOKEN,ACTIONS_ID_TOKEN',

# containers/agent/entrypoint.sh:367 (SENSITIVE_TOKENS array)
"ACTIONS_RUNTIME_TOKEN"
"ACTIONS_ID_TOKEN"

5. Fix npm audit vulnerabilities

npm audit fix

Both brace-expansion and handlebars have available fixes.

ℹ️ Informational

6. Consider blocking ICMP at container level

The container-level iptables only blocks TCP and UDP. Adding ICMP blocking adds defense-in-depth against ICMP tunneling (low practical risk given Docker network isolation):

iptables -A OUTPUT -p icmp -j DROP

7. Document TLD wildcard behavior

If *.com is intentionally allowed, document this behavior prominently so operators understand the scope.

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analyzed	~2,989 (core: iptables, squid config, domain patterns, entrypoint)
Total TypeScript LOC analyzed	~26,193
Attack surfaces identified	10
Threats modeled (STRIDE)	8
Critical findings	0
Medium findings	1
Low findings	4
Informational findings	3
npm vulnerabilities	2 (moderate, fixable)
Defense-in-depth layers	5 (host iptables → container iptables → Squid → capsh → seccomp + LD_PRELOAD)

AI generated by Daily Security Review and Threat Modeling

• expires on Apr 3, 2026, 1:58 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-04-03T13:58:07.454Z.

Closed by Workflow