[isolation] [Network Isolation] host.docker.internal HTTP reachable outside Squid ACL path #1756

@github-actions

Summary
A network-boundary differential was observed where --noproxy HTTP requests to host-gateway endpoints (172.17.0.1 / host.docker.internal) returned a non-Squid service response, while other --noproxy HTTP/HTTPS egress remained intercepted by Squid behavior. This indicates a potential bypass surface for host-gateway traffic.

Environment

  • Repository: github/gh-aw-firewall
  • Workflow run: 24095296594
  • gh-aw version: cli_version field not present in lock metadata; context value GH_AW_INFO_CLI_VERSION=v0.67.2
  • Compiler metadata from lock: compiler_version=v0.67.2

Methodology (sanitized)

  • Focused deep dive on network isolation only (interfaces/routes, socket inventory, metadata endpoint behavior, gateway reachability, no-proxy path differentials)
  • Collected headers/status only for HTTP probes (-D - -o /dev/null), with no sensitive payload extraction

Reproduction

  1. Control probe showing expected interception behavior for public target:

```shell
curl --noproxy '*' -m 4 -sS -D - -o /dev/null (example.com/redacted) | sed -n '1,12p'
```

Observed: Server: squid/6.14 and X-Squid-Error: ERR_INVALID_URL.

  2. Probe host-gateway endpoint:

```shell
curl --noproxy '*' -m 4 -sS -D - -o /dev/null (172.17.0.1/redacted) | sed -n '1,12p'
curl --noproxy '*' -m 4 -sS -D - -o /dev/null (host.docker.internal/redacted) | sed -n '1,12p'
```

Observed: non-Squid response (HTTP/1.1 404 Not Found, Content-Type: text/plain; charset=utf-8, no Squid headers).

  3. Differential context:
  • Link-local metadata probes (169.254.169.254, 169.254.170.2, 100.100.100.200, 168.63.129.16) returned Squid 400 ERR_INVALID_URL headers (intercepted path).
  • Host gateway 172.17.0.1:80 remained reachable and fingerprinted to a non-Squid responder.

Security concern
If host-gateway traffic can bypass the expected Squid enforcement path, agent workloads may be able to reach host-adjacent services not governed by domain ACL policy. Even with a 404 in this run, the reachability itself is a boundary concern and may expose environment-specific attack surface.

Recommended follow-up

  • Verify iptables DNAT/OUTPUT handling for traffic targeting host-gateway addresses (172.17.0.1, host.docker.internal, and equivalent bridge/gateway IPs).
  • Add explicit deny/redirect policy for host-gateway destinations unless explicitly required.
  • Add integration test asserting that --noproxy requests to host-gateway endpoints are either blocked or Squid-mediated with expected ACL behavior.
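One shape the suggested integration test could take, as an added example that is not part of gh-aw-firewall: a bash check that runs the same `--noproxy` probe as the report against the host-gateway destinations and classifies each answer as Squid-mediated, blocked (no HTTP response), or a non-Squid responder. The `classify_headers`, `probe_endpoint` and `check_host_gateway` names and the embedded header samples are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the gh-aw-firewall project.
# Classifies curl -D - header output to detect a non-Squid responder.

# classify_headers reads raw response headers on stdin and prints one of:
#   squid - carries a Squid Server/X-Squid-Error header (ACL-mediated path)
#   other - an HTTP response arrived with no Squid fingerprint (bypass)
#   none  - no response at all (connection refused/dropped, i.e. blocked)
classify_headers() {
  local hdrs
  hdrs=$(cat)
  if [ -z "$hdrs" ]; then
    printf 'none\n'
  elif printf '%s\n' "$hdrs" | grep -qiE '^(Server: *squid|X-Squid-Error:)'; then
    printf 'squid\n'
  else
    printf 'other\n'
  fi
}

# probe_endpoint runs the report's probe against one target and classifies it.
# Returns 0 when the target is blocked or Squid-mediated, 1 on a bypass.
probe_endpoint() {
  local target=$1 verdict
  verdict=$(curl --noproxy '*' -m 4 -sS -D - -o /dev/null "http://$target/" 2>/dev/null \
    | classify_headers)
  printf '%s %s\n' "$target" "$verdict"
  [ "$verdict" != other ]
}

# check_host_gateway walks the host-gateway destinations named in the report;
# non-zero exit means at least one answered without Squid in the path.
check_host_gateway() {
  local rc=0 t
  for t in 172.17.0.1 host.docker.internal; do
    probe_endpoint "$t" || rc=1
  done
  return "$rc"
}

# Constructed samples mirroring the two responses observed in the report.
SAMPLE_SQUID=$'HTTP/1.1 400 Bad Request\r\nServer: squid/6.14\r\nX-Squid-Error: ERR_INVALID_URL 0\r\n'
SAMPLE_BYPASS=$'HTTP/1.1 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n'

# self_check verifies the classifier offline against the samples above.
self_check() {
  [ "$(printf '%s' "$SAMPLE_SQUID" | classify_headers)" = squid ] &&
  [ "$(printf '%s' "$SAMPLE_BYPASS" | classify_headers)" = other ] &&
  [ "$(printf '' | classify_headers)" = none ]
}
```

Run `check_host_gateway` inside the sandbox to exercise the live probe; `self_check` only validates the classifier against the embedded samples.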

Generated by Secret Digger (Codex) · expires on Apr 8, 2026, 5:40 PM UTC
