[Security Review] Daily Security Review and Threat Modeling — 2026-03-04

[github-actions[bot]]

📊 Executive Summary

This report covers a comprehensive, evidence-based security review of the gh-aw-firewall repository, conducted against the codebase on 2026-03-04. All findings are backed by specific file paths, line numbers, and command outputs.

Security posture: Moderate — well-layered defense-in-depth with several gaps that should be addressed.

Metric	Value
Lines of security-critical code analyzed	~2,800 (iptables, squid, entrypoint, docker-manager, domain patterns)
Attack surfaces identified	9
Critical findings	1
High findings	2
Medium findings	4
Low findings	3
Open npm vulnerabilities	2 (1 high, 1 moderate)

---

🔍 Context: Previous Firewall Escape Test Agent

No previous run of a dedicated "firewall-escape-test" workflow was found in the repository's workflow definitions. The security-review workflow itself is the primary security analysis mechanism. Log download was unavailable (unauthenticated environment), so this review is based entirely on fresh codebase analysis.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Strengths:

• Defense-in-depth: two independent enforcement layers
  • Container-level (containers/agent/setup-iptables.sh): NAT DNAT redirects HTTP/HTTPS to Squid; TCP DROP default
  • Host-level (src/host-iptables.ts): DOCKER-USER chain via FW_WRAPPER/FW_WRAPPER_V6 rejects non-allowed traffic
• DNS restricted to whitelisted servers only (default: Google DNS 8.8.8.8/8.8.4.4), preventing DNS-over-UDP exfiltration
• Dangerous ports blocked in both Squid ACLs and iptables NAT pre-routing (defense-in-depth)
• Multicast and link-local traffic rejected at host level (224.0.0.0/4, ff00::/8)
• Fixed network topology (172.30.0.0/24) with predictable IPs makes Squid IP bypass hard
• ICMP fully blocked at host level via the FW_WRAPPER default-deny rule 8

Gaps:

• UDP not explicitly blocked at container level (see Finding F3)
• IPv6 fallback when ip6tables is unavailable (see Finding F5)

Container Security Assessment

Strengths:

• NET_ADMIN + SYS_CHROOT + SYS_ADMIN dropped via capsh --drop=cap_net_admin,cap_sys_chroot,cap_sys_admin in entrypoint.sh before any user code runs
• no-new-privileges:true security option prevents SUID/SGID privilege escalation (src/docker-manager.ts:884)
• NET_RAW dropped from both Squid and agent containers, preventing raw socket creation and ping-based exfiltration

Gaps:

• Permissive seccomp profile (see Finding F1 — Critical)
• SYS_ADMIN during initialization phase (see Finding F2)

Domain Validation Assessment

Strengths:

• Overly broad patterns (*, *.*) explicitly rejected (src/domain-patterns.ts:127-135)
• ReDoS mitigation: DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*' used instead of .* in wildcard-to-regex conversion (src/domain-patterns.ts:68-72)
• Max domain length enforced: 512 bytes (src/domain-patterns.ts:248)
• Blocked domains placed before allowed domains in Squid config (correct precedence)

Gaps:

• Multi-wildcard validation edge case (see Finding F6)

Input Validation Assessment

Strengths:

• Shell escaping for single-argument commands: '\$\{arg.replace(/'/g, "'\\''")}' (src/cli.ts:509)
• User UID/GID validated to reject root (0) and system range (0-999) (src/docker-manager.ts:31)
• URL patterns require https:// prefix, path component, and broad-pattern check

Gaps:

• URL pattern injection into Squid config (see Finding F7)

---

⚠️ Findings

F1 — CRITICAL: Permissive Seccomp Profile (Allow-by-Default)

File: containers/agent/seccomp-profile.json

Evidence:

$ python3 -c "
import json
d = json.load(open('containers/agent/seccomp-profile.json'))
print('Default action:', d['defaultAction'])
# → SCMP_ACT_ALLOW
"

The custom seccomp profile uses "defaultAction": "SCMP_ACT_ALLOW" — a blocklist approach where all syscalls are allowed unless explicitly denied. Only 28 syscalls are blocked. Docker's built-in default profile uses the opposite approach: SCMP_ACT_ERRNO (deny-by-default) with an allowlist of ~300+ safe syscalls.

Dangerous syscalls NOT blocked by this profile:

Syscall	Risk
mount	Mount arbitrary filesystems (allowed intentionally for procfs in entrypoint, but remains accessible in user code via seccomp — only CAP_SYS_ADMIN blocks it)
unshare	Create new namespaces; --user namespace doesn't require capabilities on many kernels
clone	With CLONE_NEWNET flag, could create a new network namespace (requires CAP_NET_ADMIN, which IS dropped)
bpf	Load eBPF programs for network interception (requires CAP_BPF or CAP_SYS_ADMIN; blocked by capability drop, but defense-in-depth is weakened)
perf_event_open	Side-channel attacks, Spectre/Meltdown exploitation
userfaultfd	Used in DIRTYCOW-style race conditions
io_uring_setup	io_uring has been a source of container escapes (CVE-2023-2163, others)
setns	Join existing namespaces
kcmp	Compare kernel objects between processes

Why it matters: Although no-new-privileges:true and capability dropping provide compensating controls, the seccomp profile is the primary syscall-level boundary. Replacing Docker's hardened default profile with a permissive one significantly reduces the syscall-level attack surface protection.

Recommendation: Replace the custom profile with either Docker's default profile (by removing the seccomp= security option) or change defaultAction to SCMP_ACT_ERRNO and provide an explicit allowlist of required syscalls.

---

F2 — HIGH: SYS_ADMIN Capability During Container Initialization

File: src/docker-manager.ts:870

cap_add: ['NET_ADMIN', 'SYS_CHROOT', 'SYS_ADMIN'],

The agent container starts with SYS_ADMIN, one of the most powerful Linux capabilities (equivalent to "superuser for the kernel"). It is needed for mounting procfs at /host/proc in entrypoint.sh. However, there is a race condition window between container start and the capsh --drop call in the entrypoint where the full SYS_ADMIN capability is available.

Attack vector: If an attacker can inject code into the container before the capsh drop (e.g., via a malicious Docker image, a compromised base layer, or a vulnerability in the entrypoint initialization steps that run before the drop), they would have SYS_ADMIN access.

Mitigating factors:

• Container images are pulled from GHCR (trusted registry)
• Entrypoint runs as root, then drops to awfuser — standard pattern
• no-new-privileges:true prevents SUID escalation after drop

Recommendation: Consider using a minimal setup container that only mounts the procfs, then use nsenter or Docker's --init to avoid needing SYS_ADMIN in the main agent container. At minimum, document this as a known risk in the security documentation.

---

F3 — HIGH: npm Dependency Vulnerabilities

Evidence:

$ npm audit
# minimatch  10.0.0 - 10.2.2
# Severity: HIGH
# minimatch has ReDoS: matchOne() combinatorial backtracking
# GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74
# fix available via npm audit fix
#
# ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
# Severity: moderate
# ajv has ReDoS when using $data option - GHSA-2g4f-4pwh-qvx6

minimatch (used by development tooling) has two ReDoS vulnerabilities. While these are in dev dependencies (commitlint), they run in CI pipelines and could affect automated workflows.

Recommendation: Run npm audit fix to resolve both. This is a low-effort fix.

---

F4 — MEDIUM: UDP Not Explicitly Blocked at Container Level

File: containers/agent/setup-iptables.sh:293

# Container OUTPUT filter chain — only blocks TCP:
iptables -A OUTPUT -p tcp -j DROP
# No corresponding: iptables -A OUTPUT -p udp -j DROP

The container's iptables OUTPUT filter only drops TCP. Non-DNS UDP traffic (ports other than 53) is not blocked at the container iptables level. UDP-based protocols (e.g., QUIC/HTTP3 on port 443 UDP, NTP, SNMP, custom UDP exfiltration channels) would bypass the container-level firewall.

Mitigating factor: The host-level FW_WRAPPER chain (src/host-iptables.ts:479-491) does block all other UDP. However, this creates a single point of enforcement for UDP — if the host chain were to fail, be bypassed, or not set up before container traffic flows, UDP would be unrestricted.

Recommendation: Add a UDP DROP rule in setup-iptables.sh after the DNS ACCEPT rules:

# After DNS allow rules and before end of script
iptables -A OUTPUT -p udp -j DROP

---

F5 — MEDIUM: IPv6 Egress Uncontrolled When ip6tables Unavailable

File: containers/agent/setup-iptables.sh (multiple IPv6 guards)

if [ "$IP6TABLES_AVAILABLE" = true ]; then
  # ... IPv6 rules
else
  echo "[iptables] WARNING: ip6tables is not available, IPv6 rules will be skipped"
fi

When ip6tables is unavailable inside the container, all IPv6 outbound traffic bypasses the Squid proxy and is not subject to domain whitelisting. An attacker who knows the IPv6 address of a target can make unrestricted outbound connections.

Context: The host-level FW_WRAPPER_V6 chain provides some protection if ip6tables is available at the host level. However, if both container and host lack ip6tables, IPv6 is completely unrestricted.

Recommendation: If ip6tables is unavailable, the container should either:

1. Block all IPv6 output using ip6tables (fail-safe)
2. Or disable IPv6 in the container network configuration via sysctl -w net.ipv6.conf.all.disable_ipv6=1

---

F6 — MEDIUM: Wildcard Domain Validation Edge Case

File: src/domain-patterns.ts:164-170

const wildcardSegments = segments.filter(s => s === '*').length;
const totalSegments = segments.length;

if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) {
  throw new Error(`Pattern '\$\{trimmed}' has too many wildcard segments ...`);
}

A pattern like *.b.*.d.com has wildcardSegments=2, totalSegments=5. The check evaluates: 2 > 1 (true) AND 2 >= 4 (false) → pattern is accepted. This pattern would match anything.b.anything.d.com — a very broad domain set.

Recommendation: Tighten the validation to reject patterns with more than one wildcard segment:

if (wildcardSegments > 1) {
  throw new Error(`Pattern '\$\{trimmed}' has multiple wildcard segments and is not allowed`);
}

---

F7 — MEDIUM: URL Pattern Values Embedded in Squid Config Without Sanitization

File: src/squid-config.ts:117-120

const urlAcls = urlPatterns
  .map((pattern, i) => `acl allowed_url_\$\{i} url_regex \$\{pattern}`)
  .join('\n');

URL patterns from --allow-urls are embedded directly into the Squid configuration as url_regex ACL values. While basic validation occurs (must start with https://, must have a path, broad pattern rejection), Squid-specific injection characters (newlines, null bytes, config directives) are not sanitized. A crafted pattern like https://github.com/org/*\nhttp_access allow all could inject Squid directives if the newline check is incomplete.

Evidence: The validation in src/cli.ts:1004-1034 checks for broad patterns (.*) and path presence, but does not sanitize \n, \r, or other config-breaking characters.

Recommendation: Sanitize URL patterns to strip non-printable characters and newlines before embedding them in Squid config:

const sanitized = pattern.replace(/[\r\n\0]/g, '');

---

F8 — LOW: Container-Level Logs May Not Capture All UDP Blocked Events

File: containers/agent/setup-iptables.sh — no UDP LOG rule

The container's iptables does not include LOG rules for blocked UDP (since UDP blocking is handled at the host level). This means UDP blocking events only appear in host-level kernel logs (dmesg), not in container-accessible logs. For forensics, UDP exfiltration attempts would require host log access.

---

F9 — LOW: Predictable Work Directory Pattern

File: src/cli.ts:707

path.join(os.tmpdir(), `awf-\$\{Date.now()}`)

The work directory follows a predictable timestamp-based pattern (/tmp/awf-(milliseconds)). A malicious process running on the same host could predict or race to create/modify the work directory before AWF writes its configuration files, potentially injecting malicious squid.conf or docker-compose.yml content.

Mitigating factors: Requires local host access (same privilege level), and container file integrity checks during startup would catch obvious tampering.

Recommendation: Use crypto.randomUUID() or a cryptographically random suffix instead of Date.now().

---

⚠️ Threat Model (STRIDE)

Threat	Category	Vector	Likelihood	Impact	Severity	Mitigated By
DNS exfiltration via unauthorized server	Info Disclosure	UDP/TCP to non-whitelisted DNS	Low	Medium	Medium	Trusted DNS allowlist + UDP block
IPv6 bypass when ip6tables unavailable	Info Disclosure	Direct IPv6 outbound	Medium	High	High	Host-level ip6tables (when available)
ICMP tunneling	Info Disclosure	ICMP echo to external	Low	Medium	Medium	Host FW_WRAPPER default-deny rule 8
UDP-based exfiltration	Info Disclosure	UDP to non-DNS server	Medium	High	High	Host-level FW_WRAPPER UDP block
Wildcard domain bypass	Spoofing	Broad *.x.*.y.com pattern	Low	Medium	Medium	F6 validation edge case
Squid config injection via URL pattern	Tampering	\n in --allow-urls value	Low	High	Medium	Basic validation exists
Seccomp bypass via allowed syscalls	Elevation	io_uring, bpf, userfaultfd	Low-Medium	High	High	Capability drops (post-setup)
SYS_ADMIN exploit during initialization	Elevation	Malicious entrypoint hook	Very Low	Critical	High	GHCR image provenance
Work dir race condition	Tampering	/tmp/awf-(timestamp)	Very Low	High	Low	Requires local host access
ReDoS via minimatch	DoS	Malformed glob pattern in CI	Very Low	Low	Low	Dev dependency only

---

🎯 Attack Surface Map

#	Entry Point	Location	What It Does	Current Protections	Risk
1	--allow-domains CLI flag	src/cli.ts:870	Domain whitelist input	validateDomainOrPattern(), regex escaping	Low
2	--allow-urls CLI flag	src/cli.ts:989-1040	URL pattern for Squid regex ACL	Basic format validation, broad-pattern check	Medium (F7)
3	--allow-host-ports	src/cli.ts:778	Opens ports to host gateway	Dangerous port list, --enable-host-access required	Low
4	Container iptables OUTPUT chain	setup-iptables.sh:293	TCP drop, NAT to Squid	TCP DROP; UDP not dropped at container level	Medium (F4)
5	Host DOCKER-USER chain	src/host-iptables.ts	Egress filtering for all containers	Default-deny with specific allows	Low
6	Squid proxy ACL rules	src/squid-config.ts	Domain + port filtering	dstdomain + dstdom_regex, DANGEROUS_PORTS list	Low
7	Seccomp profile	containers/agent/seccomp-profile.json	Syscall filtering	28-syscall blocklist (weak)	Critical (F1)
8	Container capabilities	src/docker-manager.ts:870,884	Privilege controls	capsh drop + no-new-privileges	High (F2)
9	IPv6 egress	setup-iptables.sh	IPv6 traffic control	Conditional (ip6tables availability)	Medium (F5)

---

✅ Recommendations (Prioritized)

🔴 Critical — Address Immediately

1. Replace permissive seccomp profile with a deny-by-default allowlist

Option A (simplest): Remove the custom seccomp profile and rely on Docker's hardened default:

• Remove seccomp=\$\{config.workDir}/seccomp-profile.json from security_opt in src/docker-manager.ts:885

Option B (preserve custom blocks): Change defaultAction to SCMP_ACT_ERRNO and add an allowlist:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    { "names": ["read", "write", "open", "close", "...300+ safe syscalls..."], "action": "SCMP_ACT_ALLOW" }
  ]
}

Docker's default profile can be used as a starting point and the specific blocks for ptrace, keyctl, etc. preserved as additional hardening.

---

🟠 High — Address Soon

2. Add UDP DROP at container iptables level (containers/agent/setup-iptables.sh)

After the DNS ACCEPT rules (line ~280), add before the TCP DROP:

# Block all non-DNS UDP traffic
iptables -A OUTPUT -p udp -j DROP

3. Fix IPv6 handling when ip6tables unavailable (containers/agent/setup-iptables.sh)

Add a hard-fail or sysctl disable when ip6tables is unavailable:

else
  echo "[iptables] WARNING: ip6tables not available. Disabling IPv6 to prevent bypass..."
  sysctl -w net.ipv6.conf.all.disable_ipv6=1 2>/dev/null || true
  sysctl -w net.ipv6.conf.default.disable_ipv6=1 2>/dev/null || true
fi

4. Update vulnerable npm dependencies (root directory)

npm audit fix

This resolves both minimatch (high, ReDoS) and ajv (moderate, ReDoS).

---

🟡 Medium — Plan to Address

5. Tighten multi-wildcard domain validation (src/domain-patterns.ts:164-170)

// Replace current check with:
if (wildcardSegments > 1) {
  throw new Error(`Pattern '\$\{trimmed}' has multiple wildcard segments and is not allowed`);
}

6. Sanitize URL patterns for Squid config injection (src/squid-config.ts:117-120)

const sanitized = pattern.replace(/[\r\n\0\t]/g, '');
const urlAcls = urlPatterns
  .map((pattern, i) => `acl allowed_url_\$\{i} url_regex \$\{sanitized}`)

---

🟢 Low — Nice to Have

7. Use cryptographically random work directory suffix (src/cli.ts:707)

import { randomBytes } from 'crypto';
// Replace: `awf-\$\{Date.now()}`
// With:
`awf-\$\{randomBytes(8).toString('hex')}`

8. Add container-level UDP logging (containers/agent/setup-iptables.sh)

Before the UDP DROP rule, add a LOG rule for forensic visibility:

iptables -A OUTPUT -p udp -j LOG --log-prefix "[FW_BLOCKED_UDP_CONTAINER] " --log-level 4

9. Document SYS_ADMIN initialization risk in security documentation

Add an explicit note in docs/ explaining the SYS_ADMIN capability window during initialization and the compensating controls that make it safe.

---

📋 Evidence Collection

Seccomp profile analysis

$ python3 -c "
import json
d = json.load(open('containers/agent/seccomp-profile.json'))
print('Default action:', d['defaultAction'])         # SCMP_ACT_ALLOW
blocked = [s for sc in d['syscalls'] for s in sc['names'] if sc['action']=='SCMP_ACT_ERRNO']
print('Blocked:', sorted(blocked))
# → acct, add_key, create_module, delete_module, finit_module, get_kernel_syms,
#   init_module, kexec_file_load, kexec_load, keyctl, nfsservctl, personality,
#   pivot_root, process_vm_readv, process_vm_writev, ptrace, query_module,
#   reboot, request_key, swapoff, swapon, sysfs, syslog, umount, umount2,
#   uselib, ustat, vhangup

# Notable unblocked dangerous syscalls:
# mount, unshare, clone, bpf, perf_event_open, userfaultfd, io_uring_setup, setns, kcmp
"

npm audit output

$ cd /home/runner/work/gh-aw-firewall/gh-aw-firewall && npm audit 2>&1
# ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
# Severity: moderate — ReDoS (GHSA-2g4f-4pwh-qvx6)
# fix available via npm audit fix

# minimatch  10.0.0 - 10.2.2
# Severity: high — ReDoS GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74
# fix available via npm audit fix

# 2 vulnerabilities (1 moderate, 1 high)

Container iptables OUTPUT chain (UDP gap)

# From containers/agent/setup-iptables.sh lines 265-293:
# OUTPUT filter chain rules:
iptables -A OUTPUT -o lo -j ACCEPT
# DNS rules for each trusted server:
iptables -A OUTPUT -p udp -d "$dns_server" --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$dns_server" --dport 53 -j ACCEPT
# Docker embedded DNS:
iptables -A OUTPUT -p udp -d 127.0.0.11 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d 127.0.0.11 --dport 53 -j ACCEPT
# Squid:
iptables -A OUTPUT -p tcp -d "$SQUID_IP" -j ACCEPT
# FINAL RULE — ONLY DROPS TCP, NOT UDP:
iptables -A OUTPUT -p tcp -j DROP
# ← No: iptables -A OUTPUT -p udp -j DROP

Host FW_WRAPPER chain structure

# From src/host-iptables.ts (IPv4 chain FW_WRAPPER):
# 1. Allow established/related connections
# 2. Allow loopback traffic
# 3. Allow Squid IP traffic
# 4. Allow DNS UDP/TCP to trusted servers
# 5. Allow API proxy ports (if enabled)
# 6. Block multicast (224.0.0.0/4)
# 7. Block all other UDP → REJECT --reject-with icmp-port-unreachable
# 8. Default deny all other traffic → REJECT --reject-with icmp-port-unreachable
# (ICMP is caught by rule 8, not explicitly allowed → blocked)

Wildcard validation logic

// src/domain-patterns.ts:164-170
const segments = trimmed.split('.');
const wildcardSegments = segments.filter(s => s === '*').length;
const totalSegments = segments.length;

// Pattern: *.b.*.d.com → wildcardSegments=2, totalSegments=5
// Check: (2 > 1) && (2 >= 5-1=4) → true && false → NOT thrown
// Result: *.b.*.d.com is ACCEPTED (unintended broad pattern)
if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) {
  throw new Error(`Pattern '\$\{trimmed}' has too many wildcard segments ...`);
}

---

📈 Security Metrics

• Lines of security-critical code analyzed: ~2,800
• Attack surfaces identified: 9
• Defense layers verified: 2 (container iptables + host DOCKER-USER chain)
• Total findings: 9 (1 critical, 2 high, 4 medium, 2 low)
• Findings with immediate fix available: 3 (F3: npm audit fix, F4: add UDP DROP, F7: sanitize URL patterns)
• Compensating controls for Critical finding: 2 (no-new-privileges:true, capability dropping via capsh)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 11, 2026, 1:51 PM UTC