[Security Review] Daily Security Review — 2026-03-06

[github-actions[bot]]

📊 Executive Summary

A comprehensive, evidence-based security review of the gh-aw-firewall repository was conducted on 2026-03-06. The review analysed 3,009 lines of security-critical code across the iptables management layer, Squid proxy configuration, container entrypoint, domain-pattern validation, and the one-shot-token LD_PRELOAD library.

Overall posture: Strong. The defence-in-depth architecture (host iptables → Squid ACL → capability dropping → token isolation) is well-designed. Three low-to-medium findings were identified; none allow remote exploitation without physical access to the CLI flags. No critical vulnerabilities were found, and the npm dependency audit returned 0 vulnerabilities.

---

🔍 Findings from Previous Security Runs

No recent runs of firewall-escape-test or secret-digger workflows were reachable via the agentic-workflow log API during this run (tool returned exit status 1). Analysis relies solely on static code review and local command evidence.

---

🛡️ Architecture Security Analysis

Network Security Assessment — ✅ Strong

Evidence commands:

cat containers/agent/setup-iptables.sh
cat src/host-iptables.ts

Finding: Firewall rule ordering is correct. Host-level DOCKER-USER → custom FW_WRAPPER chain → Squid ACLs form a coherent multi-layer stack.

Key observations:

• iptables rules properly ALLOW Squid egress before applying blanket REJECT (line ~290 host-iptables.ts).
• DNS exfiltration is prevented: only explicitly listed trusted servers (default 8.8.8.8, 8.8.4.4) can receive port-53 traffic; all other UDP is REJECTed ([FW_BLOCKED_UDP] prefix).
• IPv6 fall-through is blocked: when ip6tables is unavailable, IPv6 is disabled via sysctl net.ipv6.conf.all.disable_ipv6=1 (src/host-iptables.ts:96–100, containers/agent/setup-iptables.sh:33–37).
• Dangerous port list is enforced at both Squid (L7) and iptables NAT (L3/L4) levels.

⚠️ Finding 1 — Medium: Blanket ICMPv6 ACCEPT in IPv6 chain

// src/host-iptables.ts:395-404
// 3. Allow essential ICMPv6 (required for IPv6 functionality)
await execa('ip6tables', [
  '-t', 'filter', '-A', CHAIN_NAME_V6,
  '-p', 'ipv6-icmp',
  '-j', 'ACCEPT',
]);

When the user specifies IPv6 DNS servers (e.g., --dns-servers 2001:4860:4860::8888), the IPv6 chain is created and ALL ICMPv6 message types are allowed. This includes:

• Type 128/129 (echo request/reply) — usable for ICMP tunnel exfiltration (ping-tunnel, icmptunnel, etc.)
• Type 133-137 (Neighbour/Router Discovery) — could allow rogue RA injection

ICMP tunneling tools can carry arbitrary payloads over ICMP echo, completely bypassing Squid domain filtering. The risk is limited to networks that route IPv6, but the control should be tightened.

Recommended fix — replace the blanket accept with specific types:

// Allow only essential ICMPv6 types (NOT echo request/reply which enable tunneling)
const essentialIcmpv6Types = [
  1,   // Destination Unreachable
  2,   // Packet Too Big (required for PMTU)
  3,   // Time Exceeded
  135, // Neighbor Solicitation (NDP)
  136, // Neighbor Advertisement (NDP)
];
for (const type of essentialIcmpv6Types) {
  await execa('ip6tables', ['-t','filter','-A',CHAIN_NAME_V6,'-p','ipv6-icmp','--icmpv6-type',type.toString(),'-j','ACCEPT']);
}

---

Container Security Assessment — ✅ Strong with one observation

Evidence commands:

grep -n "cap_drop\|cap_add\|security_opt\|no-new-priv" src/docker-manager.ts
python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); print(d['defaultAction']); [print('BLOCKED:',r['names']) for r in d['syscalls'] if r['action']=='SCMP_ACT_ERRNO']"
```

Output:
```
SCMP_ACT_ALLOW
BLOCKED: ['ptrace', 'process_vm_readv', 'process_vm_writev']
BLOCKED: ['kexec_load', 'kexec_file_load', 'reboot', 'init_module', 'finit_module', ... 'pivot_root', ...]
BLOCKED: ['umount', 'umount2']

⚠️ Finding 2 — Low: Seccomp profile uses allow-by-default with a narrow blocklist

The seccomp profile (containers/agent/seccomp-profile.json) has defaultAction: SCMP_ACT_ALLOW and only explicitly blocks 3 groups. The following dangerous syscalls are not blocked:

• unshare / clone (user namespace creation — can be used to gain faux-root inside a new namespace)
• mount (blocked by capability, but not by seccomp)
• chroot (blocked by CAP_SYS_CHROOT drop in chroot mode; open otherwise)

Mitigating factors that reduce severity:

• no-new-privileges:true is set (src/docker-manager.ts:884)
• CAP_SYS_ADMIN is dropped by capsh before user code runs (entrypoint.sh:278)
• NET_ADMIN, SYS_PTRACE, SYS_MODULE, MKNOD, SYS_RAWIO are in the container-level cap_drop list
• pivot_root is blocked by seccomp

Recommendation: Adopt a deny-by-default seccomp profile (based on Docker's default allowlist) rather than an allow-by-default profile. At minimum, add unshare, clone3, chroot, and mount to the SCMP_ACT_ERRNO list.

AppArmor note: The agent container runs apparmor:unconfined (src/docker-manager.ts:886). This is necessary to allow procfs mounting (mount -t proc), which is needed by .NET, JVM, and other runtimes. The comment notes that SYS_ADMIN is dropped before user code, limiting the practical window of exposure.

---

Domain Validation Assessment — ✅ Excellent

Evidence command:

cat src/domain-patterns.ts | grep "validateDomainOrPattern\|wildcardToRegex\|DOMAIN_CHAR_PATTERN"

Key strengths:

• ReDoS-safe regex: wildcards convert to [a-zA-Z0-9.-]* (not .*) — src/domain-patterns.ts:83
• Overly-broad patterns rejected: *, *.*, patterns with >50% wildcard segments — src/domain-patterns.ts:155–178
• Input length capped at 512 before regex matching — src/domain-patterns.ts:248
• Protocol-specific restrictions ((redacted) https://`) properly handled

---

Input Validation — URL Pattern Injection

Evidence:

# Simulate parseUrlPatterns with embedded newline
python3 -c "
import re
pattern = 'https://github.com/myorg/*\nhttp_access allow all'
p = pattern.replace('/\$', '')
placeholder = chr(0) + 'WILDCARD' + chr(0)
p = p.replace('.*', placeholder)
p = re.sub(r'[.+?^\\$\{}()|\[\]\\\\]', lambda m: '\\\\\\\\' + m.group(), p)
p = p.replace('*', '[^\\\\\\\\s]*')
print('Contains newline:', chr(10) in p)
print('Result:', repr(p))
"
# Output: Contains newline: True

⚠️ Finding 3 — Low: URL pattern newline injection into squid.conf

The parseUrlPatterns function in src/ssl-bump.ts:313–338 does not strip newline characters from URL patterns. If a pattern containing \n is passed via --allow-urls, the generated squid.conf would contain injected directives.

Exploitation path:

1. Attacker controls the --allow-urls CLI flag
2. Passes a pattern like https://github.com/org/*\nhttp_access allow all
3. This injects http_access allow all into squid.conf, bypassing all domain restrictions

Severity: LOW — requires the attacker to directly invoke the AWF CLI with crafted flags. Typical AI agent workloads do not control CLI flags. However, if AWF CLI flags are assembled from untrusted input (e.g., a YAML template that interpolates user-supplied values), this could elevate to HIGH.

The parseDomains helper used to split --allow-urls (src/cli.ts:995) does call .trim() which strips leading/trailing whitespace, but internal newlines survive.

Recommended fix: Add a newline/control-character check in URL pattern validation:

// In cli.ts, URL pattern validation block (~line 1005):
if (/[\r\n\x00-\x1f]/.test(url)) {
  logger.error(`URL pattern "\$\{url}" contains illegal control characters`);
  process.exit(1);
}
```

---

## ⚠️ Threat Model

| # | Threat (STRIDE) | Attack Vector | Likelihood | Impact | Mitigations |
|---|---|---|---|---|---|
| T1 | **Info Disclosure** — ICMP tunnel over IPv6 | IPv6 network + ICMPv6 ACCEPT rule | Low (requires IPv6 DNS config) | High (full data exfil) | IPv6 disabled by default; only active when user specifies IPv6 DNS |
| T2 | **Elevation of Privilege** — User namespace escape | `unshare -r` → faux-root → capability confusion | Low (no SYS_ADMIN in user code) | Medium | `no-new-privileges`, `cap_drop` in `capsh`, `pivot_root` blocked |
| T3 | **Tampering** — squid.conf injection via URL pattern | Malicious `--allow-urls` flag | Low (requires CLI access) | High (all traffic allowed) | Requires `--ssl-bump`; user already has shell access |
| T4 | **Info Disclosure** — Token leak via static binary | Statically-linked binary bypasses LD_PRELOAD | Medium (Go/Rust tools common) | Medium (token exposure in memory, not exfiltrated) | Network blocks exfiltration; documented limitation |
| T5 | **Info Disclosure** — Task-level /proc environ | `/proc/PID/task/TID/environ` | Low (requires same-container process) | Low | Token cleared from main environ; one-shot-token logs warnings |
| T6 | **DoS** — Resource exhaustion | Process fork bomb inside container | Medium | Medium | `pids_limit: 1000`, `mem_limit: 4g` (`docker-manager.ts:889–891`) |
| T7 | **Repudiation** — Log tampering | Agent writes to squid-logs mount | Low (read-only access needed) | Low | Logs owned by `proxy` user (container), agent runs as `awfuser` |
| T8 | **Spoofing** — DNS poisoning to whitelist bypass | Compromise of Google DNS (8.8.8.8) | Very Low | High | Squid connects to resolved IPs; SNI checked independently |

---

## 🎯 Attack Surface Map

| Entry Point | File:Line | What It Does | Current Protections | Risk |
|---|---|---|---|---|
| `--allow-domains` | `src/cli.ts:920–930` | Domains added to Squid ACL | `validateDomainOrPattern()`, ReDoS-safe regex | Low |
| `--allow-urls` | `src/ssl-bump.ts:313` | Patterns embedded in squid.conf | Dangerous-pattern checks; **no newline strip** | Low→Med |
| `--allow-host-ports` | `src/squid-config.ts:484` | Ports added to Safe_ports ACL | `sanitizedPort.replace(/[^0-9-]/g, '')` | Low |
| `--dns-servers` | `src/cli.ts:849` | Controls DNS whitelist | IPv4/v6 address validation | Low |
| `AWF_USER_UID` env | `src/docker-manager.ts:44–59` | Sets container UID | `validateIdNotInSystemRange` (min 1000) | Low |
| `agentCommand` (Docker) | `src/docker-manager.ts:896` | Shell command in container | `$`→`$$` escape for Compose interpolation only | By-design |
| IPv6 ICMPv6 chain | `src/host-iptables.ts:395–404` | Controls IPv6 exit traffic | None for echo request/reply | Medium |
| Seccomp profile | `containers/agent/seccomp-profile.json` | Syscall filtering | 3 rule groups, allow-by-default | Low |
| LD_PRELOAD (one-shot-token) | `containers/agent/one-shot-token/` | Token env isolation | Intercepts `getenv`/`secure_getenv` | Low (documented bypass) |
| `/dev/null` credential overlays | `src/docker-manager.ts:755–800` | Hide credential files | 15 specific file paths hidden | Low |

---

## 📋 Evidence Collection

<details>
<summary>npm audit — 0 vulnerabilities</summary>

```
Command: cd /home/runner/work/gh-aw-firewall/gh-aw-firewall && npm audit
Output: found 0 vulnerabilities
```
</details>

<details>
<summary>DANGEROUS_PORTS comparison — Squid vs iptables</summary>

```
Command: diff <(grep ports in squid-config.ts) <(grep ports in setup-iptables.sh)

squid-config.ts ports (22 total): 22, 23, 25, 110, 143, 445, 1433, 1521, 3306,
  3389, 5432, 5984, 6379, 6984, 8086, 8088, 9200, 9300, 27017, 27018, 28017

setup-iptables.sh ports (15 total): 22, 23, 25, 110, 143, 445, 1433, 1521,
  3306, 3389, 5432, 6379, 27017, 27018, 28017

Missing from iptables DANGEROUS_PORTS:
  5984 (CouchDB), 6984 (CouchDB SSL), 8086 (InfluxDB HTTP), 8088 (InfluxDB RPC),
  9200 (Elasticsearch HTTP), 9300 (Elasticsearch transport)

Risk: LOW — these ports are NOT redirected to Squid (no DNAT rule) AND hit the
  default DROP rule in the OUTPUT filter chain. They are blocked by the final
  `iptables -A OUTPUT -p tcp -j DROP` rule regardless.
```
</details>

<details>
<summary>Seccomp profile analysis</summary>

```
Command: python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); ..."
Output:
  Default action: SCMP_ACT_ALLOW
  BLOCKED syscalls (3 groups):
    - ptrace, process_vm_readv, process_vm_writev
    - kexec_load, kexec_file_load, reboot, init_module, ... pivot_root, ...
    - umount, umount2
  
  NOT blocked: unshare, clone, mount, chroot
```
</details>

<details>
<summary>URL pattern newline injection PoC</summary>

```
Command: python3 newline simulation
Pattern input:  'https://github.com/myorg/*\nhttp_access allow all'
Result in squid.conf:
  acl allowed_url_0 url_regex ^(github/redacted)\.com/myorg/[^\s]*
  http_access allow all
  $

Contains newline: True

---

✅ Recommendations

🔴 Medium — Address Soon

1. Restrict ICMPv6 types in IPv6 chain (src/host-iptables.ts:395–404)

• Replace '-p', 'ipv6-icmp', '-j', 'ACCEPT' with specific type allows
• Allow only: types 1 (dest unreachable), 2 (packet too big), 3 (time exceeded), 135-136 (NDP)
• Block types 128-129 (echo request/reply) to prevent ICMP tunnel exfiltration
• Low effort, high value; prevents complete bypass of domain filtering over IPv6

🟡 Low — Plan to Address

2. Add newline/control-char validation for --allow-urls (src/cli.ts:~1005)

• Reject patterns containing \r, \n, or other control characters (/[\r\n\x00-\x1f]/)
• Prevents squid.conf injection if URL patterns ever come from less-trusted sources
• 2-line fix in the existing URL pattern validation block

3. Harden seccomp profile to deny-by-default (containers/agent/seccomp-profile.json)

• Replace SCMP_ACT_ALLOW default with Docker's standard deny-by-default allowlist
• Explicitly add unshare, clone3, chroot, mount to the ERRNO blocklist
• This adds a layer under the capability model; medium effort, medium value

4. Align DANGEROUS_PORTS between squid-config.ts and setup-iptables.sh

• Add 5984, 6984, 8086, 8088, 9200, 9300 to setup-iptables.sh DANGEROUS_PORTS
• Eliminates the divergence between L7 (Squid) and L3/L4 (iptables) blocklists
• Low risk (default DROP covers them) but reduces maintenance debt

🟢 Informational

5. Consider specific ICMPv4 restriction (src/host-iptables.ts)

• Currently, ICMP (IPv4) does not appear to be filtered in the FW_WRAPPER chain
• Tools like hping3 could theoretically use ICMP echo for tunneling over IPv4 too
• Mitigated by: no raw socket access (NET_RAW dropped), limited practical impact

6. Document LD_PRELOAD bypass in AGENTS.md / CLAUDE.md

• Static binaries (Go, statically-linked Rust) bypass one-shot-token protection
• This is documented in containers/agent/one-shot-token/README.md but not in AGENTS.md
• Helps operators understand the residual risk when running Go-based tools

---

📈 Security Metrics

Metric	Value
Lines of security-critical code analysed	3,009
Attack surfaces identified	10
STRIDE threats modelled	8
Critical findings	0
Medium findings	1 (ICMPv6 ACCEPT)
Low findings	3 (seccomp, url-pattern, ports-list)
Informational	2
npm dependency vulnerabilities	0
Dangerous syscalls NOT blocked by seccomp	4 (unshare, clone, mount, chroot)
Credential files hidden via /dev/null mounts	15

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 13, 2026, 1:52 PM UTC