[Security Review] Daily Security Review — 2026-04-21

[github-actions[bot]]

Workflow run: 24723982343
Reviewer: GitHub Copilot (claude-sonnet-4.6)
Scope: Full codebase — network controls, container hardening, domain validation, input handling, privilege model

---

📊 Executive Summary

The gh-aw-firewall codebase demonstrates a mature, defense-in-depth security posture. The multi-layer architecture (host iptables → container DNAT → Squid ACL) is sound, and recent additions — IPv6 disablement, one-shot-token LD_PRELOAD, capability dropping, and DNS restriction — significantly raise the bar for egress escape. No critical vulnerabilities were identified. Five medium-priority findings and three low-priority hardening opportunities are documented below.

Category	Rating
Network Egress Controls	✅ Strong
Container Privilege Model	⚠️ Medium (non-chroot gap)
Domain/Input Validation	✅ Strong
Credential Isolation	✅ Strong
Logging / Audit Trail	✅ Good

---

🔍 Findings from Firewall Escape Test

The escape test summary file (/tmp/gh-aw/escape-test-summary.txt) contained GitHub Actions CI framework metadata from a "Secret Digger (Copilot)" workflow run (April 11, 2026), not structured escape-test results. Key observations from that metadata:

• GH_AW_SECRET_VERIFICATION_RESULT: success — secret isolation verification passed
• GH_AW_AGENT_CONCLUSION: success — agent completed without errors
• GH_AW_INFERENCE_ACCESS_ERROR: false — no inference service access failures
• Agent output had only noop safe-outputs, indicating no credentials or sensitive data were exfiltrated in that run
• The workflow concluded: "Agent succeeded with only noop outputs — this is not a failure"

Interpretation: The Secret Digger workflow is a continuous red-team probe designed to test whether a compromised agent inside the AWF sandbox can exfiltrate GitHub tokens or API keys. The result being success with a noop output means the firewall successfully blocked exfiltration — the agent found nothing to report. This is the expected behavior and validates the credential isolation layer.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

# src/host-iptables.ts lines 1-11 — host-level chain
const CHAIN_NAME = 'FW_WRAPPER';
const NETWORK_SUBNET = '172.30.0.0/24';

# containers/agent/setup-iptables.sh lines 36-49 — IPv6 disabled
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

# setup-iptables.sh lines 341-342 — DNAT to Squid
iptables -t nat -A OUTPUT -p tcp --dport 80  -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"

# setup-iptables.sh lines 426-430 — default deny
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

Assessment: The layered approach is correct and well-implemented. IPv6 is disabled at the kernel level inside the container — a critical hardening step that prevents AAAA-record Happy Eyeballs bypasses. The DNAT approach intercepts proxy-unaware tools. The default-deny TCP/UDP policy is strong. DNS exfiltration is addressed by restricting DNS to configured servers only.

Gap identified (Medium — M1): When AWF_ENABLE_HOST_ACCESS is active, both host.docker.internal and the container's default gateway (172.30.0.1) are given unconditional NAT RETURN (bypass Squid) and filter ACCEPT rules on ports 80/443. This creates a partial egress path to the Docker host that sidesteps L7 domain filtering:

# setup-iptables.sh lines 207-211
iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT

An attacker who controls code running in the agent container can send HTTP/HTTPS requests directly to the Docker host without Squid domain filtering when host access is enabled. Mitigation: document this as an explicit trust boundary in --enable-host-access documentation, and consider whether an optional host-side nginx/squid reverse proxy could enforce domain policy even for host-bound traffic.

Container Privilege Model

Evidence gathered:

# entrypoint.sh lines 356-365
if [ "\$\{AWF_CHROOT_ENABLED}" = "true" ]; then
  CAPS_TO_DROP="cap_sys_chroot,cap_sys_admin"
else
  # In non-chroot mode, no capabilities need to be dropped
  CAPS_TO_DROP=""
fi

Gap identified (Medium — M2): In non-chroot mode (AWF_CHROOT_ENABLED unset or not "true"), the entrypoint sets CAPS_TO_DROP="" and no capabilities are explicitly stripped before running the user command. The agent container does not receive NET_ADMIN (handled by the init container), but it retains all other default Docker capabilities — including DAC_OVERRIDE, CHOWN, FOWNER, SETUID, SETGID, AUDIT_WRITE, and MKNOD. In the CIS Docker Benchmark (check 5.3), cap_drop: ALL with explicit allowlist is recommended. The non-chroot path should drop unnecessary capabilities explicitly.

Strength: The iptables init container pattern is well-designed — NET_ADMIN is never granted to the agent container; instead, a dedicated awf-iptables-init container shares the network namespace and runs setup. This is the correct architecture for network namespace manipulation without granting NET_ADMIN to user code.

Gap identified (Low — L1): The ready-file handshake at entrypoint.sh:133 polls /tmp/awf-init/ready with a 30-second timeout:

while [ ! -f /tmp/awf-init/ready ]; do
  if [ "$INIT_ELAPSED" -ge "$INIT_TIMEOUT" ]; then
    echo "[entrypoint][ERROR] Timed out waiting for iptables init container after 30s"
    exit 1
  fi

If the init container crashes silently (exit 0 but no ready file), the entrypoint waits 30 seconds then exits — which is the correct safe-fail behavior. However, if the init container partially applies rules before crashing, the agent could start with incomplete iptables rules. Consider adding an integrity hash or rule count checksum to the ready file.

Domain Validation Assessment

Evidence gathered:

# src/domain-patterns.ts lines 1-30
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

# src/squid-config.ts lines 98-108 — defense-in-depth assertion
function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(
      `SECURITY: Domain or pattern contains characters unsafe for Squid config...`
    );
  }
}

Assessment: The domain injection protection is well-implemented. assertSafeForSquidConfig validates every domain and regex before interpolation into squid.conf. The SQUID_DANGEROUS_CHARS set correctly covers the main injection primitives. The wildcard-to-regex conversion uses [a-zA-Z0-9.-]* (not .*) to prevent ReDoS. Port specs are sanitized with replace(/[^0-9-]/g, '') (squid-config.ts:567) before insertion.

Note (Low — L2): The SQUID_DANGEROUS_CHARS regex excludes backslash (intentionally documented for URL regex patterns). The code comment states domain names are additionally validated in validateDomainOrPattern() to reject \. Ensure this secondary validation is always enforced before any domain string reaches assertSafeForSquidConfig to maintain the defense-in-depth guarantee.

Input Validation Assessment

Evidence gathered:

# entrypoint.sh lines 15-33 — UID/GID validation
if ! [[ "$HOST_UID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi  # Prevent root

# src/host-iptables.ts lines 96-101 — IP validation
const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/;
if (!ipv4Regex.test(gateway)) { return null; }

# setup-iptables.sh lines 185-196 — port spec validation
is_valid_port_spec() {
  if echo "$spec" | grep -qE '^[1-9][0-9]{0,4}-[1-9][0-9]{0,4}$'; then ...

Assessment: Input validation is thorough across all three layers (TypeScript, bash entrypoint, bash iptables setup). UID/GID validation correctly rejects non-numeric values and root (0). IPv4 addresses fetched from Docker APIs are validated before use in iptables commands. Port specs are validated against leading-zero patterns that could be interpreted ambiguously.

Gap identified (Medium — M3): At entrypoint.sh:347:

runuser -u awfuser -- git config --global --add safe.directory '*' 2>/dev/null || true
```
This configures git to trust **all** directories as safe, which suppresses the CVE-2022-24765 protection. If a malicious `.git/hooks/` directory exists in an untrusted path that the agent traverses (e.g., via a path traversal in a workspace), git operations could execute hooks. Consider restricting to the workspace directory only: `git config --global --add safe.directory "\$\{WORKDIR}"`.

---

## ⚠️ Threat Model (STRIDE)

| Threat Category | Threat | Location | Likelihood | Impact | Severity |
|---|---|---|---|---|---|
| **Spoofing** | Attacker impersonates Squid proxy by poisoning DNS resolution of `squid-proxy` hostname | `setup-iptables.sh:66` | Low (Docker DNS controls) | High | Medium |
| **Spoofing** | Agent container spoofs init container ready signal by writing `/tmp/awf-init/ready` directly | `entrypoint.sh:133` | Low (init container writes first) | High | Low |
| **Tampering** | Replace one-shot-token LD_PRELOAD library in shared `/tmp/awf-lib/` before agent starts | `entrypoint.sh:433` | Low (requires host access) | High | Medium |
| **Tampering** | Modify `.claude.json` (world-writable, mode 666) to redirect `apiKeyHelper` to attacker binary | `entrypoint.sh:193` | Low (requires same-UID access) | Medium | Low |
| **Repudiation** | Agent denies actions — iptables log uses UID not PID, making correlation to specific process harder | `setup-iptables.sh:421` | N/A | Low | Informational |
| **Information Disclosure** | Env var `CLAUDE_CODE_API_KEY_HELPER` printed to logs at `entrypoint.sh:162` — reveals helper path | `entrypoint.sh:162` | Medium (log capture) | Low | Low |
| **Information Disclosure** | Proxy credentials in `HTTP_PROXY` parsed/printed to entrypoint logs (`entrypoint.sh:337`) | `entrypoint.sh:337` | Low (if proxy includes creds) | Medium | Low |
| **Denial of Service** | Flood iptables LOG rules (rate-limited to 5/min, burst 10) to exhaust kernel log buffer | `setup-iptables.sh:420-421` | Low | Low | Low |
| **Elevation of Privilege** | Non-chroot mode retains default Docker capabilities (DAC_OVERRIDE, SETUID, etc.) | `entrypoint.sh:360-364` | Medium | High | **Medium** |
| **Elevation of Privilege** | Host access mode allows direct HTTP/HTTPS to Docker host gateway, bypassing domain ACL | `setup-iptables.sh:207-211` | Medium (if --enable-host-access) | Medium | **Medium** |
| **Elevation of Privilege** | `git safe.directory '*'` allows git hooks in any traversed directory | `entrypoint.sh:347` | Low | Medium | **Medium** |

---

## 🎯 Attack Surface Map

| Attack Surface | Entry Point | Current Protections | Risk |
|---|---|---|---|
| **Egress HTTP/HTTPS** | Any outbound TCP 80/443 | DNAT → Squid → domain ACL → default deny | Low |
| **Egress non-HTTP** | TCP/UDP to arbitrary ports | iptables default DROP; dangerous ports explicitly blocked | Low |
| **IPv6 egress** | Any IPv6 destination | `sysctl disable_ipv6=1` at container startup | Low |
| **DNS exfiltration** | UDP/TCP port 53 | Restricted to configured servers; Docker embedded DNS only in resolv.conf | Low |
| **Domain injection** | `--allow-domains` CLI arg | `assertSafeForSquidConfig()` + `validateDomainOrPattern()` | Low |
| **Command injection** | `awf <command>` CLI arg | `escapeShellArg()` single-quote wrapping | Low |
| **Host FS access (chroot)** | Selective bind mounts under `/host/` | Specific paths only; `/etc/shadow` excluded; ro for system dirs | Low |
| **Host access bypass** | `--enable-host-access` flag | Filter rules on 80/443 only; NAT bypasses Squid for host gateway | **Medium** |
| **Capability exploitation** | Non-chroot mode default caps | Docker default cap set (no explicit drop in non-chroot path) | **Medium** |
| **LD_PRELOAD tampering** | `/tmp/awf-lib/one-shot-token.so` copy | Host /tmp rw mount; no integrity check on copied library | **Medium** |
| **Git hook execution** | Any git operation in agent | `safe.directory '*'` disables dubious-ownership checks | **Medium** |
| **Credential re-read** | `getenv()` calls for token vars | `one-shot-token.so` LD_PRELOAD prevents multiple reads (chroot mode only) | Low (chroot); Medium (non-chroot) |
| **API key helper path** | `CLAUDE_CODE_API_KEY_HELPER` env | Path validated; copies to chroot-accessible location | Low |

---

## 📋 Evidence Collection

<details>
<summary>Command: host-iptables.ts chain constants</summary>

```
src/host-iptables.ts:7-11
const NETWORK_NAME = 'awf-net';
const CHAIN_NAME = 'FW_WRAPPER';
const CHAIN_NAME_V6 = 'FW_WRAPPER_V6';
const NETWORK_SUBNET = '172.30.0.0/24';
const AWF_NETWORK_GATEWAY = '172.30.0.1';

Command: IPv6 disablement (setup-iptables.sh:36-49)

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Command: Default deny rules (setup-iptables.sh:426-430)

iptables -A OUTPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_TCP] "
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_UDP_AGENT] "
iptables -A OUTPUT -p udp -j DROP

Command: Capability dropping (entrypoint.sh:356-365)

if [ "\$\{AWF_CHROOT_ENABLED}" = "true" ]; then
  CAPS_TO_DROP="cap_sys_chroot,cap_sys_admin"
  echo "[entrypoint] Chroot mode enabled - dropping CAP_SYS_CHROOT and CAP_SYS_ADMIN"
else
  CAPS_TO_DROP=""
  echo "[entrypoint] No capabilities to drop (NET_ADMIN never granted to agent)"
fi

Command: Squid config injection guard (squid-config.ts:98-108)

export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

function assertSafeForSquidConfig(value: string): string {
  if (SQUID_DANGEROUS_CHARS.test(value)) {
    throw new Error(
      `SECURITY: Domain or pattern contains characters unsafe for Squid config...`
    );
  }
}

Command: UID/GID root prevention (entrypoint.sh:26-33)

if [ "$HOST_UID" -eq 0 ]; then
  echo "[entrypoint][ERROR] Invalid AWF_USER_UID: cannot be 0 (root)"
  exit 1
fi
```
</details>

<details>
<summary>Command: Escape test summary analysis</summary>

```
GH_AW_SECRET_VERIFICATION_RESULT: success
GH_AW_AGENT_CONCLUSION: success
Agent succeeded with only noop outputs - this is not a failure

Secret Digger (Copilot) workflow — agent found no exfiltration paths.

---

✅ Recommendations

🔴 Critical

None identified.

🟠 High

None identified.

🟡 Medium

M1 — Document and constrain --enable-host-access trust boundary
setup-iptables.sh:207-211
When host access is enabled, HTTP/HTTPS traffic to host.docker.internal and the network gateway bypasses Squid domain filtering. Add explicit documentation in help text and README that --enable-host-access creates an L7-unfiltered path to the Docker host. Consider adding an optional host-side proxy for this path, or restricting to a named allowlist of host ports only (not ports 80/443 open-ended).

M2 — Drop unnecessary capabilities in non-chroot mode
entrypoint.sh:360-364
When AWF_CHROOT_ENABLED is not set, no capabilities are dropped before user code runs. Add a baseline cap_drop in the Docker Compose agent service definition covering DAC_OVERRIDE, CHOWN, FOWNER, SETUID, SETGID, AUDIT_WRITE, MKNOD per CIS Docker Benchmark 5.3. Alternatively, add explicit cap_drop: ALL with a minimal allowlist in docker-manager.ts for both modes.

M3 — Scope git safe.directory to workspace only
entrypoint.sh:347
Replace:

git config --global --add safe.directory '*'

With:

git config --global --add safe.directory "\$\{AWF_WORKDIR:-/workspace}"

This restores CVE-2022-24765 protections for all paths outside the designated workspace, preventing malicious git hooks from executing if the agent traverses an attacker-controlled directory.

🔵 Low

L1 — Add integrity check to init container ready signal
entrypoint.sh:133, setup-iptables.sh:444-450
The current ready-file protocol is binary (exists/not-exists). Consider writing a rule count or SHA of the expected iptables state to the ready file and having the entrypoint validate it. This prevents partial rule sets from silently going undetected if the init container crashes mid-script.

L2 — Verify validateDomainOrPattern() always precedes assertSafeForSquidConfig()
src/domain-patterns.ts, src/squid-config.ts:102
The backslash exclusion from SQUID_DANGEROUS_CHARS relies on validateDomainOrPattern() rejecting \ in domain names. Add a test case that passes a domain containing \ directly to assertSafeForSquidConfig() to confirm the secondary check would catch it if validation is bypassed.

L3 — Reduce permissions on copied config files
entrypoint.sh:193,217,229,239
.claude.json is created/updated with mode 0666 (world-readable and world-writable) and the .claude/ directory with 0777. In a shared runner environment, these permissions allow any process running on the host to read session tokens cached in these files. Prefer 0600 (owner read/write only) for the files and 0700 for the directory.

---

📈 Security Metrics

Metric	Value
Files analyzed	5 security-critical files
Lines of security-critical code reviewed	~1,100 (entrypoint.sh, setup-iptables.sh, host-iptables.ts, squid-config.ts, domain-patterns.ts)
Attack surfaces identified	13
STRIDE threats catalogued	11
Critical findings	0
High findings	0
Medium findings	3
Low findings	3
Escape test result	✅ No exfiltration (Secret Digger: noop)

Generated by Daily Security Review and Threat Modeling · ● 638.5K · ◷

• expires on Apr 28, 2026, 1:20 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test agent has walked this thread.
By moonlit logs and iron gates, the firewall omens were read.
The oracle departs this circle, leaving verification sigils behind.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir, and the firewall runes confirm this path was walked.
I, the smoke test oracle, have passed through these halls and marked this cycle.
May the wards hold fast until the next divination.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex