[Security Review] Daily Security Review and Threat Modeling — 2026-03-14

[github-actions[bot]]

Automated Security Review | Run: 23089012476 | Date: 2026-03-14

---

📊 Executive Summary

Overall security posture is good. The defense-in-depth architecture (host iptables → container NAT → Squid L7) is well-designed, and critical paths (credential isolation, capability dropping, domain validation) are robustly implemented. No critical vulnerabilities were found.

Two findings warrant attention: an IPv6 proxy bypass (when ip6tables is available in the agent container but no IPv6 DNAT rules exist for ports 80/443) and a dangerous ports list inconsistency between the two enforcement layers. All other findings are low or informational.

Metric	Value
Security-critical files analyzed	7
Lines of security-critical code	4,881
Attack surfaces mapped	8
Critical findings	0
High findings	0
Medium findings	1
Low findings	3
Informational	2
npm vulnerabilities (high/critical)	0
npm vulnerabilities (moderate)	4

---

🔍 Findings from Firewall Escape Test

The firewall-escape-test workflow name was not found in the current workflow registry. The security-review workflow logs could not be fetched (git not in PATH in this runner context). No complementary escape test report was available for cross-referencing this cycle.

---

🛡️ Architecture Security Analysis

Network Security Assessment

The dual-layer enforcement model is well-designed:

1. Host level (src/host-iptables.ts): Creates a FW_WRAPPER chain in DOCKER-USER that applies to ALL containers on the awf-net bridge. Default-deny for TCP/UDP with explicit allows for Squid egress, DNS forwarding, and conntrack-established return traffic.

2. Container level (containers/agent/setup-iptables.sh): NAT DNAT rules redirect port 80/443 to Squid (\$\{SQUID_IP}:3128). OUTPUT filter chain enforces default-deny for TCP/UDP independently of NAT.

3. Squid level (src/squid-config.ts): L7 domain ACL filtering with dstdomain and dstdom_regex ACLs. Explicit http_access deny all at end of chain.

Firewall rule ordering is correct: deny rules for unsafe ports precede allow rules for safe ports in Squid. The NAT DANGEROUS_PORTS RETURN rules precede DNAT redirect rules in the container.

DNS exfiltration prevention: Direct UDP/TCP port 53 traffic to non-configured DNS servers is blocked at both host and container filter chain levels. Only explicitly configured upstream servers (default: Google 8.8.8.8/8.8.4.4) are permitted.

Cloud metadata endpoint: 169.254.0.0/16 is explicitly REJECTed in the host FW_WRAPPER chain (line 385 of src/host-iptables.ts). Port 80 traffic to 169.254.169.254 would also be DNAT'd to Squid and blocked there.

⚠️ FINDING: IPv6 Proxy Bypass When ip6tables Is Available

Severity: Medium

Evidence:

# From containers/agent/setup-iptables.sh
# IPv4 DNAT rules exist:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination "\$\{SQUID_IP}:\$\{SQUID_PORT}"

# IPv6 DNAT rules: ABSENT
# grep "ip6tables.*DNAT" setup-iptables.sh → (no results)

# IPv6 filter OUTPUT DROP: ABSENT
# grep "ip6tables.*OUTPUT.*DROP|ip6tables.*OUTPUT.*REJECT" → (no results)

When ip6tables is available inside the agent container, IPv6 HTTP/HTTPS connections (ports 80/443) are not redirected to Squid. The IP6TABLES_AVAILABLE=true path only adds loopback (::1) and DNS exemptions to the ip6tables NAT OUTPUT chain — no DNAT redirect for ports 80/443. The ip6tables filter OUTPUT chain is also never populated, so there is no IPv6 DROP rule for TCP/UDP.

Additionally, at the host level (src/host-iptables.ts), the FW_WRAPPER_V6 chain is only created when IPv6 DNS servers are configured (hasIpv6Dns = upstreamDns.some(s => s.includes(':'))). With default IPv4-only DNS (8.8.8.8/8.8.4.4), no IPv6 filter chain is inserted into DOCKER-USER at all.

Impact: If a destination server has AAAA records and the Docker network has IPv6 routing, an agent process could make direct IPv6 connections bypassing domain whitelisting entirely.

Mitigating factor: The Docker network (awf-net) is created without IPv6 enabled (no --ipv6 flag in src/host-iptables.ts:ensureFirewallNetwork()), so containers likely have no routable IPv6 addresses by default. Risk is only realized if Docker's default bridge or IPv6 is otherwise reachable.

Recommendation: Add ip6tables DNAT rules for ports 80/443 → Squid, and a default DROP for TCP/UDP in the agent container's setup, mirroring the IPv4 rules. Also unconditionally insert a FW_WRAPPER_V6 default-deny chain into DOCKER-USER regardless of DNS server type.

---

Container Security Assessment

Capability Management: NET_ADMIN is never granted to the agent container (iptables setup is handled by a separate init container). This is a strong design choice that prevents firewall rule modification by untrusted code.

In chroot mode, CAP_SYS_CHROOT and CAP_SYS_ADMIN are dropped via capsh before executing user commands (confirmed at containers/agent/entrypoint.sh lines 303–312).

Seccomp Profile: Default action is SCMP_ACT_ERRNO (secure). 343 syscalls explicitly allowed. Notably:

# Verified with seccomp-profile.json analysis:
# dangerous syscalls allowed:
mount: SCMP_ACT_ALLOW      ← allowed
unshare: SCMP_ACT_ALLOW    ← allowed
setns: SCMP_ACT_ALLOW      ← allowed
chroot: SCMP_ACT_ALLOW     ← allowed
clone3: SCMP_ACT_ALLOW     ← allowed
pivot_root: SCMP_ACT_ERRNO ← correctly blocked

mount, unshare, setns, and chroot are allowed by seccomp but their dangerous use requires CAP_SYS_ADMIN/CAP_SYS_CHROOT which are dropped. unshare with CLONE_NEWNET to create new network namespaces could theoretically bypass iptables rules (new namespace has no rules), but requires CAP_SYS_ADMIN (dropped in chroot mode) or CAP_NET_ADMIN (never granted).

Non-root execution: Agent runs as awfuser (UID dynamically matched to host user). Root escalation prevented by UID=0 check in entrypoint (lines 27–34).

One-Shot Token: Credential isolation via LD_PRELOAD is well-designed. On first getenv() call for token variables, the value is cached and removed from /proc/self/environ via unsetenv(). Token names are XOR-obfuscated to prevent strings extraction.

⚠️ FINDING: git safe.directory Wildcard

Severity: Low

# containers/agent/entrypoint.sh line 296:
runuser -u awfuser -- git config --global --add safe.directory '*' 2>/dev/null || true

This globally disables git's safe directory ownership check for awfuser, allowing git operations in any directory regardless of ownership. While necessary for workflows that operate on repositories owned by different UIDs, it removes a protection against git hook attacks in untrusted repositories.

Recommendation: Document this intentional trade-off. Consider scoping to specific workspace paths if the use case allows.

---

Domain Validation Assessment

Pattern validation in src/domain-patterns.ts is strong:

• Overly broad patterns (*, *.*, patterns with only wildcards/dots) are rejected
• Wildcard conversion uses [a-zA-Z0-9.-]* character class instead of .* to prevent ReDoS
• Protocol prefixes ((redacted) https://`) are correctly stripped before validation
• Double dots, bare dots, incomplete patterns are caught

// src/domain-patterns.ts — wildcardToRegex() uses safe character class:
const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*';
// Result: anchored '^' + escaped_pattern + '$' — no catastrophic backtracking
```

**Squid domain matching**: Plain domains always get a leading dot prefix via `formatDomainForSquid()`, correctly matching the domain itself and all subdomains.

**Direct IP blocking**: Squid config includes:
```
acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl dst_ipv6 dstdom_regex ^\[?[0-9a-fA-F:]+\]?$
http_access deny dst_ipv4
http_access deny dst_ipv6

This correctly prevents bypassing domain filtering via raw IP addresses in CONNECT requests.

FINDING: Dangerous Ports List Inconsistency Between Layers

Severity: Low

# Verified analysis of both files:
# In squid-config.ts DANGEROUS_PORTS but NOT in setup-iptables.sh DANGEROUS_PORTS:
{5984, 6984, 8086, 8088, 9200, 9300}
# (CouchDB, InfluxDB, Elasticsearch)

The Squid config's DANGEROUS_PORTS list includes 6 ports not in the container iptables DANGEROUS_PORTS list. For those 6 ports, the iptables NAT lacks a RETURN rule, so traffic gets DNAT'd to Squid and blocked there. This is functionally equivalent but violates the defense-in-depth principle that each layer should independently enforce the same policy.

Recommendation: Synchronize the dangerous ports list between src/squid-config.ts and containers/agent/setup-iptables.sh.

---

Input Validation Assessment

Command injection: User-supplied commands are passed to Docker Compose as an array (['/bin/bash', '-c', config.agentCommand.replace(/\$/g, '$$$$')]), not via shell. The execa library is used throughout with array arguments — no shell string interpolation for docker commands.

The custom ESLint rule local/no-unsafe-execa enforces safe execa usage (prevents template literals and string concatenation in command/args positions).

Port validation: User-supplied ports via --allow-host-ports are validated against DANGEROUS_PORTS and sanitized with /[^0-9-]/g removal before insertion into Squid config and iptables rules.

---

⚠️ Threat Model (STRIDE)

Threat	Category	Evidence	Likelihood	Impact	Severity
IPv6 bypasses proxy when AAAA records resolve	Information Disclosure	setup-iptables.sh: no ip6tables DNAT for 80/443	Low (IPv6 may not be routable)	High	Medium
DNS tunneling to non-whitelisted resolvers	Information Disclosure	Both iptables layers block UDP/TCP 53 except to configured upstreams	Very Low	Medium	Low
Domain wildcard pattern too broad	Spoofing	validateDomainOrPattern() rejects *, *.*, multi-wildcard patterns	Very Low	Medium	Low
Credential exposure via /proc/self/environ	Information Disclosure	One-shot-token removes tokens from environment after first read	Very Low	High	Low
Container escape via namespace unshare	Elevation of Privilege	unshare allowed in seccomp; mitigated by no CAP_SYS_ADMIN/CAP_NET_ADMIN	Very Low	Critical	Low
Docker socket abuse (chroot+docker mode)	Elevation of Privilege	Socket mounted RW when --enable-docker used; intentional feature	Low	High	Info
Host filesystem modification via workspace mount	Tampering	Workspace mounted RW in chroot mode; intentional design	Low	Medium	Info
Firewall rule modification at runtime	Tampering	NET_ADMIN never granted to agent; init container drops it before exec	Very Low	Critical	Low
Squid config injection via base64 env var	Tampering	Config injected via AWF_SQUID_CONFIG_B64; generated, not user-controlled	Very Low	High	Low
js-yaml prototype pollution in YAML generation	Tampering	GHSA-mh29-5h37-fv8m; << merge only in generated YAML, not parsed from user input	Very Low	Low	Low

---

🎯 Attack Surface Map

Entry Point	File:Line	What it does	Current Protections	Risk
--allow-domains CLI argument	src/cli.ts:1243	Defines allowed domains	validateDomainOrPattern(), wildcard sanitization	Low
--allow-host-ports CLI argument	src/squid-config.ts:468	Extends allowed ports	DANGEROUS_PORTS check, /[^0-9-]/g sanitization	Low
User command string	src/cli.ts:1232	Arbitrary command executed in container	Runs as non-root awfuser; capability-dropped; iptables enforced	Medium
Docker socket (chroot+docker mode)	src/docker-manager.ts:743	Direct Docker daemon access	Only when --enable-docker explicitly set; socket hidden by default	Medium
Host filesystem via /host mount	src/docker-manager.ts:577	Read-only system paths; RW workspace	System dirs mounted :ro; credential files hidden via /dev/null bind	Low
AWF_SQUID_CONFIG_B64 env var	src/docker-manager.ts:314	Squid configuration injection	Generated internally, never from user input	Low
HTTP/HTTPS via Squid proxy	src/squid-config.ts	All outbound web traffic	Domain ACL; dangerous ports blocked; IP direct-connect blocked	Low
IPv6 traffic (when available)	containers/agent/setup-iptables.sh	Outbound IPv6 connections	No DNAT rules; host-level chain may not exist	Medium

---

📋 Evidence Collection

IPv6 bypass investigation commands

# grep "ip6tables.*DNAT" containers/agent/setup-iptables.sh
# (no output — confirmed no IPv6 DNAT rules)

# grep "ip6tables.*OUTPUT.*DROP|ip6tables.*OUTPUT.*REJECT" containers/agent/setup-iptables.sh  
# (no output — confirmed no IPv6 filter OUTPUT rules)

# grep "hasIpv6Dns" src/host-iptables.ts
# Line 293: const hasIpv6Dns = upstreamDns.some(s => s.includes(':'));
# Line 294: if (hasIpv6Dns && ip6tablesAvailable) {
# → FW_WRAPPER_V6 only created when IPv6 DNS configured

Dangerous ports inconsistency analysis

# iptables_ports = {22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 6379, 27017, 27018, 28017}
# squid_ports = {22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 5984, 6379, 6984,
#                8086, 8088, 9200, 9300, 27017, 27018, 28017}
# In squid but NOT iptables: {5984, 6984, 9200, 9300, 8086, 8088}
```

</details>

<details>
<summary>Seccomp profile analysis</summary>

```
Default action: SCMP_ACT_ERRNO
Explicitly allowed syscalls: 343
Dangerous syscalls with SCMP_ACT_ALLOW: mount, chroot, unshare, setns, clone3
pivot_root: SCMP_ACT_ERRNO (correctly blocked)
```

</details>

<details>
<summary>npm audit results</summary>

```
Total vulnerabilities: 4 (all moderate, 0 high/critical)
- js-yaml: prototype pollution in << merge (GHSA-mh29-5h37-fv8m)
  Impact: Low — YAML generated programmatically, not parsed from untrusted input
- markdown-it, markdownlint, markdownlint-cli2: ReDoS
  Impact: Low — dev dependencies only, not in production runtime

---

✅ Recommendations

Medium

1. Fix IPv6 proxy bypass in container setup-iptables.sh
   • Add ip6tables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT and --dport 443 -j DNAT rules targeting Squid (if Squid is reachable via IPv6, or block IPv6 outbound entirely)
   • Add ip6tables -A OUTPUT -p tcp -j DROP and -p udp -j DROP mirror rules
   • In src/host-iptables.ts, unconditionally create FW_WRAPPER_V6 with a default-deny policy and insert it into DOCKER-USER, regardless of whether IPv6 DNS is configured

Low

2. Synchronize dangerous ports lists

   • Add ports 5984, 6984, 8086, 8088, 9200, 9300 to DANGEROUS_PORTS in containers/agent/setup-iptables.sh to match src/squid-config.ts
   • Consider extracting a single authoritative list shared between both files

3. Document git safe.directory '*' trade-off

   • Add a comment in containers/agent/entrypoint.sh explaining why the wildcard is needed and what protections exist despite it
   • Consider using git config --system scoped to specific workspace directories if technically feasible

4. Update js-yaml dependency

   • Run npm audit fix to resolve the moderate js-yaml prototype pollution (GHSA-mh29-5h37-fv8m)
   • Low risk since YAML is generated programmatically, but keeping dependencies current is good hygiene

Informational

5. Consider adding IPv6 to Docker network explicitly

   • Either explicitly enable IPv6 in awf-net with proper ip6tables rules, or explicitly disable IPv6 at the Docker daemon level for this network to make the current behavior deterministic

6. seccomp: consider restricting unshare

   • unshare(CLONE_NEWUSER) can be used without privileges on some kernels to create user namespaces with uid_map tricks. Consider adding a conditional args filter on unshare to only allow non-network-namespace flags.

---

📈 Security Metrics

• Lines of security-critical code analyzed: 4,881 across 7 files
• Attack surfaces identified: 8
• STRIDE threats evaluated: 10
• Findings requiring action: 4 (1 medium, 3 low)
• npm high/critical vulnerabilities: 0
• Defense layers verified: 3 (host iptables → container iptables NAT → Squid ACL)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 21, 2026, 1:44 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-21T13:44:39.576Z.

Closed by Workflow