[Security Review] Daily Security Review — gh-aw-firewall (2026-05-09)

[github-actions[bot]]

📊 Executive Summary

This review covers the gh-aw-firewall (@github/agentic-workflow-firewall) v0.23.1 codebase, performing evidence-based analysis of network security, container hardening, domain validation, and input handling. The firewall demonstrates strong defence-in-depth across multiple layers. No critical vulnerabilities were found; however, several medium-to-high-severity design considerations and hardening gaps warrant attention.

Metric	Value
Attack surfaces identified	7
Critical findings	0
High findings	2
Medium findings	4
Low findings	3

---

🔍 Findings from Firewall Escape Test (Secret Digger – Copilot)

The pre-fetched escape test summary (/tmp/gh-aw/escape-test-summary.txt) contained the conclusion logs from the prior Secret Digger (Copilot) workflow run (Actions run 24273493151):

• GH_AW_AGENT_CONCLUSION: success
• GH_AW_SECRET_VERIFICATION_RESULT: success
• Output was noop only — the agent produced no issues/discussions/PRs

Interpretation: The agent ran successfully and produced a noop, indicating no secrets were leaked or exfiltrated through the firewall in that run. The "Secret Digger" workflow is designed to test whether an agent inside the firewall can extract secrets; a noop conclusion means no secrets were exfiltrated and no disclosure findings were reported.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Evidence gathered:

# containers/agent/setup-iptables.sh — key rules
# Line 47-49: IPv6 disabled
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

# Line 100-101: Localhost bypass
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN

# Line 166-167: Allow Squid itself (prevent DNAT loop)
iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN

# Line 206-222: Host gateway bypass (--allow-host)
iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT

Strengths:

• IPv6 fully disabled inside agent network namespace — prevents IPv6 bypass of IPv4-only DNAT rules
• DNS restricted to whitelisted servers only; Docker embedded DNS (127.0.0.11) always allowed
• All TCP 80/443 DNAT'd to Squid as defence-in-depth for proxy-unaware tools
• Dangerous ports (SSH 22, SMTP 25, databases, Redis) explicitly blocked with LOG+DROP
• Host-level FW_WRAPPER chain in DOCKER-USER provides additional egress filtering

⚠️ HIGH: Host Gateway Bypass (--allow-host)

containers/agent/setup-iptables.sh:204-228 — When --allow-host is enabled, all traffic to host.docker.internal bypasses Squid entirely:

HOST_GATEWAY_IP=$(getent hosts host.docker.internal | awk 'NR==1 { print $1 }')
iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN   # skip DNAT to Squid
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT

Squid provides L7 domain filtering; bypassing it for the host gateway means any domain reachable via the host (if the host has broader internet access) is unfiltered. If an attacker inside the container can manipulate host.docker.internal DNS resolution (e.g., via a compromised Docker daemon or hosts file manipulation), arbitrary IPs could be added to the bypass set.

MEDIUM: iptables-save parsing for Docker DNS rules

containers/agent/setup-iptables.sh:78-93 — Docker's embedded DNS DNAT rules are preserved using:

DOCKER_DNS_RULES=$(iptables-save -t nat 2>/dev/null | grep -- "-A OUTPUT.*127.0.0.11" || true)
# then later:
iptables -t nat $rule 2>/dev/null || true

The $rule variable is derived from parsing iptables-save output and passed as shell word-split arguments to iptables. If Docker's rule format ever changes to include special characters, this could inject unexpected arguments. Risk is low in practice (Docker controls the output format) but represents a shell injection surface.

---

Container Security Assessment

Evidence:

# src/services/agent-service.ts:96, 98-112
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', ...],
security_opt: [
  'no-new-privileges:true',
  'seccomp=<workDir>/seccomp-profile.json',
  'apparmor:unconfined',   # ← notable
]

# iptables-init container (agent-service.ts:255-256)
cap_add: ['NET_ADMIN', 'NET_RAW'],
cap_drop: ['ALL'],

# Seccomp profile default action
defaultAction: SCMP_ACT_ERRNO
# Blocked syscalls include: ptrace, process_vm_readv/writev,
# kexec_load, reboot, init_module, umount, key management syscalls

Strengths:

• NET_ADMIN is correctly isolated to the short-lived iptables-init init container, never granted to the agent
• no-new-privileges:true prevents SUID escalation
• Seccomp profile with default-deny blocks broad categories of dangerous syscalls (ptrace, kernel module loading, kexec, key management)
• SYS_CHROOT and SYS_ADMIN are explicitly dropped before user code runs (entrypoint.sh:355-358)
• API proxy sidecar drops ALL capabilities with no-new-privileges:true (api-proxy-service.ts:159-162)

⚠️ HIGH: AppArmor Unconfined

src/services/agent-service.ts:112:

'apparmor:unconfined'

The agent container runs with AppArmor disabled. The comment explains this is needed to allow mount for procfs at /host/proc. While SYS_ADMIN is dropped before user code runs, the absence of AppArmor confinement means there is no Mandatory Access Control (MAC) layer constraining file access, system call patterns, or socket operations during the window when SYS_ADMIN is held. AppArmor's unconfined mode bypasses one of Docker's default security layers entirely.

MEDIUM: SYS_ADMIN Held During Startup

containers/agent/entrypoint.sh:465 — SYS_ADMIN is granted to the entire agent container and only dropped just before user code runs. During the entrypoint script execution window, the container holds SYS_ADMIN, which is a very powerful capability (allows arbitrary mounts, some namespace operations). If the entrypoint script itself had a vulnerability exploitable remotely (e.g., via environment variable injection), SYS_ADMIN would be available.

---

Domain Validation Assessment

Evidence:

// src/domain-patterns.ts — SQUID_DANGEROUS_CHARS
export const SQUID_DANGEROUS_CHARS = /[\s\0"'`;#]/;

// Domain validation rejects:
const DOMAIN_DANGEROUS_CHARS = /[\s\0"'`;#\\]/;

// Wildcard: uses character class to prevent ReDoS
export const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*';
// e.g., *.github.com → ^[a-zA-Z0-9.-]*\.github\.com$

// Overly broad patterns blocked:
// '*', '*.*', patterns with >1 wildcard segment covering most segments

Strengths:

• Injection of Squid config directives blocked via comprehensive character allowlist
• Backslash explicitly rejected for domain names (prevents regex injection into Squid config)
• ReDoS prevented by using character class [a-zA-Z0-9.-]* instead of .* in wildcard expansion
• Maximum domain length enforced (512 chars) before regex matching
• Protocol-specific allowlisting (http/https/both) is well-implemented

LOW: URL Allowlist (--allow-urls) Uses Less Strict Validation

src/domain-patterns.ts — The SQUID_DANGEROUS_CHARS regex (used for URLs) excludes \ (backslash is allowed), while domain validation (DOMAIN_DANGEROUS_CHARS) rejects it. URLs legitimately use \ for regex escaping per the comment, but this creates an asymmetry in injection protection between --allow-domains and --allow-urls.

---

Input Validation Assessment

Evidence:

// src/cli.ts:547
const agentCommand = args.length === 1 ? args[0] : joinShellArgs(args);

// Single argument → passed as-is to shell (intentional: $HOME expands in container)
// Multi-argument → joined with escapeShellArg() quoting

Strengths:

• joinShellArgs uses escapeShellArg which single-quotes arguments with special characters
• Domain inputs validated before being interpolated into Squid config

MEDIUM: Single-Argument Shell Pass-Through

src/cli.ts:523-547 — When exactly one argument is provided, it is passed as a raw shell command string (unescaped). This is documented as intentional — shell variables like $HOME must expand inside the container. However, this means the user's input is executed verbatim through /bin/sh -c, which is inherently a shell injection surface if AWF is invoked programmatically with user-controlled input. This is an acceptable design trade-off for interactive use, but dangerous if AWF is called as part of an automated pipeline where the command is constructed from untrusted input.

---

⚠️ Threat Model (STRIDE)

Threat Category	Threat	Likelihood	Impact	Evidence
Spoofing	Malicious container impersonates Squid via IP collision on awf-net	Low	High	Fixed subnet 172.30.0.0/24; Squid IP hardcoded at 172.30.0.10
Tampering	Agent modifies iptables rules after init container exits	Low	Critical	Agent lacks NET_ADMIN; verified in agent-service.ts:88-96
Tampering	SYS_ADMIN used to re-mount blocked paths during startup window	Low	High	Capability dropped before user code; entrypoint must be trusted
Repudiation	Agent denies network activity (no per-process logging)	Medium	Medium	Squid logs by IP; iptables logs UID but not PID; no per-process attribution
Information Disclosure	Secret exfiltration via allowed domain (data-in-subdomain DNS)	Low	High	DNS restricted to whitelisted servers; Squid sees only CONNECT SNI for HTTPS
Information Disclosure	API keys leaked via agent environment	Low	High	API proxy sidecar design ensures keys never reach agent env when --enable-api-proxy
Denial of Service	iptables rule exhaustion / rate limiting bypass	Low	Medium	LOG rules have --limit 5-10/min rate limiting
Denial of Service	ReDoS via crafted domain in --allow-domains	Low	Low	Character class wildcards prevent catastrophic backtracking
Elevation of Privilege	SUID binary in /host bind mount	Low	High	no-new-privileges:true prevents SUID escalation even in chroot
Elevation of Privilege	AppArmor bypass (runs unconfined)	Medium	Medium	AppArmor disabled; seccomp + capability drop partially compensate
Elevation of Privilege	Container escape via SYS_ADMIN during startup	Very Low	Critical	Short window; entrypoint well-controlled; seccomp blocks dangerous syscalls

---

🎯 Attack Surface Map

Surface	Location	Current Protections	Risk
CLI argument parsing	src/cli.ts:512-547	escapeShellArg; domain validation	Low
Domain/URL allowlist	src/domain-patterns.ts	Dangerous char rejection; ReDoS protection	Low
Squid config generation	src/squid-config.ts	Input sanitised before interpolation	Low
iptables DNAT rules	containers/agent/setup-iptables.sh	IPv6 disabled; DNS restricted; dangerous port block	Medium
Host gateway bypass	setup-iptables.sh:204-228	Port restriction (80/443 + explicit ports)	High
Container capabilities	src/services/agent-service.ts:96-112	Cap drop before user code; seccomp; no-new-privileges	Medium
AppArmor	agent-service.ts:112	None (unconfined)	High
API proxy injection	containers/api-proxy/	cap_drop: ALL; no-new-privileges; Squid-only egress	Low

---

📋 Evidence Collection

Key evidence commands and outputs

Capability configuration (src/services/agent-service.ts:88-112):

cap_add: ['SYS_CHROOT', 'SYS_ADMIN']   // dropped before user code
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', ...]
security_opt: ['no-new-privileges:true', 'seccomp=<profile>', 'apparmor:unconfined']

iptables-init container (agent-service.ts:255-256):

cap_add: ['NET_ADMIN', 'NET_RAW']
cap_drop: ['ALL']

Seccomp profile default action:

defaultAction: SCMP_ACT_ERRNO
Blocked: ptrace, process_vm_readv/writev, kexec_load, kexec_file_load,
         reboot, init_module, finit_module, delete_module, umount, umount2,
         add_key, request_key, keyctl, name_to_handle_at, open_by_handle_at

IPv6 disabled in agent (setup-iptables.sh:47-49):

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Host gateway bypass (setup-iptables.sh:204-211):

HOST_GATEWAY_IP=$(getent hosts host.docker.internal | awk 'NR==1 { print $1 }')
iptables -t nat -A OUTPUT -d "$HOST_GATEWAY_IP" -j RETURN
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport 443 -j ACCEPT

Domain dangerous char validation (domain-patterns.ts):

const DOMAIN_DANGEROUS_CHARS = /[\s\0"'`;#\\]/;

Escape test conclusion:

GH_AW_AGENT_CONCLUSION: success
GH_AW_SECRET_VERIFICATION_RESULT: success
Output: noop only (no secrets exfiltrated)

---

✅ Recommendations

🔴 High — Should Fix Soon

1. Document and restrict --allow-host use cases

The host gateway bypass (setup-iptables.sh:204-228) is currently an all-or-nothing exemption from Squid for the host gateway IP. Consider:

• Requiring explicit domain allowlisting even for host gateway traffic (reverse proxy through Squid)
• Adding a warning in CLI output when --allow-host is enabled
• Documenting in README that --allow-host disables L7 filtering for host-bound traffic

2. Investigate AppArmor profile for the agent

agent-service.ts:112 — apparmor:unconfined is used because procfs mount requires SYS_ADMIN and Docker's default AppArmor profile blocks mount. Since SYS_ADMIN is now the capability that gates mount (already held during startup), a custom AppArmor profile that allows only the specific proc mount and otherwise restricts the entrypoint could restore MAC coverage. Alternatively, document the explicit security trade-off in code comments and README.

🟡 Medium — Plan to Address

3. Narrow the SYS_ADMIN window further

containers/agent/entrypoint.sh:355-470 — The procfs mount occurs at line 465 and capability is dropped at line 358. Consider using a minimal helper binary (compiled with only mount capability via CAP_SYS_ADMIN via file capability setcap cap_sys_admin+ep) to perform the mount, allowing the main entrypoint to run without SYS_ADMIN entirely.

4. Harden iptables-save rule parsing

setup-iptables.sh:78-93 — Use a whitelist regex on each rule line extracted from iptables-save output before passing to iptables -t nat. Example:

if [[ "$rule" =~ ^-A\ OUTPUT\ -d\ 127\.0\.0\.11 ]]; then
  iptables -t nat $rule
fi

5. Add per-process logging correlation

Squid logs by client IP; iptables logs by UID. Neither provides PID-level attribution. Consider logging the process name/cmdline via auditd or an eBPF-based tool on the host to correlate network events to specific agent processes.

6. Warn on programmatic use of single-argument shell pass-through

src/cli.ts:523-547 — Add a lint rule or documentation note that AWF should not be called with user-controlled single-argument commands in automated pipelines. Alternatively, add a --no-shell flag that passes the command via exec (bypassing /bin/sh -c).

🟢 Low — Nice to Have

7. Align URL allowlist validation with domain allowlist

src/domain-patterns.ts — Consider whether backslash should be restricted in --allow-urls patterns, or document why the asymmetry with --allow-domains is intentional.

8. Add explicit IPv6 DROP rules as backup

setup-iptables.sh:47-49 — sysctl disable_ipv6 is best-effort and may fail silently. Add ip6tables -P OUTPUT DROP as a defence-in-depth fallback even if ip6tables is not always available.

9. Pin dependency versions for security-sensitive packages

package.json uses caret ranges (^) for execa, js-yaml, ajv. While devDependencies are not shipped, pinning production dependencies prevents unexpected version changes from introducing vulnerabilities.

---

📈 Security Metrics

Metric	Value
Security-critical source files analyzed	8 (host-iptables.ts, setup-iptables.sh, squid-config.ts, domain-patterns.ts, agent-service.ts, entrypoint.sh, api-proxy-service.ts, cli.ts)
Attack surfaces identified	7
STRIDE threat categories covered	6/6
Findings: Critical / High / Medium / Low	0 / 2 / 4 / 3
Seccomp syscalls blocked	25+
Capabilities granted to agent at startup	2 (SYS_CHROOT, SYS_ADMIN)
Capabilities held by agent during user code	0 (both dropped in entrypoint)
Secret Digger escape test result	✅ No secrets exfiltrated (noop)

Generated by Daily Security Review and Threat Modeling · ● 365.9K · ◷

• expires on May 16, 2026, 12:38 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir... the Codex smoke-test oracle passed through this circle and left a brief shimmer in the logs.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir... Codex passed through this discussion under the smoke-test moon, leaving a brief oracle mark in the runes.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

🔮 The ancient spirits stir: the Codex smoke test agent was here, leaving a bright ember in the oracle bowl.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-16T12:38:40.742Z.

Closed by Workflow