[Security Review] Daily Security Review — 2026-03-13

[github-actions[bot]]

📊 Executive Summary

Review date: 2026-03-13
Lines of security-critical code analyzed: 6,165 (across 7 core files)
Attack surfaces identified: 9
STRIDE threats documented: 6 categories
Findings: 1 High · 3 Medium · 4 Low

The overall security architecture is well-designed: dual-layer enforcement (iptables + Squid ACLs), capability dropping, seccomp profiles, privilege de-escalation via capsh/gosu, and a default-deny network posture. One high-severity gap in IPv6 egress filtering was discovered. The remaining findings are defense-in-depth inconsistencies and hardening opportunities.

---

🔍 Findings from Firewall Escape Test Agent

The firewall-escape-test workflow was not found in this repository's workflow list. The security-guard and security-review workflows are present. The findings below are based solely on static analysis of the codebase.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Architecture: Two-tier enforcement — host-level DOCKER-USER chain (FW_WRAPPER) + container-level OUTPUT filter chain + Squid domain ACL.

Findings:

✅ Strengths

• Docker DOCKER-USER chain (FW_WRAPPER) intercepts all bridge egress traffic before routing.
• ESTABLISHED,RELATED conntrack rule allows return traffic correctly without over-permitting.
• DNS restricted: container sees only 127.0.0.11 (Docker embedded DNS); upstream resolvers controlled via docker-compose dns: field.
• IPv6 disabled via sysctl when ip6tables unavailable — prevents IPv6 from becoming an unfiltered bypass path.
• Squid's dstdomain ACLs always prefix domains with . via formatDomainForSquid(), ensuring subdomain matching.

⚠️ Finding 1 (High): IPv6 Egress Unfiltered at Container AND Host Level

Evidence:

# File: containers/agent/setup-iptables.sh (lines 283-285)
# DROP rules are IPv4-only:
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# No corresponding ip6tables DROP rules exist

# File: src/host-iptables.ts (lines 293-326)
# FW_WRAPPER_V6 is only created when IPv6 DNS servers are configured:
const hasIpv6Dns = upstreamDns.some(s => s.includes(':'));
if (hasIpv6Dns && ip6tablesAvailable) {
  // creates FW_WRAPPER_V6, adds DNS-only ACCEPT rules
}
# FW_WRAPPER_V6 is NEVER inserted into ip6tables DOCKER-USER
# There is no: ip6tables -I DOCKER-USER 1 -i (bridge) -j FW_WRAPPER_V6

Impact: When ip6tables is available on the host (common on modern Linux), IPv6 traffic originating from the agent container is not filtered by either the container-level OUTPUT chain or the host-level DOCKER-USER chain. The NAT table has no IPv6 DNAT redirect either, so IPv6 HTTP/HTTPS traffic bypasses Squid entirely. An agent that can resolve IPv6 addresses for target services could potentially exfiltrate data or reach external servers unfiltered.

Mitigation:

1. Add ip6tables -A OUTPUT -p tcp -j DROP and ip6tables -A OUTPUT -p udp -j DROP at the end of setup-iptables.sh when IP6TABLES_AVAILABLE=true.
2. Insert FW_WRAPPER_V6 into ip6tables DOCKER-USER unconditionally when ip6tables is available (not just when IPv6 DNS servers are configured), with a default-REJECT policy.

---

Container Security Assessment

✅ Strengths

• Agent container uses a two-phase init: init container handles iptables setup with NET_ADMIN + NET_RAW, agent container never receives NET_ADMIN (line 958, docker-manager.ts): "SECURITY: NET_ADMIN is NOT granted to the agent container."
• cap_drop: ALL applied to agent container with only required capabilities added back.
• no-new-privileges:true via security_opt prevents SUID escalation.
• Custom seccomp profile (containers/agent/seccomp-profile.json) with defaultAction: SCMP_ACT_ERRNO.
• AWF_USER_UID/AWF_USER_GID validated: non-empty, numeric, and non-zero (root) before use (entrypoint.sh lines 15-37).
• Privilege dropped via capsh --drop=... before user command execution.

⚠️ Finding 2 (Medium): Seccomp Profile Allows mount, unshare, setns

Evidence:

$ python3 -c "
import json
with open('containers/agent/seccomp-profile.json') as f:
    d = json.load(f)
for s in d.get('syscalls', []):
    if s.get('action') == 'SCMP_ACT_ALLOW':
        names = s.get('names', [])
        if 'mount' in names: print('mount: ALLOWED')
        if 'unshare' in names: print('unshare: ALLOWED')
        if 'setns' in names: print('setns: ALLOWED')
"
mount: ALLOWED
unshare: ALLOWED
setns: ALLOWED

Impact:

• mount is allowed — while CAP_SYS_ADMIN is needed for most mounts, bind mounts and certain filesystem operations are possible without it in some kernel configurations.
• unshare (specifically CLONE_NEWUSER) can create unprivileged user namespaces, which when combined with CLONE_NEWNET creates a new network namespace potentially bypassing container network rules. This is a known container escape vector (userspace network namespace → fresh route table).
• setns can move the process into an existing namespace if a file descriptor to it is available.

Note: CAP_SYS_ADMIN is dropped via cap_drop: ALL + selective add-back, which limits damage. In chroot mode, CAP_SYS_ADMIN and CAP_SYS_CHROOT are explicitly dropped.

Mitigation: Consider adding unshare, mount, and setns to the seccomp DENY list (SCMP_ACT_ERRNO) if these syscalls are not needed by agent workloads.

---

Domain Validation Assessment

✅ Strengths

• validateDomainOrPattern() correctly blocks *, *.*, and /^[*.]+$/ (all-wildcard) patterns.
• Wildcard-to-regex conversion uses [a-zA-Z0-9.-]* character class instead of .* — prevents ReDoS attacks.
• Domain length limited to 512 characters before regex matching.
• Double-dots, leading/trailing patterns, and incomplete domains are rejected.
• Protocol-specific allowlisting ((redacted) https://`) supported and enforced separately.

⚠️ Finding 3 (Medium): Multi-Wildcard Segment Threshold May Be Too Permissive

Evidence (src/domain-patterns.ts lines 163-177):

const wildcardSegments = segments.filter(s => s === '*').length;
const totalSegments = segments.length;
// If more than half the segments are pure wildcards...
if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) {
  throw new Error(`Pattern '\$\{trimmed}' has too many wildcard segments...`);
}

Pattern like *.*.github.com (2 wildcards, 4 segments) passes validation since 2 < 4-1=3. This results in the regex ^[a-zA-Z0-9.-]*\.[a-zA-Z0-9.-]*\.github\.com$ which matches arbitrary two-level subdomains. While this is technically correct for matching api.v2.github.com, it's more permissive than likely intended and could be confusing. The validation check wildcardSegments >= totalSegments - 1 would need wildcardSegments = 3 before rejecting a 4-segment pattern.

Mitigation: Document the intended semantics clearly. Consider adding a warning (not error) when more than one wildcard segment is used, since *.github.com covers 99% of use cases.

---

Input Validation Assessment

✅ Strengths

• escapeShellArg() in cli.ts (line 679) wraps args in single quotes and escapes embedded single quotes.
• agentCommand.replace(/\$/g, '$$$$') in docker-manager.ts (line 1003) escapes $ for Docker Compose interpolation prevention.
• DNS server IP addresses validated against IP regex before use.
• AWF_USER_UID/AWF_USER_GID validated as numeric non-zero before usermod/groupmod.
• Port ranges validated: 1 <= START <= END <= 65535, checked against DANGEROUS_PORTS.

⚠️ Finding 4 (Medium): DANGEROUS_PORTS List Inconsistency Between Components

Evidence:

# squid-config.ts DANGEROUS_PORTS (21 ports, line 14):
# Includes: 5984 (CouchDB), 6984 (CouchDB SSL), 8086 (InfluxDB), 8088 (InfluxDB RPC),
#           9200 (Elasticsearch HTTP), 9300 (Elasticsearch transport)

# setup-iptables.sh DANGEROUS_PORTS (15 ports):
# MISSING: 5984, 6984, 8086, 8088, 9200, 9300

Impact: The NAT-level pre-blocking in setup-iptables.sh is a defense-in-depth measure that prevents dangerous ports from even being redirected to Squid. The 6 missing ports are still protected by the final iptables -A OUTPUT -p tcp -j DROP rule, but the inconsistency creates a maintenance risk: future changes to one list may not be reflected in the other. Additionally, Squid's Safe_ports ACL also enforces these, but the multiple-layer validation is desirable.

Mitigation: Synchronize both DANGEROUS_PORTS lists and add a comment referencing squid-config.ts from setup-iptables.sh.

---

⚠️ Threat Model (STRIDE)

#	Category	Threat	Evidence Location	Likelihood	Impact	Severity
T1	Spoofing	Agent resolves IPv6 addresses for allowlisted services and communicates directly, bypassing Squid domain filtering	setup-iptables.sh:283-285, host-iptables.ts:293-326	Medium	High	High
T2	Tampering	Agent uses `unshare(CLONE_NEWUSER	CLONE_NEWNET)` to create a new network namespace with own routing, bypassing iptables OUTPUT rules in original namespace	seccomp-profile.json (allows unshare)	Low	High
T3	Repudiation	DLP disabled by default — credential tokens in URL query params not logged or blocked; attacker could exfiltrate token via allowed domain URL	src/dlp.ts, src/cli.ts:1343-1346	Medium	Medium	Medium
T4	Information Disclosure	One-shot token LD_PRELOAD may not protect tokens accessible via /proc/self/environ if agent runs as root or same UID (mitigated by privilege drop)	containers/agent/one-shot-token/	Low	High	Medium
T5	Denial of Service	Squid connection exhaustion: no per-client connection limits configured; an agent could open many CONNECT tunnels to allowed domains	src/squid-config.ts	Low	Medium	Low
T6	Elevation of Privilege	mount syscall allowed in seccomp + if CAP_SYS_ADMIN not fully dropped, agent may perform bind-mounts over sensitive paths	seccomp-profile.json, entrypoint.sh:305-311	Low	High	Medium

---

🎯 Attack Surface Map

Surface	Location	Current Protection	Risk Level
Agent user command	cli.ts:1166, docker-manager.ts:1003	escapeShellArg(), Docker Compose $$ escaping	Low
Domain allowlist input	domain-patterns.ts:validateDomainOrPattern()	Multi-layer validation, ReDoS-safe regex	Low
IPv4 network egress	setup-iptables.sh, host-iptables.ts	NAT DNAT + filter DROP + Squid ACL	Low
IPv6 network egress	setup-iptables.sh, host-iptables.ts	sysctl disable if no ip6tables; if ip6tables present → no filter chain	High
DNS resolution	entrypoint.sh:68-86, docker-manager.ts:511-516	Only 127.0.0.11 in resolv.conf, upstream restricted	Low
Container capabilities	docker-manager.ts:967-981	cap_drop: ALL + seccomp + no-new-privileges	Low
Seccomp boundary	seccomp-profile.json	SCMP_ACT_ERRNO default, explicit allow-list	Medium (unshare/mount/setns)
API proxy token injection	containers/api-proxy/server.js	Client-supplied auth headers stripped (line 32-37)	Low
Credential leakage in URLs	src/dlp.ts, src/squid-config.ts	DLP opt-in only via --enable-dlp	Medium

---

📋 Evidence Collection

IPv6 Container-Level Filter Gap (setup-iptables.sh:283-285)

# Lines 280-285 of setup-iptables.sh
echo "[iptables] Drop all non-allowed TCP and UDP traffic (default deny)..."
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP
# No ip6tables equivalent — IPv6 TCP/UDP not blocked at container OUTPUT level

IPv6 Host-Level Gap (host-iptables.ts:293-326)

// Lines 293-326 of src/host-iptables.ts
const hasIpv6Dns = upstreamDns.some(s => s.includes(':'));
if (hasIpv6Dns && ip6tablesAvailable) {
  // FW_WRAPPER_V6 created ONLY for IPv6 DNS config
  await execa('ip6tables', ['-t', 'filter', '-N', CHAIN_NAME_V6]);
  // ...adds DNS-only ACCEPT rules to FW_WRAPPER_V6...
}
// MISSING: ip6tables -I DOCKER-USER 1 -i (bridge) -j FW_WRAPPER_V6
// The IPv6 chain is never attached to ip6tables DOCKER-USER
```
</details>

<details>
<summary>Seccomp allows mount/unshare/setns</summary>

```
$ python3 -c "import json; d=json.load(open('containers/agent/seccomp-profile.json')); 
  allowed=[n for s in d['syscalls'] if s['action']=='SCMP_ACT_ALLOW' for n in s['names']];
  print('mount' in allowed, 'unshare' in allowed, 'setns' in allowed)"
True True True
```
</details>

<details>
<summary>DANGEROUS_PORTS inconsistency</summary>

```
squid-config.ts includes (21 ports): 22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 5432, 
  5984(CouchDB), 6379, 6984(CouchDB-SSL), 8086(InfluxDB), 8088(InfluxDB-RPC), 
  9200(Elasticsearch), 9300(ES-transport), 27017, 27018, 28017

setup-iptables.sh includes (15 ports): 22, 23, 25, 110, 143, 445, 1433, 1521, 3306, 3389, 
  5432, 6379, 27017, 27018, 28017
  
Missing from setup-iptables.sh: 5984, 6984, 8086, 8088, 9200, 9300
```
</details>

<details>
<summary>npm audit results</summary>

```
4 moderate vulnerabilities in devDependencies (js-yaml, markdown-it, markdownlint, markdownlint-cli2)
All fixable by upgrading markdownlint-cli2 to 0.21.0 (major version bump)
No production dependency vulnerabilities found.

---

✅ Recommendations

🔴 High Priority

H1: Plug IPv6 Egress Gap

Two-part fix:

1. containers/agent/setup-iptables.sh — Add IPv6 DROP rules when ip6tables is available:

   if [ "$IP6TABLES_AVAILABLE" = true ]; then
     echo "[iptables] Drop all non-allowed IPv6 TCP and UDP traffic..."
     ip6tables -A OUTPUT -p tcp -j DROP
     ip6tables -A OUTPUT -p udp -j DROP
   fi

2. src/host-iptables.ts — Create and attach FW_WRAPPER_V6 unconditionally when ip6tables is available (not only when IPv6 DNS servers are configured), with a default-REJECT rule:

   if (ip6tablesAvailable) {
     // Create chain, add ESTABLISHED/RELATED ACCEPT, add default REJECT
     // Insert: ip6tables -I DOCKER-USER 1 -i (bridge) -j FW_WRAPPER_V6
   }

🟠 Medium Priority

M1: Restrict unshare/setns in Seccomp Profile

Add to containers/agent/seccomp-profile.json deny list:

{ "names": ["unshare", "setns"], "action": "SCMP_ACT_ERRNO" }

Note: Verify no legitimate agent workload needs these syscalls. mount can remain if bind-mounts are needed for certain tools, but should be documented.

M2: Enable DLP by Default (or Warn)

The --enable-dlp flag should be on by default or at least emit a warning when not set. Credential patterns in URLs represent an undetected exfiltration vector in standard deployments.

M3: Synchronize DANGEROUS_PORTS Lists

Add the 6 missing ports (5984, 6984, 8086, 8088, 9200, 9300) to containers/agent/setup-iptables.sh DANGEROUS_PORTS array to match squid-config.ts. Add a comment in setup-iptables.sh noting it must stay in sync with src/squid-config.ts.

🟡 Low Priority

L1: Squid Connection Limits

Add client_ip_max_connections and server_ip_max_connections directives to the generated Squid config to prevent connection exhaustion DoS.

L2: Update markdownlint-cli2 DevDependency

npm install --save-dev markdownlint-cli2@0.21.0

(Resolves 4 moderate npm audit findings in devDependencies.)

L3: Document mount/unshare/setns Seccomp Intent

Add inline comments in seccomp-profile.json explaining why these syscalls are allowed, to prevent future accidental tightening without understanding the impact.

L4: Multi-Wildcard Pattern Warning

Consider emitting a warning (not error) to stderr when --allow-domains includes patterns with more than one wildcard segment, as these may be broader than intended.

---

📈 Security Metrics

Metric	Value
Security-critical files analyzed	7
Lines of security-critical code	6,165
Attack surfaces identified	9
STRIDE threats documented	6
Critical findings	0
High findings	1 (IPv6 egress gap)
Medium findings	3
Low findings	4
Production npm vulnerabilities	0
Dev npm vulnerabilities	4 moderate
Defense-in-depth layers (network)	3 (host iptables + container iptables + Squid ACL)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 20, 2026, 1:55 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls.

🔮 The oracle has spoken through Smoke Codex for issue #1290

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle marks this hall: the smoke test agent was here. The omens are read, the runes recorded, and the veil remains unbroken.

🔮 The oracle has spoken through Smoke Codex for issue #1290

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-03-20T13:55:07.613Z.

Closed by Workflow