[Security Review] Daily Security Review and Threat Modeling – 2026-03-19

[github-actions[bot]]

📊 Executive Summary

This review covers the AWF (Agentic Workflow Firewall) codebase with evidence gathered by direct source inspection. The firewall's defense-in-depth architecture is generally sound, with multiple overlapping layers. No critical vulnerabilities were found. Four medium-severity findings and five low/informational findings are documented below with verifiable evidence.

Security Posture Overview

Layer	Status	Notes
Domain whitelisting (Squid ACL)	✅ Strong	dstdomain + dstdom_regex, ReDoS-safe wildcards
IP-direct bypass prevention	✅ Strong	dst_ipv4/dst_ipv6 ACLs deny raw IP CONNECTs
Container network isolation	✅ Good	Fixed subnet, DOCKER-USER chain, FW_WRAPPER chain
IPv4 egress filtering (container)	✅ Good	TCP/UDP DROP at OUTPUT filter; DNAT to Squid
Privilege dropping	✅ Good	capsh --drop before user code; UID ≠ 0 enforced
IPv6 egress filtering	⚠️ Gap	Container OUTPUT chain drops IPv4 only
AppArmor	⚠️ Gap	apparmor:unconfined to permit procfs mount
ICMP filtering	⚠️ Gap	Not blocked in OUTPUT filter chain
DLP (credential leak)	⚠️ Opt-in	Not enabled by default

---

🔍 Findings from Previous Security Workflow Runs

The security-review and secret-digger-* workflows are all compiled and active, but log downloads were unavailable in this run due to the environment not having git-based remote access. Findings below are based entirely on static source analysis.

---

🛡️ Architecture Security Analysis

Network Security Assessment

Squid ACL rule ordering is correct. Evidence from src/squid-config.ts:541–565:

# Block raw IP CONNECT (no domain name)
http_access deny dst_ipv4
http_access deny dst_ipv6

# [DLP rules, blocked domain rules, allow rules]

# Deny rule (non-allowlisted domains)
http_access deny !allowed_domains !allowed_domains_regex

# Then allow localnet (only reached for traffic that passed domain filter)
http_access allow localnet
http_access allow localhost

http_access deny all

Squid evaluates first-match, so non-allowed domains are denied before the allow localnet rule is reached. ✅

Host-level iptables chain is well-structured. src/host-iptables.ts builds a dedicated FW_WRAPPER chain inserted into DOCKER-USER, scoping rules to the specific bridge interface. Order:

1. Allow Squid source IP (unrestricted outbound)
2. Allow ESTABLISHED/RELATED (return traffic)
3. Allow localhost
4. Allow DNS to whitelisted upstream servers
5. Allow traffic to Squid proxy port
6. Block multicast and link-local (169.254.0.0/16, 224.0.0.0/4)
7. LOG + REJECT UDP
8. LOG + REJECT everything else

Finding (Medium) — IPv6 container OUTPUT chain lacks DROP rules

containers/agent/setup-iptables.sh ends with:

# Drop all other TCP and UDP traffic (default deny policy)
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -p udp -j DROP

There are no corresponding ip6tables OUTPUT DROP rules. Also, in src/host-iptables.ts, the CHAIN_NAME_V6 chain is created only when IPv6 DNS servers are configured (hasIpv6Dns && ip6tablesAvailable) and is never inserted into ip6tables DOCKER-USER:

// Only IPv4 DOCKER-USER insertion (src/host-iptables.ts)
await execa('iptables', [
  '-t', 'filter', '-I', 'DOCKER-USER', '1',
  '-i', bridgeName,
  '-j', CHAIN_NAME,
]);
// No corresponding ip6tables DOCKER-USER insertion

If a Docker network is created with IPv6 support, IPv6 TCP/UDP from the agent container would be unfiltered. Docker disables IPv6 on user-defined bridge networks by default, limiting practical risk, but this is a defense-in-depth gap.

Finding (Low) — ICMP not blocked in container OUTPUT chain

containers/agent/setup-iptables.sh drops tcp and udp but not icmp/icmpv6. Raw ICMP packets (ping, unreachable messages) from the container are not filtered. While ICMP cannot carry application-layer payloads directly, ICMP tunneling tools (e.g., ptunnel) can encapsulate TCP over ICMP. The host-level chain also does not explicitly drop ICMP:

// src/host-iptables.ts — REJECT rules
'-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'
// Only applies to multicast and link-local matches, not general ICMP OUTPUT

Recommendation: Add iptables -A OUTPUT -p icmp -j DROP and ip6tables -A OUTPUT -p icmpv6 -j DROP in setup-iptables.sh after the TCP/UDP DROP rules (or use a policy drop on the OUTPUT chain).

Container Security Assessment

Capabilities: partially hardened, with a necessary window.

The agent container is granted SYS_CHROOT and SYS_ADMIN for startup operations, then drops them via capsh before executing user code (containers/agent/entrypoint.sh:307, src/docker-manager.ts:1012). NET_ADMIN is deliberately withheld from the agent; a separate init container (awf-iptables-init) handles iptables setup via shared network namespace.

# src/docker-manager.ts:1012-1015
cap_add: ['SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: ['NET_RAW', 'SYS_PTRACE', 'SYS_MODULE', 'SYS_RAWIO', 'MKNOD'],

The ptrace/process_vm_readv/process_vm_writev syscalls are explicitly blocked in the seccomp profile at containers/agent/seccomp-profile.json.

Finding (Medium) — AppArmor disabled for agent container

// src/docker-manager.ts:1025-1028
security_opt: [
  'no-new-privileges:true',
  `seccomp=\$\{config.workDir}/seccomp-profile.json`,
  'apparmor:unconfined',   // <-- disabled
],

The rationale (procfs mounting for .NET CLR) is documented, but apparmor:unconfined removes Docker's default AppArmor policy, which normally blocks:

• Arbitrary mounts
• Write access to /proc/sysrq-trigger, /proc/kcore
• Access to host devices
• Some ptrace vectors

Combined with SYS_ADMIN being temporarily available during startup and seccomp allowing mount/unshare/setns, this creates an elevated container escape window.

Finding (Medium) — open_by_handle_at in seccomp allowlist

// containers/agent/seccomp-profile.json (in the SCMP_ACT_ALLOW block)
"open_by_handle_at",

This syscall was exploited in CVE-2014-5155 ("Shocker" container escape), allowing processes to open host filesystem files by inode handle even when path-based access is restricted. When SYS_ADMIN is held (startup window) AND AppArmor is unconfined, open_by_handle_at can open inodes on any mounted filesystem. Modern kernel mitigations (fsopen, mount namespaces) reduce but don't eliminate this risk. Recommendation: explicitly deny open_by_handle_at in seccomp (add to SCMP_ACT_ERRNO block alongside ptrace).

Seccomp: unshare, mount, setns allowed

// SCMP_ACT_ALLOW list includes: "mount", "unshare", "setns"
```

`mount` is needed for procfs. `unshare` is needed by some tools (sandboxed builds). `setns` is needed by some container runtimes. These are difficult to remove without breaking legitimate use cases, but they represent container escape primitives that rely on capability checks for safety. The seccomp profile's `SCMP_ACT_ERRNO` block correctly blocks `kexec_load`, `init_module`, `pivot_root`, `add_key`, `keyctl`, which are the most dangerous escalation paths.

### Domain Validation Assessment

**Domain validation is robust.** `src/domain-patterns.ts` validates against:
- Empty patterns
- Bare wildcard `*`
- Overly broad `*.*`
- Patterns with only wildcards and dots
- Double-dot sequences
- Multiple wildcard segments

Wildcard conversion uses character class `[a-zA-Z0-9.-]*` instead of `.*` (ReDoS mitigation), anchored with `^` and `$`. Input length is capped at 512 characters before regex execution.

Protocol-specific allowlisting (`(domain/redacted) vs `(domain/redacted)`) is implemented with separate Squid ACLs and correct `!CONNECT`/`CONNECT` rule selection.

**Raw IP bypass is blocked.** Squid config generates:
```
acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl dst_ipv6 dstdom_regex ^\[?[0-9a-fA-F:]+\]?$
http_access deny dst_ipv4
http_access deny dst_ipv6

Input Validation Assessment

Shell escaping is correct. src/cli.ts:862–876:

export function escapeShellArg(arg: string): string {
  if (/^[a-zA-Z0-9_\-./=:]+$/.test(arg)) {
    return arg;
  }
  return `'\$\{arg.replace(/'/g, "'\\''")}'`;
}

Single-quote wrapping with escaped inner single-quotes is safe against shell injection.

UID/GID validation is present. containers/agent/entrypoint.sh:10–29 validates that AWF_USER_UID/GID are numeric and non-zero (prevents root mapping):

if ! [[ "$HOST_UID" =~ ^[0-9]+$ ]]; then exit 1; fi
if [ "$HOST_UID" -eq 0 ]; then exit 1; fi

---

⚠️ Threat Model (STRIDE)

#	Category	Threat	Evidence	Likelihood	Impact	Severity
T1	Information Disclosure	IPv6 egress bypass if Docker IPv6 bridge enabled	setup-iptables.sh: no ip6tables OUTPUT DROP; host-iptables.ts: no ip6tables DOCKER-USER insertion	Low (Docker IPv6 off by default)	High	Medium
T2	Elevation of Privilege	Container escape via open_by_handle_at + SYS_ADMIN window + AppArmor unconfined	seccomp-profile.json allows open_by_handle_at; docker-manager.ts:1028 apparmor:unconfined	Low (narrow window, needs privileged process)	Critical	Medium
T3	Information Disclosure	ICMP covert channel / ICMP tunneling	setup-iptables.sh: only drops tcp/udp; no icmp DROP rule	Low (requires cooperative receiver)	Low	Low
T4	Information Disclosure	Credential leakage via URL (DLP opt-in)	src/dlp.ts; --enable-dlp not default; src/redact-secrets.ts only covers command strings	Medium (human error)	Medium	Low
T5	Information Disclosure	API proxy port 10003 unintentionally reachable	src/host-iptables.ts:365–373: minPort:maxPort = 10000:10004 (contiguous range includes 10003)	Negligible (no listener)	Negligible	Informational
T6	Tampering	Dangerous port lists inconsistent between Squid and iptables	squid-config.ts DANGEROUS_PORTS includes 5984,6984,8086,8088,9200,9300; setup-iptables.sh does not	Low (covered by final DROP)	Low	Informational
T7	Spoofing	Agent bypasses Squid domain filter via host gateway when --enable-host-access	setup-iptables.sh:170–210: host gateway and network gateway bypass Squid for ports 80/443	Low (opt-in feature)	Medium	Low
T8	Denial of Service	Squid timeout misconfiguration for non-streaming workloads	src/squid-config.ts: read_timeout 30 minutes, connect_timeout 30s — very long timeouts	Low	Low	Informational

---

🎯 Attack Surface Map

Entry Point	File:Line	Function	Current Protections	Weaknesses
CLI --allow-domains	src/cli.ts:1318	Domain whitelisting	validateDomainOrPattern(), ReDoS-safe wildcards	None identified
CLI --env/-e	src/docker-manager.ts:373	Env var injection	EXCLUDED_ENV_VARS list strips secrets	--env-all copies entire process.env minus exclusions
CLI --allow-host-ports	src/squid-config.ts:460	Host port allowlisting	DANGEROUS_PORTS validation	Mismatch with iptables list
Agent container network	containers/agent/setup-iptables.sh	Egress control	TCP/UDP DROP; DNAT to Squid	ICMP unfiltered; IPv6 container OUTPUT unfiltered
Squid proxy ACLs	src/squid-config.ts:240	Domain filtering	dstdomain/dstdom_regex; deny raw IPs	-
API proxy credential injection	containers/api-proxy/server.js:28	API key isolation	Strips auth headers before injection	-
Agent container startup	containers/agent/entrypoint.sh:303	Privilege dropping	capsh drop; UID≠0 check	SYS_ADMIN window; AppArmor unconfined
Seccomp syscall filter	containers/agent/seccomp-profile.json	Syscall restriction	Default ERRNO; ptrace/kexec blocked	open_by_handle_at allowed; unshare/mount/setns allowed
Docker image pull	src/docker-manager.ts:850	Image integrity	Tagged images from GHCR	No image digest pinning (SHA256)

---

📋 Evidence Collection

IPv6 container OUTPUT chain – missing DROP rules

$ grep -n "iptables.*OUTPUT.*DROP\|ip6tables.*OUTPUT.*DROP" containers/agent/setup-iptables.sh
319:iptables -A OUTPUT -p tcp -j DROP
320:iptables -A OUTPUT -p udp -j DROP
# No ip6tables OUTPUT DROP rules found

AppArmor disabled in docker-manager.ts

$ grep -n "apparmor" src/docker-manager.ts
1022:    // AppArmor is set to unconfined to allow mounting procfs at /host/proc
1028:      'apparmor:unconfined',

open_by_handle_at in seccomp allowlist

import json
with open('containers/agent/seccomp-profile.json') as f:
    d = json.load(f)
allowed = set()
for s in d['syscalls']:
    if s['action'] == 'SCMP_ACT_ALLOW':
        allowed.update(s['names'])
# output:
# open_by_handle_at: ALLOWED
# mount: ALLOWED
# unshare: ALLOWED
# setns: ALLOWED

API proxy port range (10000:10004 includes 10003)

// src/host-iptables.ts:365-373
const allPorts = Object.values(API_PROXY_PORTS); // [10000, 10001, 10002, 10004]
const minPort = Math.min(...allPorts);   // 10000
const maxPort = Math.max(...allPorts);   // 10004
// iptables rule: --dport 10000:10004  (includes 10003)

Dangerous ports mismatch

squid_ports = [22,23,25,110,143,445,1433,1521,3306,3389,5432,5984,6379,6984,8086,8088,9200,9300,27017,27018,28017]
iptables_ports = [22,23,25,110,143,445,1433,1521,3306,3389,5432,6379,27017,27018,28017]
# In squid but not iptables (no explicit NAT RETURN rule): [5984, 6984, 8086, 8088, 9200, 9300]
# Blocked by final OUTPUT DROP, not by explicit RETURN rule
```

</details>

<details>
<summary>npm audit results</summary>

```
vulnerabilities: { info: 0, low: 0, moderate: 4, high: 0, critical: 0 }
MODERATE: js-yaml
MODERATE: markdown-it
MODERATE: markdownlint
MODERATE: markdownlint-cli2

All moderate — only affect dev/docs tooling, not runtime security.

---

✅ Recommendations

🔴 Medium Priority

M1. Add IPv6 DROP rules in container OUTPUT chain (containers/agent/setup-iptables.sh)

Add after the existing TCP/UDP DROP rules:

# Drop all IPv6 traffic (defense-in-depth; IPv6 is not used in AWF network)
if [ "$IP6TABLES_AVAILABLE" = true ]; then
  ip6tables -A OUTPUT -p tcp -j DROP
  ip6tables -A OUTPUT -p udp -j DROP
  ip6tables -A OUTPUT -p icmpv6 -j DROP
fi

Also insert CHAIN_NAME_V6 into ip6tables DOCKER-USER in src/host-iptables.ts for host-level coverage.

M2. Deny open_by_handle_at in seccomp (containers/agent/seccomp-profile.json)

Move open_by_handle_at from the ALLOW block to the explicit ERRNO block (alongside ptrace):

{
  "names": ["open_by_handle_at", "name_to_handle_at"],
  "action": "SCMP_ACT_ERRNO",
  "errnoRet": 1,
  "comment": "Block file-handle syscalls used in Shocker-style container escapes (CVE-2014-5155)"
}

Verify that no agent use case requires this syscall before applying.

🟡 Low Priority

L1. Block ICMP in container OUTPUT (containers/agent/setup-iptables.sh)

iptables -A OUTPUT -p icmp -j DROP

Add before the final TCP/UDP DROP rules. This prevents ICMP tunneling and reduces the covert channel surface.

L2. Enable DLP by default for sensitive deployments

Consider making --enable-dlp default-on for CI/CD environments where credential leakage is a high-risk scenario. The current opt-in model relies on operators knowing to enable it.

L3. Fix API proxy iptables port range (src/host-iptables.ts:365–373)

Replace contiguous range with discrete multiport rules:

const allPorts = Object.values(API_PROXY_PORTS); // [10000, 10001, 10002, 10004]
await execa('iptables', [
  '-t', 'filter', '-A', CHAIN_NAME,
  '-p', 'tcp', '-d', apiProxyIp,
  '-m', 'multiport', '--dports', allPorts.join(','),
  '-j', 'ACCEPT',
]);

L4. Sync dangerous ports lists (containers/agent/setup-iptables.sh)

Add ports 5984, 6984, 8086, 8088, 9200, 9300 to the DANGEROUS_PORTS array in setup-iptables.sh to match squid-config.ts. Currently these are only blocked by the final OUTPUT DROP rule rather than the explicit RETURN-then-DROP path.

🟢 Informational

I1. Consider image digest pinning — GHCR images are pulled by tag (latest or version). Pinning to SHA256 digest would prevent tag mutation attacks.

I2. Document AppArmor trade-off — The reason for apparmor:unconfined (procfs mount for .NET CLR) is documented in code comments but could benefit from a dedicated security decision record.

---

📈 Security Metrics

Metric	Value
Security-critical source files analyzed	8 (cli.ts, docker-manager.ts, host-iptables.ts, squid-config.ts, domain-patterns.ts, setup-iptables.sh, entrypoint.sh, seccomp-profile.json)
Total findings	9 (0 critical, 2 medium, 3 low, 4 informational)
npm audit vulnerabilities (critical/high)	0
Attack surfaces identified	9
Threat model entries	8
DefenseInDepth layers active	5 (iptables, Squid ACL, seccomp, capsh privilege drop, container isolation)
DefenseInDepth layers with gaps	2 (IPv6 filtering, AppArmor)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 26, 2026, 1:56 PM UTC