[Security Review] Daily Security Review and Threat Modeling – 2026-03-20

[github-actions[bot]]

📊 Executive Summary

Deep evidence-based security review of the gh-aw-firewall codebase (2,513 lines of security-critical code analyzed across 5 core files). The overall security posture is strong. No critical vulnerabilities were found, and no npm dependency vulnerabilities exist. Three low/medium findings were identified, all of which are defense-in-depth gaps rather than direct exploitable issues.

Severity	Count
Critical	0
High	0
Medium	1
Low	2
Informational	3

---

🔍 Findings from Firewall Escape Test

Workflow logs for the security-review workflow could not be fetched in this run (GitHub CLI git discovery issue in sandbox). Analysis is based entirely on static source code review below.

---

🛡️ Architecture Security Analysis

Network Security Assessment ✅ (with caveats)

The firewall implements a layered defense using two independent enforcement points:

Layer 1 – Host-level (FORWARD chain, src/host-iptables.ts)

• A dedicated FW_WRAPPER chain is inserted at position 1 of DOCKER-USER
• Allows: DNS to whitelisted upstream servers, traffic to Squid (TCP 3128), API proxy ports
• Blocks multicast (224.0.0.0/4) and link-local (169.254.0.0/16) ranges
• Final REJECT catches all remaining traffic (UDP → REJECT, then catch-all → REJECT with icmp-port-unreachable)

# src/host-iptables.ts:380-417 (final deny rules in FW_WRAPPER chain)
'-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'  # for UDP
'-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'  # catch-all

Layer 2 – Container-level (OUTPUT chain, containers/agent/setup-iptables.sh)

• DNAT redirects port 80/443 → Squid at 172.30.0.10:3128
• Dangerous ports RETURN from NAT (preventing redirect to Squid) and are then dropped
• Final deny: iptables -A OUTPUT -p tcp -j DROP and iptables -A OUTPUT -p udp -j DROP

L7 – Squid Proxy (src/squid-config.ts)

• Domain ACL with exact + subdomain matching (dstdomain) and wildcard regex (dstdom_regex)
• Direct-IP CONNECT blocked: acl dst_ipv4 dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
• ICMP/pinger disabled: pinger_enable off
• Topology hiding: forwarded_for delete + via off
• Caching disabled: cache deny all (prevents cross-request side-channel via cache)
• Port allowlist enforced: http_access deny !Safe_ports

Container Security Assessment ✅

# containers/agent/entrypoint.sh – capability drop (chroot mode)
CAPS_TO_DROP="cap_sys_chroot,cap_sys_admin"
exec capsh --drop=\$\{CAPS_TO_DROP} --user=\$\{HOST_USER} -- -c 'exec \$\{SCRIPT_FILE}'

# Non-chroot mode: gosu switches to unprivileged awfuser
gosu awfuser "$@"

• NET_ADMIN is never granted to the agent container (only to the ephemeral init container awf-iptables-init)
• UID/GID validated to prevent root: if [ "$HOST_UID" -eq 0 ]; then … exit 1
• Seccomp profile blocks: ptrace, process_vm_readv, process_vm_writev, kexec_load, reboot, kernel module operations, pivot_root, key management syscalls (add_key, request_key, keyctl)
• One-shot-token library (LD_PRELOAD) prevents multiple reads of sensitive env vars
• 5-second delay before unset_sensitive_tokens allows agent to cache tokens via the library

Domain Validation Assessment ✅

# src/domain-patterns.ts – ReDoS-safe wildcard conversion
const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*';
# * → [a-zA-Z0-9.-]* (bounded character class, not .*)

# Input length check before regex (defense-in-depth)
const MAX_DOMAIN_LENGTH = 512;
if (domainEntry.domain.length > MAX_DOMAIN_LENGTH) return false;

• * and *.* explicitly rejected
• Patterns where all-but-one segment is * rejected
• Double-dots, leading/trailing lone dots, *. and .* rejected
• Protocol-specific restrictions supported ((redacted) https://` prefixes)

Input Validation Assessment ✅

# src/squid-config.ts:480-495 – port injection prevention
const sanitizedPort = port.replace(/[^0-9-]/g, '');
portAclsSection += `\nacl Safe_ports port \$\{sanitizedPort}`
# Integer validation and range checks precede sanitization

• Port ranges validated as integers (1–65535 bounds checked)
• Dangerous ports cannot be unlocked via --allow-host-ports (enforced in both Squid config and iptables)
• AWF_USER_UID/GID validated as numeric and non-zero before use

---

⚠️ Threat Model

#	Category (STRIDE)	Threat	Evidence	Severity	Likelihood
T1	Tampering	Dangerous port list out-of-sync between iptables and Squid	setup-iptables.sh has 15 ports; squid-config.ts has 21	Medium	Low
T2	Information Disclosure	ICMP not explicitly blocked in container OUTPUT chain	No iptables -A OUTPUT -p icmp -j DROP in setup-iptables.sh	Low	Very Low
T3	Elevation of Privilege	API proxy firewall allows unused port 10003 via min-max range	src/host-iptables.ts:371 uses \$\{minPort}:\$\{maxPort} = 10000:10004	Low	Very Low
T4	Information Disclosure	Token unset timing (5s sleep heuristic)	containers/agent/entrypoint.sh:641-689	Informational	Very Low
T5	Tampering	git safe.directory='*' disables ownership protections in container	containers/agent/entrypoint.sh:296	Informational	Low
T6	Information Disclosure	SSL Bump (opt-in) decrypts all HTTPS traffic including credentials	src/squid-config.ts:147-182 – documented but high-impact if misused	Informational	Operator-controlled

---

🎯 Attack Surface Map

Attack Surface	Location	Current Protections	Residual Risk
Egress HTTP/HTTPS	Squid:3128, DNAT rules	Domain ACL, port allowlist, IP-direct blocking, forwarded_for stripped	Low
Egress DNS	UDP/TCP 53 to Docker embedded DNS	Only 127.0.0.11 in resolv.conf; upstream whitelisted; direct DNS blocked	Low
Egress non-TCP/UDP (ICMP, SCTP)	Container OUTPUT / Host FORWARD	Container: not explicitly dropped (see T2); Host FW_WRAPPER: final REJECT catches all	Very Low
API proxy sidecar	172.30.0.30:10000-10004	Host iptables allows 10000-10004 (incl. 10003 gap); agent uses only API calls	Very Low
Dangerous service ports	Setup-iptables NAT RETURN + OUTPUT DROP	15 ports in iptables NAT, 21 in Squid; final DROP catches all TCP anyway	Very Low
Container → Host filesystem	Selective bind mounts	/etc/shadow excluded, home dir allow-list, chroot root is /host	Low
Privilege escalation	Entrypoint capability drops	capsh drops caps, NET_ADMIN not granted to agent, seccomp blocks syscalls	Low
Token leakage via /proc	One-shot-token library + token unset	LD_PRELOAD protects env, 5s sleep before unset	Very Low
IPv6 bypass	ip6tables / sysctl disable fallback	If ip6tables available: rules applied; if not: sysctl disable_ipv6=1	Very Low

---

📋 Evidence Collection

Finding T1: Dangerous Port List Mismatch

# Command run:
diff <(grep -E "^\s+[0-9]+" setup-iptables.sh | grep -oE "[0-9]+") \
     <(grep -E "^\s+[0-9]+," squid-config.ts | grep -oE "[0-9]+")

# Output (ports in squid-config.ts but NOT in setup-iptables.sh):
# 5984   CouchDB
# 6984   CouchDB (SSL)
# 8086   InfluxDB HTTP API
# 8088   InfluxDB RPC
# 9200   Elasticsearch HTTP API
# 9300   Elasticsearch transport

# Relevant code (setup-iptables.sh DANGEROUS_PORTS array):
# 15 ports total – missing: 5984, 6984, 8086, 8088, 9200, 9300

# Relevant code (squid-config.ts DANGEROUS_PORTS):
# 21 ports total – correctly includes all of the above

Impact: Minimal. The container's final iptables -A OUTPUT -p tcp -j DROP catches all TCP regardless of the NAT RETURN list. However, this inconsistency could mislead operators and represents incomplete defense-in-depth documentation.

Finding T2: ICMP Not Explicitly Blocked in Container OUTPUT

# Command run:
grep "iptables -A OUTPUT" containers/agent/setup-iptables.sh | grep -E "\-p (tcp|udp|icmp)"

# Output (only TCP and UDP are dropped – no ICMP rule):
# iptables -A OUTPUT -p tcp -d 127.0.0.11 --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp -d "$SQUID_IP" -j ACCEPT
# iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" -j ACCEPT
# iptables -A OUTPUT -p tcp -j DROP
# iptables -A OUTPUT -p udp -j DROP
#
# → No "iptables -A OUTPUT -p icmp -j DROP"

# Host-level mitigation (src/host-iptables.ts:413-417):
# Final catch-all REJECT in FW_WRAPPER does block ICMP via FORWARD chain.
# ICMP to external IPs is therefore blocked at the host level.
# Only ICMP within the 172.30.0.0/24 Docker network is not explicitly restricted.

Impact: Very low. External ICMP exfiltration (ICMP tunneling to internet) is blocked at the host level. Intra-network ICMP (agent→squid pings) is inconsequential.

Finding T3: API Proxy Port Range Gap (10003)

# Port definition (src/types.ts:16-44):
# OPENAI:    10000
# ANTHROPIC: 10001
# COPILOT:   10002
# OPENCODE:  10004  ← gap at 10003

# Host iptables rule (src/host-iptables.ts:365-373):
const allPorts = Object.values(API_PROXY_PORTS);  // [10000, 10001, 10002, 10004]
const minPort = Math.min(...allPorts);              // 10000
const maxPort = Math.max(...allPorts);              // 10004
// Rule: -p tcp -d $apiProxyIp --dport 10000:10004 -j ACCEPT
# → Port 10003 on 172.30.0.30 is allowed through firewall with no service behind it

Impact: Very low. No service listens on 10003 at the API proxy IP, so connections would be refused by the container. An adversary would need to compromise the API proxy container and bind a service to 10003.

Finding T4: Token Unset Timing Assumption

# containers/agent/entrypoint.sh:641-695
AGENT_PID=$!
# Wait for agent to initialize and cache tokens (5 seconds)
sleep 5
# Unset all sensitive tokens from parent shell environment
unset_sensitive_tokens
wait $AGENT_PID

Design: The one-shot-token library intercepts getenv() via LD_PRELOAD and caches the value. Subsequent calls return the cached value even after the shell unsets the variable. The 5-second window is intentional to allow the library to be loaded and the first read to occur. Tokens are never directly visible in /proc/self/environ after the parent unsets them.

Finding T5: git safe.directory Disabled

# containers/agent/entrypoint.sh:296
runuser -u awfuser -- git config --global --add safe.directory '*' 2>/dev/null || true

Context: This is required because the workspace bind mount may be owned by a different UID than awfuser (before UID/GID remapping takes effect). The risk is limited to the container environment where the operator controls what is mounted.

Positive Finding: Zero npm Vulnerabilities

# Command run:
npm audit --json --prefix /home/runner/work/gh-aw-firewall/gh-aw-firewall 2>/dev/null | python3 -c "..."

# Output:
# Total vulnerabilities: 0

Positive Finding: Squid Security Hardening

# src/squid-config.ts – confirmed positive security controls:
grep "pinger_enable\|forwarded_for\|via off\|cache deny" src/squid-config.ts
# 517: pinger_enable off          ← disables ICMP at L7
# 532: cache deny all             ← no disk caching (cross-request leakage)
# 568: cache deny all             ← duplicate/confirmed in second location
# 574: forwarded_for delete       ← no X-Forwarded-For header
# 575: via off                    ← no Via header (topology hiding)

---

✅ Recommendations

🔴 Critical

None identified.

🟠 High

None identified.

🟡 Medium

M1 – Synchronize Dangerous Port Lists
containers/agent/setup-iptables.sh DANGEROUS_PORTS is missing 6 ports present in src/squid-config.ts: 5984 (CouchDB), 6984 (CouchDB SSL), 8086 (InfluxDB HTTP), 8088 (InfluxDB RPC), 9200 (Elasticsearch HTTP), 9300 (Elasticsearch transport).

While the final iptables -A OUTPUT -p tcp -j DROP catches these, the intent of the NAT RETURN list is explicit defense-in-depth documentation. Add the 6 missing ports to DANGEROUS_PORTS in setup-iptables.sh.

Files: containers/agent/setup-iptables.sh lines 222-249

🔵 Low

L1 – Explicitly Block ICMP in Container OUTPUT Chain
Add iptables -A OUTPUT -p icmp -j DROP to setup-iptables.sh after the UDP DROP rule. While ICMP is blocked at the host level via FW_WRAPPER, adding an explicit container-level rule closes the defense-in-depth gap and prevents any intra-network ICMP leakage.

Files: containers/agent/setup-iptables.sh after line 320

L2 – Use Explicit Port List Instead of min-max Range for API Proxy
Replace the minPort:maxPort range in src/host-iptables.ts with explicit per-port rules matching exactly API_PROXY_PORTS values (10000, 10001, 10002, 10004), eliminating the unintended port 10003 allowance.

Files: src/host-iptables.ts lines 365-374

🟢 Informational

I1 – Document 5-second Token Caching Window
The sleep 5 before unset_sensitive_tokens is correct but worth explicitly documenting the security model: tokens are readable by the agent during the first 5 seconds via direct env read, then only via the one-shot-token library cache. Consider making the delay configurable via an env var for high-security environments.

I2 – Consider Restricting git safe.directory
The global safe.directory='*' is necessary for workspace access but broad. Consider restricting to specific mounted paths (e.g., the workspace directory) rather than all paths.

I3 – SSL Bump Operational Guidance
When --enable-ssl-bump is used, the Squid CA key should be treated as a highly sensitive secret. Consider adding a prominent warning in the CLI output when SSL bump is active, noting that HTTPS credentials will be visible to the Squid proxy.

---

📈 Security Metrics

Metric	Value
Security-critical files analyzed	5
Lines of security-critical code	2,513
npm dependency vulnerabilities	0
Critical/High findings	0
Attack surfaces mapped	8
Positive security controls noted	8
Threat model categories (STRIDE)	6

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 27, 2026, 1:51 PM UTC