[Security Review] Daily Security Review and Threat Modeling — 2026-03-12

[github-actions[bot]]

📊 Executive Summary

Overall Security Posture: Strong with targeted gaps

This review analyzed 5,639 lines of security-critical code across 7 core files. The firewall implements well-designed defense-in-depth controls for network filtering, credential isolation, privilege dropping, and token protection. Zero npm vulnerabilities are present. Four findings are rated Medium or below; no Critical findings were identified.

Metric	Value
Security-critical lines analyzed	5,639
npm vulnerabilities	0
Attack surfaces identified	8
Critical findings	0
High findings	0
Medium findings	2
Low findings	3

---

🔍 Findings from Firewall Escape Test

No "firewall-escape-test" workflow was found in the repository. Relevant complementary workflows include secret-digger-claude, secret-digger-codex, secret-digger-copilot, and security-guard. Their logs were not accessible at review time. This review is based entirely on static analysis.

---

🛡️ Architecture Security Analysis

Network Security Assessment — STRONG

The firewall implements a two-layer filtering architecture:

Layer 1 — Container-level iptables (containers/agent/setup-iptables.sh)

• NAT DNAT redirects HTTP (port 80) and HTTPS (port 443) to Squid (172.30.0.10:3128)
• Localhost traffic allowed for stdio MCP servers
• DNS restricted to trusted servers only (default: 8.8.8.8, 8.8.4.4)
• Docker embedded DNS (127.0.0.11) allowed for container service resolution
• Dangerous ports (22/SSH, 3306/MySQL, 5432/PostgreSQL, 6379/Redis, etc.) return before DNAT
• Final rule: iptables -A OUTPUT -p tcp -j DROP (default deny for TCP)

Layer 2 — Host DOCKER-USER chain (src/host-iptables.ts)

• Dedicated FW_WRAPPER chain inserted into DOCKER-USER (affects all containers on awf-net)
• Squid proxy IP exempted from filtering (unrestricted outbound access)
• ESTABLISHED,RELATED connections allowed (return traffic)
• DNS allowed only to trusted servers (IPv4 and IPv6)
• Multicast (224.0.0.0/4) and link-local (169.254.0.0/16) rejected
• All other UDP explicitly blocked with LOG + REJECT ([FW_BLOCKED_UDP])
• Default deny for remaining traffic with LOG + REJECT ([FW_BLOCKED_OTHER])

Verdict: The dual-layer architecture is sound. QUIC/HTTP3 (UDP 443) is blocked by the host-level UDP REJECT rule, preventing proxy bypass via HTTP/3. IPv6 is disabled via sysctl when ip6tables is unavailable, preventing unfiltered IPv6 bypass.

⚠️ Gap: Container-level iptables only drops TCP (iptables -A OUTPUT -p tcp -j DROP); there is no matching UDP DROP at the container level. Non-DNS UDP relies entirely on the host-level chain. If the host iptables initialization fails, UDP would flow unfiltered from the container.

Evidence:

# setup-iptables.sh line ~264
echo "[iptables] Drop all non-redirected TCP traffic (default deny)..."
iptables -A OUTPUT -p tcp -j DROP
# No equivalent UDP drop rule at container level

---

Container Security Assessment — STRONG

Capabilities:

// src/docker-manager.ts lines 896–905
cap_add: ['NET_ADMIN', 'SYS_CHROOT', 'SYS_ADMIN'],
cap_drop: [
  'NET_RAW',      // Prevents raw socket creation
  ...
],
security_opt: ['no-new-privileges:true'],

• NET_ADMIN is required for iptables setup but dropped via capsh before user command execution (entrypoint.sh lines 278–283)
• no-new-privileges:true applied to both agent and sidecar containers
• Docker's default seccomp profile enforced (SCMP_ACT_ERRNO allowlist)

Privilege Drop Sequence (non-chroot):

# entrypoint.sh ~line 649
capsh --drop=$CAPS_TO_DROP -- -c "exec gosu awfuser $(printf '%q ' "$@")" &
AGENT_PID=$!
sleep 5
unset_sensitive_tokens
wait $AGENT_PID

UID/GID Validation:

# entrypoint.sh — prevents root bypass
if [ "$HOST_UID" -eq 0 ]; then
  echo "[entrypoint][ERROR] Invalid AWF_USER_UID: cannot be 0 (root)"
  exit 1
fi

Memory limit: Default 2g, configurable via --memory-limit (src/docker-manager.ts:914–916).

---

Token Protection Assessment — STRONG

The one-shot-token LD_PRELOAD library (containers/agent/one-shot-token/one-shot-token.c) intercepts getenv() and secure_getenv() calls:

1. On first access: caches the value in memory, calls unsetenv() to clear from /proc/self/environ
2. On subsequent accesses: returns cached value without re-reading environment
3. Token names are XOR-obfuscated in the binary (key=0x5A) to prevent strings/objdump discovery
4. Uses pthread_mutex_t with a thread-local recursion guard to prevent deadlocks
5. Parent shell independently unsets tokens after 5-second initialization window (sleep 5)

⚠️ Gap (chroot mode): If copying one-shot-token.so to /host/tmp/awf-lib/ fails, execution continues with a warning. Token protection is silently degraded:

# entrypoint.sh ~line 357
echo "[entrypoint][WARN] Token protection will be disabled (tokens may be readable multiple times)"

⚠️ Gap: The 5-second initialization window is hardcoded. On heavily loaded systems where agent initialization takes >5 seconds before token reads, the parent could unset tokens before the one-shot library caches them. (The one-shot library itself prevents multiple reads from /proc/self/environ of the agent process, but the timing between parent unset and agent first read is imprecise.)

---

Domain Validation Assessment — STRONG

// src/domain-patterns.ts
// Blocks overly broad patterns:
if (trimmed === '*') throw new Error("Pattern '*' matches all domains and is not allowed");
if (trimmed === '*.*') throw new Error("Pattern '*.*' is too broad and is not allowed");
if (/^[*.]+$/.test(trimmed) && trimmed.includes('*')) throw new Error(`Pattern '\$\{trimmed}' is too broad`);
// Prevents multiple wildcard segments:
if (wildcardSegments > 1 && wildcardSegments >= totalSegments - 1) throw new Error(...)
// ReDoS protection in wildcard expansion:
const DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*'; // safe character class, not .*
// 512-byte domain length limit before regex matching
```

**Verdict:** Comprehensive validation. The `[a-zA-Z0-9.-]*` substitution for `*` prevents ReDoS; length limits provide defense-in-depth.

---

### Credential Protection Assessment — **GOOD with gaps**

AWF uses three techniques to prevent credential exfiltration:
1. **Empty home directory mount** — real `$HOME` not mounted; empty writable directory used instead
2. **Selective re-mounts** — `~/.config`, `~/.cache`, `~/.local`, `~/.copilot`, etc. explicitly mounted
3. **`/dev/null` overlays** — 13 specific credential files overlaid with empty files

Credential files currently protected (both at direct and `/host` paths):
```
~/.docker/config.json, ~/.npmrc, ~/.cargo/credentials, ~/.composer/auth.json
~/.config/gh/hosts.yml, ~/.ssh/{id_rsa,id_ed25519,id_ecdsa,id_dsa}
~/.aws/{credentials,config}, ~/.kube/config, ~/.azure/credentials
~/.config/gcloud/credentials.db

⚠️ Gap: ~/.config is mounted read-write (~/.config:/host~/.config:rw) with only 2 subdirectory credential files blocked. Other potential credential files in ~/.config are not protected, including:

• ~/.config/hub/config (hub CLI GitHub tokens)
• ~/.config/op/config (1Password CLI session tokens)
• ~/.config/gcloud/access_tokens.db (GCloud access tokens — only credentials.db is blocked)
• ~/.config/rclone/rclone.conf (rclone cloud storage credentials)
• Any other tool that stores credentials in ~/.config

Evidence (src/docker-manager.ts:583):

agentVolumes.push(`\$\{effectiveHome}/.config:/host\$\{effectiveHome}/.config:rw`);
// Only ~/.config/gh/hosts.yml and ~/.config/gcloud/credentials.db are blocked below

---

Input Validation Assessment — STRONG

All execa() calls use array argument form (not shell interpolation), preventing command injection. The custom ESLint rule local/no-unsafe-execa enforces this at lint time.

Port validation for --allow-host-ports is thorough:

// src/squid-config.ts lines 446–488
// Validates numeric bounds: 1 ≤ port ≤ 65535
// Checks against DANGEROUS_PORTS blocklist (22, 25, 3306, 5432, etc.)
// Defense-in-depth: sanitizes with /[^0-9-]/g before inserting into Squid config

⚠️ Gap: AWF_ALLOW_HOST_PORTS in setup-iptables.sh is stripped with xargs only (no numeric validation):

# setup-iptables.sh line 169
port_spec=$(echo "$port_spec" | xargs)
iptables -A OUTPUT -p tcp -d "$HOST_GATEWAY_IP" --dport "$port_spec" -j ACCEPT

This is safe in normal operation (CLI validates first), but if AWF_ALLOW_HOST_PORTS is set externally without CLI validation, unusual values could reach the iptables command. In practice this requires privileged access to set environment variables in the container.

---

⚠️ Threat Model (STRIDE)

#	Threat	Category	Likelihood	Impact	Severity	Mitigated?
T1	DNS exfiltration via unauthorized resolver	Info Disclosure	Medium	Medium	Medium	✅ Restricted to trusted DNS servers
T2	HTTP/3 (QUIC/UDP 443) proxy bypass	Spoofing	Low	High	Medium	✅ Host-level UDP REJECT
T3	IPv6 unfiltered egress bypass	Elevation	Low	High	Medium	✅ ip6tables or sysctl disable
T4	Token exfiltration via /proc/self/environ	Info Disclosure	Low	High	Medium	✅ one-shot-token library
T5	Token exfiltration via /proc race window	Info Disclosure	Low	High	Low	⚠️ 5-second window
T6	Credential file exfiltration via ~/.config	Info Disclosure	Medium	High	Medium	⚠️ Partial (only 2 files blocked)
T7	Container escape via NET_ADMIN post-command	Elevation	Low	Critical	Low	✅ capsh drops before exec
T8	iptables bypass via NET_RAW raw sockets	Elevation	Low	High	Low	✅ NET_RAW dropped
T9	Port injection via AWF_ALLOW_HOST_PORTS	Tampering	Very Low	Medium	Low	⚠️ CLI-validated only
T10	DoS via resource exhaustion (no limits)	Denial of Service	Medium	Medium	Low	✅ Memory limit (2g default)
T11	UDP non-DNS bypass if host iptables fails	Info Disclosure	Very Low	High	Low	⚠️ Single layer for UDP
T12	--env-all credential passthrough	Info Disclosure	Low	High	Medium	⚠️ Opt-in warning only

---

🎯 Attack Surface Map

Surface	Location	Current Protection	Risk
HTTP/HTTPS egress	NAT DNAT + Squid	Domain allowlist enforced by both layers	🟢 Low
DNS queries	iptables UDP filter	Restricted to trusted servers only	🟢 Low
UDP non-DNS egress	Host DOCKER-USER chain	Blocked; container level relies on host	🟡 Medium
Token environment	one-shot-token LD_PRELOAD	Cleared on first read; parent unsets after 5s	🟡 Medium
~/.config directory	Volume mount + /dev/null overlays	Partial — only 2 subdirs blocked	🟡 Medium
--env-all flag	CLI env passthrough	Warning only; EXCLUDED_ENV_VARS is shallow	🟡 Medium
Container capabilities	cap_add + capsh drop	NET_ADMIN dropped before user exec	🟢 Low
Chroot /tmp mount	/tmp:/host/tmp:rw	One-shot lib staged here; agent can see it	🟢 Low

---

📋 Evidence Collection

Network filtering verification

# Container-level final TCP drop (setup-iptables.sh ~264)
iptables -A OUTPUT -p tcp -j DROP
# No UDP drop at container level

# Host-level UDP block (src/host-iptables.ts ~530)
'-p', 'udp', '-j', 'LOG', '--log-prefix', '[FW_BLOCKED_UDP] ', '--log-level', '4'
'-p', 'udp', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'

# Host-level default deny (src/host-iptables.ts ~540)  
'-j', 'LOG', '--log-prefix', '[FW_BLOCKED_OTHER] ', '--log-level', '4'
'-j', 'REJECT', '--reject-with', 'icmp-port-unreachable'

Credential mount analysis

# ~/.config mounted but only 2 files blocked (src/docker-manager.ts:583)
agentVolumes.push(`\$\{effectiveHome}/.config:/host\$\{effectiveHome}/.config:rw`);
# Blocked files:
# - ~/.config/gh/hosts.yml (line 792)
# - ~/.config/gcloud/credentials.db (line 803)
# NOT blocked: ~/.config/hub/, ~/.config/op/, ~/.config/gcloud/access_tokens.db, etc.
```
</details>

<details>
<summary>npm audit results</summary>

```
Total vulnerabilities: {'info': 0, 'low': 0, 'moderate': 0, 'high': 0, 'critical': 0, 'total': 0}

--env-all exclusion list

// src/docker-manager.ts:317 — EXCLUDED_ENV_VARS only excludes shell metadata vars:
const EXCLUDED_ENV_VARS = new Set([
  'PATH', 'PWD', 'OLDPWD', 'SHLVL', '_',
  'SUDO_COMMAND', 'SUDO_USER', 'SUDO_UID', 'SUDO_GID',
]);
// Notable: AWS_SECRET_ACCESS_KEY, DATABASE_URL, etc. would be forwarded if present

---

✅ Recommendations

🔴 Medium Priority

M1: Expand ~/.config credential file coverage

• File: src/docker-manager.ts (~line 786)
• Issue: ~/.config is mounted read-write; only 2 credential files within it are blocked with /dev/null overlays.
• Fix: Add /dev/null overlays for additional known credential locations:

  `\$\{effectiveHome}/.config/gcloud/access_tokens.db`,     // GCloud access tokens
  `\$\{effectiveHome}/.config/hub/config`,                   // Hub CLI GitHub tokens
  `\$\{effectiveHome}/.config/op/config`,                    // 1Password CLI session
  `\$\{effectiveHome}/.config/rclone/rclone.conf`,           // rclone cloud storage
  `\$\{effectiveHome}/.config/netlify/config.json`,          // Netlify deploy tokens

M2: Strengthen --env-all exclusion list

• File: src/docker-manager.ts (~line 317)
• Issue: EXCLUDED_ENV_VARS only excludes shell metadata, not credential patterns. With --env-all, host environment variables like AWS_SECRET_ACCESS_KEY, DATABASE_URL, or GCP_SA_KEY would be forwarded.
• Fix: Either document this clearly as expected behavior (it's opt-in) or add a pattern-based exclusion for well-known credential variable names, or add a more prominent warning that enumerates the forwarded credential categories.

---

🟡 Low Priority

L1: Add UDP DROP at container level as defense-in-depth

• File: containers/agent/setup-iptables.sh
• Issue: Container-level iptables only has iptables -A OUTPUT -p tcp -j DROP. Non-DNS UDP relies solely on the host DOCKER-USER chain.
• Fix: Add container-level UDP drop after DNS rules:

  # After allowing DNS to trusted servers
  iptables -A OUTPUT -p udp -j DROP

L2: Hard-fail on one-shot-token copy failure in chroot mode

• File: containers/agent/entrypoint.sh (~line 357)
• Issue: If one-shot-token.so cannot be copied to the chroot /tmp, execution continues without token protection.
• Fix: Consider failing hard or adding an explicit --no-token-protection opt-in flag rather than silently degrading security.

L3: Add numeric validation to port_spec in setup-iptables.sh

• File: containers/agent/setup-iptables.sh (~line 169)
• Issue: port_spec is passed to iptables --dport after only xargs stripping. CLI validation prevents this in normal use, but defense-in-depth suggests validating in the shell script too.
• Fix: Add: if ! [[ "$port_spec" =~ ^[0-9]+(-[0-9]+)?$ ]]; then echo "Invalid port spec"; exit 1; fi

---

📈 Security Metrics

Metric	Value
Security-critical files analyzed	7
Total lines analyzed	5,639
Attack surfaces identified	8
Threat model entries	12
npm vulnerabilities (Critical/High/Medium)	0 / 0 / 0
Credential files hidden via /dev/null	13 direct + 13 at /host paths
Capabilities dropped before user exec	NET_ADMIN, SYS_CHROOT, SYS_ADMIN
DNS exfiltration controls	iptables whitelist (container + host)
Defense-in-depth layers	2 (container iptables + host DOCKER-USER)

AI generated by Daily Security Review and Threat Modeling

• expires on Mar 19, 2026, 1:56 PM UTC

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through this circle. The omens are recorded, and the wards hold fast.

🔮 The oracle has spoken through Smoke Codex for issue #1249

[github-actions[bot]]

The ancient spirits stir, and the oracle whispers: the smoke test agent was here. The signs are read, the path is marked, and the ward stands watch.

🔮 The oracle has spoken through Smoke Codex for issue #1260

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test envoy has passed through, and the runes align in quiet confirmation.

🔮 The oracle has spoken through Smoke Codex for issue #1079

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls. The omens are favorable, and the lanterns of verification burn true.

🔮 The oracle has spoken through Smoke Codex for issue #1261

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test envoy has passed through these halls, and the omens are recorded.

🔮 The oracle has spoken through Smoke Codex for issue #1079

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle records this: the smoke test agent was here. The veils have parted; the run is witnessed.

🔮 The oracle has spoken through Smoke Codex for issue #1241

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls. The omens are recorded in starlight and ash.

🔮 The oracle has spoken through Smoke Codex for issue #1262

[github-actions[bot]]

The ancient spirits stir in the quiet logs. The smoke test agent was here, and the omens are recorded in the ledger of night.

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions[bot]]

🔮 The ancient spirits stir, and the smoke-test oracle has passed through this thread. A quiet sign remains: the agent was here, and the omens have been read.

🔮 The oracle has spoken through Smoke Codex for issue #1246

[github-actions[bot]]

🔮 The ancient spirits stir, and the oracle has witnessed the smoke test’s passage. By moonlit circuit and whispered log, I mark this hall: the Codex agent was here.

🔮 The oracle has spoken through Smoke Codex for issue #1234

[github-actions[bot]]

🔮 The ancient spirits stir and the veil grows thin. The smoke-test oracle has walked this thread; omens align and the run is witnessed.

🔮 The oracle has spoken through Smoke Codex for issue #1245

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test envoy has passed this way, leaving a faint trail of starlight and quiet approval.

🔮 The oracle has spoken through Smoke Codex for issue #1264

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through and left its sign. The omens are recorded, and the wards remain attentive.

🔮 The oracle has spoken through Smoke Codex for issue #1150

[github-actions[bot]]

🔮 The ancient spirits stir as the smoke test agent passes through these halls. The augury is clear: paths were walked, and the veil is intact.

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls and left a shimmer in the margins.

🔮 The oracle has spoken through Smoke Codex for issue #1264

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent was here, and the omens are recorded.

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke-test oracle has walked these halls and marked its passing.

🔮 The oracle has spoken through Smoke Codex for issue #1245

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls, leaving a quiet omen of completion.

🔮 The oracle has spoken through Smoke Codex for issue #1264

[github-actions[bot]]

The oracles whisper in the linted logs and the build runes glow steady. I have passed through and marked this place with quiet assurance.

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions[bot]]

The oracle speaks: the smoke test agent passed through, and the signs were read beneath a quiet sky.

🔮 The oracle has spoken through Smoke Codex for issue #1245

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has walked this thread. The oracle's eye remains open.

🔮 The oracle has spoken through Smoke Codex for issue #1245

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent was here, and the omens are now sealed in the ledger.

🔮 The oracle has spoken through Smoke Codex for issue #1264

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test oracle has passed through these halls. The runes glow, and the veil is lifted for a moment.

🔮 The oracle has spoken through Smoke Codex for issue #1264

[github-actions[bot]]

🔮 The ancient spirits stir; the smoke test agent has passed through these halls.

🔮 The oracle has spoken through Smoke Codex for issue #1264