[Security Review] π Daily Security Review & Threat Model β 2026-07-04 #5899
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-07-11T07:58:50.892Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
π Daily Security Review & Threat Model
Date: 2026-07-04 | Repo:
github/gh-aw-firewallv0.23.1π Executive Summary
Overall posture is strong. The firewall implements defense-in-depth: iptables (host + agent), Squid L7 domain-ACL, seccomp, capability drop, tmpfs credential overlays, and one-shot token isolation. 0 critical findings. The escape test (
Secret Digger) confirmed credential isolation works: agent produced onlynoopoutputs β no secrets exposed.Metrics: 5,802 lines security-critical code Β· 4 enforcement layers Β· 0 npm vulns Β· 28 credential overlays Β· 18 STRIDE threats evaluated β 0 critical / 2 high / 3 medium / 3 low
π Escape Test Results
/tmp/gh-aw/escape-test-summary.txt=Secret Digger (Copilot)workflow metadata:GH_AW_AGENT_CONCLUSION: successΒ·GH_AW_SECRET_VERIFICATION_RESULT: successnoopβ no secrets found or filedVerdict: Credential isolation (API proxy placeholder tokens + workDir tmpfs) worked correctly in practice.
π‘οΈ Architecture Analysis
Network (
src/host-iptables-rules.ts,containers/agent/setup-iptables.sh)FW_WRAPPERchain: Squid gets unconditional ACCEPT; DNS whitelisted; IPv6 disabled via sysctl when ip6tables unavailable[FW_BLOCKED_DANGEROUS_PORT],[FW_BLOCKED_TCP],[FW_BLOCKED_UDP_AGENT](rate-limited)NET_ADMINnever granted to agent β isolated toawf-iptables-initinit containerContainer (
src/services/agent-service.ts:68-103)defaultAction: SCMP_ACT_ERRNO(deny-by-default); ptrace/process_vm_readv/pivot_root/keyctl/kexec/umount all ERRNO/dev/nullat container +/host/paths:.aws,.ssh,.kube,.docker,.azure, etc.)docker-compose.ymltokenshidepid=2on procfs β blocks reading/proc/1/environLD_PRELOAD one-shot-token.soon glibc hostsDomain Validation (
src/domain-validation.ts)5-layer Squid injection prevention: empty β dangerous chars
[\s\0"'\;#\]β over-broad patterns (,.*) β structural validity (double-dots, wildcard count) β protocol prefix strip. Direct IP connections blocked viadstdom_regex` in Squid ACL.Input Validation (
src/parsers/)joinShellArgsuses safe'\''escaping; volume mounts require absolute paths; env vars use strictKEY=VALUEregex; UID/GID validated as numeric non-zero.--allow-domainsSquid injection; YAML injection; volume path traversal[FW_BLOCKED_*]kernel logs/proc/1/environtoken race; docker-compose.yml; credential files; musl fallbacksetnsnamespace escape; AppArmor unconfinedβ Recommendations
π High
H1: AppArmor
unconfinedremoves MAC layersrc/services/agent-service.ts:92β required for procfsmountin entrypoint, but removes all MAC enforcementcapsh --print | grep -v sys_adminto detect silent drop failure; or generate a minimal AppArmor profile allowing onlymountof typeprocH2:
setnsallowed in seccomp without namespace type filtercontainers/agent/seccomp-profile.jsonβsetnsinto a network namespace could bypass isolation in DinD/co-tenant environments without requiringSYS_ADMINargsfilter restrictingsetnsto non-network namespace types, or block entirely if no runtime requires itπ‘ Medium
M1:
one-shot-token.somusl/Alpine incompatibilitycontainers/agent/entrypoint.sh:552-558β fallback to 1s timing window on Alpine hosts; fast agent could race/proc/1/environreadexec-ing agentM2: Volume mount path not canonicalized
src/parsers/volume-parsers.tsβ/workspace/../etc/shadowpassesstartsWith('/')checkpath.resolve(hostPath)+ block sensitive prefixes (/etc,/proc,/sys,/dev,/root)M3: Token window in
run_agent_with_token_protectioncontainers/agent/entrypoint.sh:471-493β 0β1s window; primary mitigation ishidepid=2awfusercannot read/proc/1/environ(expect EACCES)π’ Low
L1: Document in
LOGGING.mdthataudit_jsonlomits User-Agent intentionally (JSON injection prevention)L2: Block UIDs 1β99 (system accounts) in addition to UID 0 in
entrypoint.sh:30-37L3: Extend
compose-sanitizer.tsredaction pattern to includePASSWORD|CREDENTIAL|PAT|BEARER|AUTHORIZATIONπ Key Evidence
Automated security review Β· 2026-07-04 Β· v0.23.1
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions