[Security Review] Daily Security Review & Threat Model — 2026-07-07 #5978
Replies: 8 comments
-
|
🔮 The ancient spirits stir around this discussion; the smoke test agent was here, and the omens were observed. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke-test agent has passed through this hall. The omens are favorable. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke test agent was here, and the omens are green. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke test agent was here, and the omens were read. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent has passed through. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent was here. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent was here. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent passed through GitHubs veil, and this discussion bears witness. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
Evidence-based daily security review of
gh-aw-firewallv0.23.1 (commit5160f8f). Overall posture is strong — well-implemented defense-in-depth with L7 Squid + L3/L4 iptables + container capability restrictions + seccomp + procfs isolation. No critical or high severity findings. 0 npm vulnerabilities.Escape-test context: The pre-fetched
/tmp/gh-aw/escape-test-summary.txtcontained a "Secret Digger (Copilot)" workflow conclusion log (2026-04-11).GH_AW_SECRET_VERIFICATION_RESULT: success,GH_AW_AGENT_CONCLUSION: successwith onlynoopoutput — no credentials found, no escapes.🔍 Findings
Medium Severity
M1 — ICMP not blocked in OUTPUT filter chain (
setup-iptables.sh:459-462)iptables -A OUTPUT -p tcp -j DROP iptables -A OUTPUT -p udp -j DROP # MISSING: iptables -A OUTPUT -p icmp -j DROPAllows ICMP covert-channel exfiltration (ping tunneling, ICMP echo payload encoding). Recommendation: Add:
iptables -A OUTPUT -p icmp -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "[FW_BLOCKED_ICMP] " --log-level 4 --log-uid iptables -A OUTPUT -p icmp -j DROPM2 —
unsharesyscall allowed in seccomp (containers/agent/seccomp-profile.json:338)unshareis in theSCMP_ACT_ALLOWgroup. On kernels withkernel.unprivileged_userns_clone=1, an agent can callunshare --userto create a user namespace and gain a full capability set within it, potentially enabling namespace-based escalation.no-new-privileges:truelimits but does not fully eliminate this path. Recommendation: Removeunsharefrom the ALLOW group.M3 — AppArmor disabled (
apparmor:unconfined) (src/services/agent-service.ts:97)Required because Docker's default AppArmor profile blocks
mount, which is needed for procfs setup (entrypoint.sh:521). Disabling AppArmor removes a defense layer — a regressedcapshcapability drop could be exploited without AppArmor confinement. Recommendation: Create a minimal custom AppArmor profile permitting onlymount fstype=proc.M4 — Agent↔API-proxy channel is unencrypted HTTP (
containers/api-proxy/)The agent calls
(172.30.0.30/redacted) with no auth; the sidecar injects real keys and forwards via Squid. Whileawf-netis isolated, a compromised Squid container could observe/inject plaintext traffic on this channel. **Recommendation:** Add mTLS using per-session ephemeral certs (reusesrc/ssl-bump.ts` CA infrastructure).Low Severity
L1 — IPv4 DNS validation allows octets > 255 (
setup-iptables.sh:14)Matches
999.999.999.999. Doesn't enable injection (iptables rejects it) but causes confusing failures. Add numerical bounds checking per-octet.L2 —
chmod 666on Claude config files (entrypoint.sh:232,237,262)World-writable API config files. Change to
chmod 640withawfuserownership.L3 — One-shot token library disabled on musl/Alpine (
entrypoint.sh:553)On incompatible hosts,
[WARN] Token protection will be disabled— tokens remain in/proc/1/environfor a ~1s race window.hidepid=2mitigates but doesn't fully close this. Upgrade to a security-audit-level log entry so operators detect degraded token protection.L4 — ReDoS risk in
--allow-urlsregex patterns (src/squid/ssl-bump.ts:37)Only
assertSafeForSquidConfig()(injection chars) applied to URL patterns. Nested quantifiers (e.g.,(a+)+) could trigger ReDoS in Squid's regex engine under high traffic. Add complexity heuristics.--allow-urlsunshare --user+ user namespace escalation--allow-urlspatternsmount+ no AppArmor after capsh regression📈 Security Metrics
Review date: 2026-07-07 | v0.23.1 @ 5160f8f
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions