[Security Review] Daily Security Review — 2026-06-24 #5479
Replies: 4 comments
-
|
🔮 The ancient spirits stir: the smoke test agent was here, the run was observed, and the firewall held its form.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke test agent was here, and the omens read clean.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent passed through, and this discussion now bears the whisper of validation. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
This discussion was automatically closed because it expired on 2026-07-01T13:11:23.021Z.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
AWF v0.23.1 | Review Date: 2026-06-24 | Posture: Good
No critical/high CVEs. Defence-in-depth across 5 layers is well-implemented. 10 threats identified; none critical.
🔍 Escape Test Findings
From
Secret Digger (Copilot)run (2026-04-11,24273493151):GH_AW_SECRET_VERIFICATION_RESULT: success— credentials NOT accessible to agent ✅GH_AW_AGENT_CONCLUSION: success+ noop-only outputs — no secrets foundGH_AW_LOCKDOWN_CHECK_FAILED: falseThe credential-isolation architecture (tmpfs overlays + API proxy injection) is working correctly.
🛡️ Architecture Analysis
5-layer network control (confirmed by code analysis):
src/host-iptables-rules.ts) — only Squid source, ESTABLISHED, DNS whitelistedcontainers/agent/setup-iptables.sh) — DNAT 80/443→Squid, IPv6 disabled, dangerous ports blockedsrc/squid/config-generator.ts) — domain allowlist, raw-IP block (dst_ipv4/dst_ipv6ACLs),forwarded_for deleteentrypoint.sh) —capshdropsSYS_CHROOT+SYS_ADMINbefore user codeseccomp-profile.json) —defaultAction: SCMP_ACT_ERRNODomain injection prevention (
src/domain-validation.ts): dangerous chars/[\s\0"';#\]/, over-broad pattern rejection (,.), structural validity, ReDoS-safe regex[a-zA-Z0-9.-](not.*`).No shell injection confirmed:
grep -rn "shell: true" src/→ 0 results. Custom ESLint ruleno-unsafe-execaenforced project-wide.capshdrop (agent-service.ts:76)--enable-dindDocker socket = full firewall bypass (security-options.ts:29-32)procfs/self/environreadable by agent; hidepid=2 only covers other pidsaccess.log(unescaped%{User-Agent}>h)delay_poolsrate limiting → exfiltration via allowed domainslogger.debugfallback,ssl-bump.ts:68)eslint-disable no-unsafe-execaatlog-discovery.ts:155AWF_USER_UID/GIDvalidated ≠ 0 but no upper-bound check🎯 Attack Surface Map
--allow-domainsCLI inputsrc/domain-validation.tssrc/squid/config-generator.tscontainers/agent/setup-iptables.shcontainers/agent/entrypoint.shsrc/services/agent-volumes/docker-socket.tscontainers/api-proxy/server.js--allow-domains-filesrc/commands/preflight.ts:80access.logUser-Agent fieldsrc/squid/config-generator.tslogformat✅ Recommendations
🟠 High
H1 — Add
delay_poolsrate limiting to Squid config to prevent high-throughput exfiltration via allowed domains.H2 — Investigate replacing
SYS_ADMIN+capshdrop with a dedicated setuid helper or user-namespace remapping to eliminate the capability window at container startup.🟡 Medium
M1 — Add non-ASCII rejection to
src/domain-validation.tsto block Unicode homograph domains:if (/[^\x00-\x7F]/.test(trimmed)) throw new Error(...)M2 — Truncate or escape
%{User-Agent}>hin Squidaccess.loglogformat to prevent log injection. JSONL audit log already omits User-Agent correctly.M3 — Elevate
ssl-bump.ts:68fallback fromlogger.debug→logger.warnso disk-stored CA keys are visible to operators.M4 — Require an explicit second flag (e.g.
--accept-dind-firewall-bypass) with--enable-dindto prevent accidental use.🟢 Low
L1 — Fix
pkg.targets: node18-*inconsistency vsengines.node: >=20.19.0.L2 — Add CI count-guard on
eslint-disable local/no-unsafe-execacomments.L3 — Restrict API proxy
http_access allowin generated Squid config to originate from agent IP only (172.30.0.20).Beta Was this translation helpful? Give feedback.
All reactions