[Security Review] Daily Security Review: Threat Model & Architecture Analysis (2026-07-02) #5813
Replies: 8 comments
-
|
🔮 The ancient spirits stir: the smoke test agent was here, and the omens read PASS. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent was here and the omens were observed. Warning Firewall blocked 8 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "awmgmcpg"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "images.ctfassets.net"
- "redirector.gvt1.com"
- "registry.npmjs.org"
- "www.google.com"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent passed through the halls, and this discussion is marked by a clean omen. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke test agent has passed through with a clean omen. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent was here, and the omens read clean. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir; the smoke test agent was here. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent was here, and the omens remain in motion. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir: the smoke test agent was here. Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
Date: 2026-07-02 | Version: v0.23.1 | Scope:
@github/agentic-workflow-firewallDefense-in-depth architecture with overlapping layers: iptables NAT+filter, Squid domain ACLs, capability dropping, procfs isolation, one-shot token library. Overall posture is strong. Key gaps: opt-in DLP,
--enable-dindescape hatch, and three IP env vars used in iptables without theis_valid_ipv4()guard applied to other IPs.🔍 Escape Test Results
Escape test summary (
Secret Digger (Copilot), ~2026-04-11):GH_AW_SECRET_VERIFICATION_RESULT: success— secret correctly isolated, not exfiltratednoop(703 bytes) — could not reach disallowed targetsCheckout PR success: true— code access worked; network exfiltration did notResult: Firewall contained the agent successfully.
🛡️ Architecture Security Analysis
Network (setup-iptables.sh, host-iptables-rules.ts)
Two-tier enforcement: host
DOCKER-USERchain + container NAT+filter.Strengths: IPv6 disabled via sysctl (lines 110–111); raw-IP blocked in Squid (
acl dst_ipv4 dstdom_regex); 15 dangerous ports blocked (SSH:22, DB, Redis:6379, MongoDB, RDP:3389, SMB:445, mail); DNS restricted to whitelisted servers only.AWF_API_PROXY_IP,AWF_CLI_PROXY_IP,AWF_DOH_PROXY_IPare passed directly toiptables -t nat -A OUTPUT -d "$VAR"withoutis_valid_ipv4()validation.AWF_HOST_GATEWAY_IP(line 297) uses the check; these three do not. These are CLI-set values (not agent-controlled), but consistent validation is a defence-in-depth best practice.i️ Low — Non-standard port audit gap: HTTP on ports like 8080 hits the filter DROP (blocked) but bypasses Squid's domain ACL, creating an audit gap in access.log.
Container (entrypoint.sh, seccomp-profile.json)
Strengths: NET_ADMIN never granted to agent (delegated to init container); SYS_CHROOT+SYS_ADMIN dropped before user code; proxy sidecars
cap_drop: ALL; Docker socket behind/dev/nulloverlay when DinD off; seccomp blocks ptrace, process_vm_readv/writev, kexec, reboot, umount; procfshidepid=2(line 521); UID/GID validated non-zero (lines 18–37).🔴 High — DinD firewall bypass (docker-socket.ts:27):
--enable-dindmounts the Docker socket R/W into the agent container. The agent can rundocker run --network host, completely bypassing all AWF egress controls. Documented warning but represents a complete bypass.On Alpine/musl hosts, the LD_PRELOAD library silently fails. API keys can be read multiple times (no single-read guarantee). hidepid=2 partially mitigates.
Tokens exist in
/proc/1/environfor up to ~1 second (10×100ms polling loop). hidepid=2 prevents cross-user reads, but the window exists beforeunset_sensitive_tokensruns.Domain Validation (domain-validation.ts, domain-acl.ts)
No significant findings.
SQUID_DANGEROUS_CHARS = /[\s\0"';#]/prevents injection. Over-broad wildcards rejected. ReDoS mitigated (→[a-zA-Z0-9.-]`, length capped at 512).(L=Likelihood: VL=Very Low, L=Low, M=Medium; I=Impact: M=Medium, H=High, C=Critical)
🎯 Attack Surface Map
domain-validation.ts:1setup-iptables.sh:371setup-iptables.sh:460docker-socket.ts:27setup-iptables.sh:234config-sections.tsentrypoint.sh:521src/dlp.ts✅ Recommendations
🔴 H1 — Add
is_valid_ipv4forAWF_API_PROXY_IP,AWF_CLI_PROXY_IP,AWF_DOH_PROXY_IP— apply the same guard used forAWF_HOST_GATEWAY_IP(setup-iptables.sh line 297) consistently.🔴 H2 — Add runtime confirmation gate for
--enable-dind— require a--confirm-dind-bypasscompanion flag; log activation to audit.jsonl.🟠 M1 — Default DLP to
warnmode — credential URL exfiltration is a realistic agent threat; opt-out is safer than opt-in.🟠 M2 — Warn on one-shot-token Alpine/musl failure — emit
[SECURITY WARNING]if API keys are set and the library fails to load.🟠 M3 — Scope API proxy Squid access — replace
http_access allow from_api_proxy(unrestricted) with a known upstream domain list.🟠 M4 — Reduce token race window to 100ms — one-shot-token caches in ~100ms per code comments; reduce polling from 10× to 1–2 iterations.
🟡 L1 — Add LOG rule for non-standard port DROP to close audit gap.
🟡 L2 — Align
allow_service_ports_to_ipport-range handling withis_valid_port_spec.🟡 L3 — Use TCP REJECT (faster feedback) instead of DROP for default-deny rule.
🟡 L4 — Document recommended memory limits for small workloads.
📈 Security Metrics
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
awmgmcpgSee Network Configuration for more information.
Beta Was this translation helpful? Give feedback.
All reactions