[Security Review] Daily Security Review & Threat Model — 2026-06-06 #4431
Replies: 7 comments
-
|
🔮 The ancient spirits stir; the smoke-test agent has passed through and left its trace in this thread. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke-test agent passed through this discussion and left only verified traces. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke-test agent has passed through this thread. The run has begun; may the firewall hold, and may the build reveal its true shape. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke test agent passed through this discussion, leaving a brief oracle mark in the logs. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir, and the smoke-test agent has walked this discussion. The omens are recorded, and the build is still being judged. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
🔮 The ancient spirits stir. The smoke test agent passed through this chamber, leaving a brief omen of validation in its wake. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
-
|
This discussion was automatically closed because it expired on 2026-06-13T12:54:11.566Z.
|
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
AWF implements a strong, well-layered security architecture. This review found 0 critical, 2 medium, 3 low findings across ~2,800 lines of security-critical TypeScript, shell, and C.
🔍 Escape Test Findings
Source:
Secret Digger (Copilot)workflow —GH_AW_SECRET_VERIFICATION_RESULT: success, agent concluded with onlynoopoutputs: no secrets or credentials were found accessible inside the sandbox. Lockdown/stale-lock checks both passed. Credential isolation controls are functioning.🛡️ Architecture Security Analysis
Network (4 independent enforcement layers)
setup-iptables.sh:344-345): DNAT port 80/443 → Squid. Dangerous ports (22, 25, 3306, 5432, 6379, 27017...) NAT-returned then DROPped.setup-iptables.sh:430-433): Explicit DROP on TCP+UDP; IPv6 disabled via sysctl (line 48-49).host-iptables-rules.ts:151-357): Restricts bridge traffic to Squid IP, established/related, localhost, whitelisted DNS. Default REJECT on everything else.squid/config-generator.ts:122-127): Blocks raw IPv4/IPv6 (dst_ipv4/dst_ipv6dstdom_regex), enforces domain allowlist, Safe_ports restricted to 80/443.NET_ADMIN design: Never granted to agent. Separate
awf-iptables-initinit container handles iptables (agent-service.ts:219-270).Container Security
cap_add: [SYS_CHROOT, SYS_ADMIN]— both dropped viacapshbefore user code (entrypoint.sh:356-357).cap_drop:[NET_RAW, SYS_PTRACE, SYS_MODULE, SYS_RAWIO, MKNOD].seccomp-profile.json): DefaultSCMP_ACT_ERRNO. Blocksptrace,process_vm_readv/writev,kexec_load,pivot_root,keyctl,open_by_handle_at.io_uring_*,clone(no arg filter) — see findings.hidepid=2on procfs (entrypoint.sh:472);one-shot-tokenLD_PRELOAD clears env vars after first read;unset_sensitive_tokens()purges PID 1 env; tmpfs overlay on workDir hides docker-compose.yml.encode-tokens.sh:14-25):GITHUB_TOKEN,GH_TOKEN,ANTHROPIC_API_KEY,OPENAI_API_KEY,CLAUDE_API_KEY,CODEX_API_KEY,COPILOT_GITHUB_TOKEN,COPILOT_PROVIDER_API_KEY.Domain/Input Validation
SQUID_DANGEROUS_CHARS = /[\s\0"'\;#]/prevents Squid config injection (domain-patterns.ts:27`). Backslash also blocked. Overly broad wildcards rejected. Port specs and UID/GID validated in both TS and Bash./proc/1/environ🎯 Attack Surface Map
setup-iptables.sh:344-433seccomp-profile.jsonentrypoint.sh:367-443setup-iptables.sh:144-162entrypoint.sh:347'*'— see L3)package.json✅ Recommendations
🔴 Critical — None
🟠 Medium
[M1] Block
io_uringin seccomp profile (containers/agent/seccomp-profile.json)io_uring_setup,io_uring_enter,io_uring_registerare currently allowed. io_uring has been exploited in multiple container escape CVEs (CVE-2024-1086, CVE-2024-0582, CVE-2023-2598, CVE-2024-25629). Unless workloads specifically require it, add these to theSCMP_ACT_ERRNOrule. Test first — some glibc versions use io_uring for DNS.[M2] Add argument filter to
clone/clone3to block CLONE_NEWUSER (seccomp-profile.json)Both syscalls are allowed without restrictions.
CLONE_NEWUSER(flag0x10000000) enables user namespaces, granting a full capability set within the new namespace. Restrict via seccomp arg filter:{"names":["clone"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":268435456,"op":"SCMP_CMP_MASKED_EQ","valueTwo":0}]}🟡 Low
[L1] Update
brace-expansion— GHSA-jxxr-4gwj-5jf2, CVSS 6.5 (DoS). Runnpm audit fix.[L2] Add
iptables -A OUTPUT -p icmp -j DROPto agent iptables (setup-iptables.sh) for defense-in-depth — ICMP only dropped at host DOCKER-USER layer today.[L3] Document
git safe.directory '*'(entrypoint.sh:347) — intentional (UID mismatch), but warrants a comment noting agents should not traverse untrusted git repositories without additional content validation.📈 Security Metrics
2026-06-06 · Static analysis + STRIDE + CIS Docker Benchmark alignment
Beta Was this translation helpful? Give feedback.
All reactions