[Security Review] Daily Security Review & Threat Model — 2026-06-16 #5113
Closed
Replies: 2 comments
-
|
🔮 The ancient spirits stir: the smoke test agent was here, and the omens read in favor of a passing run. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
This discussion was automatically closed because it expired on 2026-06-23T14:18:05.409Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Review date: 2026-06-16 | Model: claude-sonnet-4.6 | Scope: Full static analysis
📊 Executive Summary
noop)Overall posture: GOOD. Defence-in-depth is well-implemented across L3/L4 (iptables), L7 (Squid ACL), container capabilities, seccomp, and credential isolation.
🔍 Escape Test Context
The escape-test summary (
/tmp/gh-aw/escape-test-summary.txt) contained workflow infrastructure metadata from the "Secret Digger (Copilot)" run (2026-04-11). It concluded withGH_AW_SECRET_VERIFICATION_RESULT: successandnoop— no secrets exfiltrated, no escape vectors found.🛡️ Architecture Strengths
DOCKER-USERchain (src/host-iptables-rules.ts) + per-container NAT rules (containers/agent/setup-iptables.sh).setup-iptables.sh:47-49) — blocks Happy Eyeballs bypass.NET_ADMINnever granted to agent — held only by short-livedawf-iptables-initinit container.SYS_CHROOT/SYS_ADMINdropped via capsh before user code runs (entrypoint.sh:375-377).SCMP_ACT_ERRNO):ptrace,process_vm_readv/writev,kexec_load,reboot,umountall blocked.hidepid=2on procfs prevents agent reading/proc/[pid]/environof entrypoint (entrypoint.sh:491).unset_sensitive_tokens()clears PID 1 env.SQUID_DANGEROUS_CHARS = /[\s\0"';#]/+ backslash at every Squid config interpolation point;validateApiProxyIp()` strict IPv4 regex.DOMAIN_CHAR_PATTERN = '[a-zA-Z0-9.-]*'— char class not.*.M-1 (Medium) — ICMP not blocked in agent OUTPUT chain
Evidence:
containers/agent/setup-iptables.sh:426-433drops only TCP and UDP. No ICMP rule exists.iptables -A OUTPUT -p tcp -j DROP iptables -A OUTPUT -p udp -j DROP # ICMP missing — covert channel / ping-tunnel possibleRecommendation: Add
iptables -A OUTPUT -p icmp -j DROPafter DNS allow rules insetup-iptables.sh. Mirror insrc/host-iptables-rules.ts:addBlockRules().M-2 (Medium) —
apparmor:unconfinedremoves MAC enforcement on agentEvidence:
src/services/agent-service.ts:111Required to allow
mount()for procfs. However, between container start andcapshexecution, there is no MAC policy. Seccomp provides partial compensation.Recommendation: Develop a minimal custom AppArmor profile permitting only
mount fstype=procwhile blocking other mount types and namespace operations. Current seccomp + capability drop provides adequate interim mitigation.M-3 (Medium) —
git safe.directory '*'global wildcardEvidence:
containers/agent/entrypoint.sh:366runuser -u awfuser -- git config --global --add safe.directory '*'Bypasses git protections against executing
.git/hooksfrom untrusted directory ownership contexts. If the agent clones from an attacker-controlled repo, malicious hooks could execute.Recommendation:
L-1 (Low) — JSONL audit log URL field unescaped
Evidence:
src/squid/config-generator.ts:97%ruis not JSON-escaped. A URL containing","event":"fake_allow"could inject a synthetic log entry. User-Agent was already removed for this reason; URL has the same risk.Recommendation: Treat lines failing JSON parse in
log-parser.tsas tampered/invalid rather than skipped. Long-term: evaluate Squid native JSON escaping.L-2 (Low) — Unencrypted DNS without DoH mode
Without
--doh, DNS queries for every domain the agent resolves are sent unencrypted (default: Google8.8.8.8). A network observer can enumerate the agent's full task scope.Recommendation: Add
logger.warn()when DoH is not enabled. Consider making DoH opt-out rather than opt-in in a future release.L-3 (Low) —
js-yamlmoderate vulnerability in production dependencyEvidence:
npm auditoutput:js-yaml: severity=moderate.Used in
src/compose-sanitizer.tsandsrc/compose-generator.ts. AWF generates YAML programmatically (low exposure), but the advisory should be cleared.Recommendation:
npm audit fixor pin to patched version.L-4 (Low) — JSONL log resilience for URL-encoded newlines
SQUID_DANGEROUS_CHARSblocks literal whitespace but not%0a-encoded newlines in URLs, which Squid may expand when writing%ru. A crafted URL could split a JSONL entry across lines.Recommendation: In
src/logs/log-parser.ts, treat any line not starting with a valid Unix timestamp as a continuation error.📈 Security Metrics
js-yaml)Beta Was this translation helpful? Give feedback.
All reactions