[Security Review] Daily Security Review & Threat Model — 2026-06-17 #5155
Closed
Replies: 2 comments
🔮 The ancient spirits stir; the smoke test agent was here.

Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.
This discussion was automatically closed because it expired on 2026-06-24T13:40:04.129Z.
## 📊 Executive Summary

Overall security posture is strong, with defence-in-depth consistently applied. The most recent Secret Digger run (`/tmp/gh-aw/escape-test-summary.txt`) concluded `success` with `GH_AW_SECRET_VERIFICATION_RESULT: success` — credentials remained isolated.

## 🔍 Escape Test Context

The summary file contained CI metadata, not detailed test output. Outcome: `success`, no `report_incomplete` events, no issue-creation errors. Credential isolation controls (one-shot-token, procfs `hidepid=2`) are functional per codebase evidence.

## 🛡️ Architecture Assessment

### Network Security

iptables design (`setup-iptables.sh`): DNAT redirects 80/443 → Squid `172.30.0.10:3128`. Dangerous ports (22/25/3306/5432/6379/27017) get NAT-RETURN, then fall to the final DROP. UDP is dropped entirely except DNS to configured servers. IPv6 is disabled via `sysctl` (line 48).

**Finding (Medium):** ICMP is not blocked. An agent can perform network reconnaissance (`ping`, `traceroute`) within the Docker subnet. No data exfiltration vector, but this violates the default-deny intent.

### Container Security

Capabilities (`src/services/agent-service.ts:94`): `SYS_CHROOT` + `SYS_ADMIN` added for the procfs mount; `NET_RAW`, `SYS_PTRACE`, `SYS_MODULE`, `SYS_RAWIO` dropped. Both elevated caps are dropped via `capsh` at `entrypoint.sh:376` before user code runs.

**Finding (High) — SYS_ADMIN race window:** The entrypoint runs lines 1–376 as root with `SYS_ADMIN` before the capability drop. Any attacker-controlled exec path in that window could leverage the elevated capability. Risk is low due to strict `AWF_*` env var validation, but the architectural exposure exists.

Procfs isolation: `entrypoint.sh:491` mounts procfs with `hidepid=2` — prevents cross-process `/proc/[pid]/environ` reads, closing the token-extraction race against PID 1.

tmpfs overlays (`agent-service.ts`): workDir (containing `docker-compose.yml` with plaintext API keys) is shadowed by tmpfs in both the `/tmp/awf-*` and `/host/tmp/awf-*` paths.

One-shot token fallback (`entrypoint.sh:519`): When `one-shot-token.so` fails on musl/Alpine, tokens remain readable multiple times — logged as WARN, not fatal.

### Domain Validation

`src/domain-validation.ts`: 5-layer validation: (1) empty check, (2) dangerous char check `/[\s\0"';#\]/` to prevent Squid config injection, (3) over-broad pattern rejection (e.g. `.*`), (4) structural validity, (5) wildcard segment limits. `src/domain-patterns.ts:80`: ReDoS prevention — wildcard `*` → `[a-zA-Z0-9.-]*` (bounded char class, not `.*`).

**Finding (Medium):** `--allow-urls` passes raw regex to the Squid `url_regex` ACL. While dangerous chars are checked, a complex crafted regex could cause Squid ReDoS. This is operator-only input, not user-controlled.

### Input Validation

`src/parsers/shell-utils.ts`: Safe fast path for alphanumeric args; single-quote escaping for all others. Port validation rejects leading zeros, matching container-side bash validation.

## ✅ Recommendations

### 🔴 High

**H1 — Narrow SYS_ADMIN window:** Split the entrypoint into a privileged init (mount, drop caps) + an unprivileged runner. The procfs mount could be moved to `awf-iptables-init` or a dedicated init container, eliminating SYS_ADMIN from the agent entirely.

**H2 — Block ICMP egress:** Add `iptables -A OUTPUT -p icmp -j DROP` to the default-deny block in `setup-iptables.sh`. Consistent with the existing TCP/UDP DROP policy.

### 🟡 Medium

**M1 — Tighten Claude config permissions:** Replace `chmod 666 "$config_file"` (`entrypoint.sh:212/216/248`) with `chmod 640` and verify `awfuser` ownership. A world-readable config exposes the `apiKeyHelper` script path within the container.

**M2 — One-shot-token fail-closed option:** Add a `--strict-token-isolation` flag that exits rather than silently degrading when `one-shot-token.so` fails to load.

**M3 — Validate AWF_DOH_PROXY_IP in iptables script:** `setup-iptables.sh:124` uses `AWF_DOH_PROXY_IP` in iptables rules with only an existence check. Add `is_valid_ipv4` validation matching the pattern applied to `SQUID_IP` and `AGENT_IP`.

### 🟢 Low

**L1 — Add SUID/SGID mount option:** System binary mounts (`/usr`, `/bin`, `/sbin`) are read-only but do not specify `nosuid`. Add `,nosuid` to these bind mounts as defense-in-depth against host-side SUID escalation.

**L2 — Pin execa version:** `execa@^5.1.1` uses a caret constraint. Pin to an exact version to prevent supply-chain substitution.

## 📈 Security Metrics

Review date: 2026-06-17 · Model: claude-sonnet-4.6
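The Domain Validation section of the review describes five checks and a bounded-wildcard translation but does not show them. The block below is an added example written for this page, not code from the project's `src/domain-validation.ts` or `src/domain-patterns.ts`: it implements the same five layers in the order the review lists them, compiles an accepted pattern to an anchored matcher using `[a-zA-Z0-9.-]*` for `*`, and exercises the validator on a Squid ACL injection attempt. The regexes, the wildcard-label limit of 2 and the wildcard-in-TLD rule are this example's own assumptions.

```typescript
// Added illustration (not the project's src/domain-validation.ts or
// src/domain-patterns.ts): a layered allow-list domain validator following the
// five checks the review lists, plus the bounded-wildcard translation it credits
// with preventing ReDoS. Regexes, limits and the wildcard-TLD rule are this
// example's own assumptions, not the project's.

const MAX_WILDCARD_LABELS = 2; // assumed value for layer 5

// Layer 2: characters that could terminate or comment out a Squid ACL line
// (whitespace including newline, NUL, quotes, '#', ']').
const SQUID_UNSAFE = /[\s\0"';#\]]/;

// Layer 3: patterns that would match effectively every host.
const OVER_BROAD = new Set(["*", ".*", "*.*", "**"]);

// Layer 4: one DNS label, or a bare '*' standing for a whole label.
const LABEL = /^(\*|[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)$/;

export type Verdict = { ok: true; pattern: string } | { ok: false; reason: string };

export function validateDomainPattern(input: string): Verdict {
  if (input.length === 0) return { ok: false, reason: "empty pattern" };                    // (1)
  if (SQUID_UNSAFE.test(input)) return { ok: false, reason: "unsafe character" };            // (2)
  const pattern = input.toLowerCase();
  if (OVER_BROAD.has(pattern)) return { ok: false, reason: "over-broad pattern" };           // (3)
  if (pattern.length > 253) return { ok: false, reason: "longer than a hostname" };
  const labels = pattern.split(".");
  if (!labels.every((l) => LABEL.test(l))) return { ok: false, reason: "malformed label" }; // (4)
  const wildcards = labels.filter((l) => l === "*").length;
  if (wildcards > MAX_WILDCARD_LABELS) return { ok: false, reason: "too many wildcard labels" }; // (5)
  if (labels[labels.length - 1] === "*") return { ok: false, reason: "wildcard in TLD position" };
  return { ok: true, pattern };
}

// Compile an accepted pattern to an anchored matcher. '*' becomes a bounded
// character class rather than '.*'; the literal parts are escaped, and no
// quantifier is ever nested, so the regex cannot be driven into exponential
// backtracking by a hostile hostname.
export function patternToRegex(pattern: string): RegExp {
  const body = pattern
    .split("*")
    .map((literal) => literal.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join("[a-zA-Z0-9.-]*");
  return new RegExp(`^${body}$`, "i");
}

// Exercise the validator on constructed inputs, including a Squid ACL injection
// attempt that smuggles a second directive behind a newline.
export function demoDomainValidation(): Record<string, boolean> {
  const injection = "example.com\nacl all src 0.0.0.0/0"; // constructed hostile input
  return {
    acceptsPlain: validateDomainPattern("registry.npmjs.org").ok,
    acceptsWildcard: validateDomainPattern("*.github.com").ok,
    rejectsEmpty: !validateDomainPattern("").ok,
    rejectsInjection: !validateDomainPattern(injection).ok,
    rejectsOverBroad: !validateDomainPattern(".*").ok,
    rejectsWildcardTld: !validateDomainPattern("github.*").ok,
    rejectsBadLabel: !validateDomainPattern("-bad.example.com").ok,
    wildcardMatches: patternToRegex("*.github.com").test("api.github.com"),
    wildcardStaysAnchored: !patternToRegex("*.github.com").test("github.com.evil.net"),
  };
}
```

The ordering matters: the unsafe-character check runs on the raw input before any normalisation, so a newline or `#` can never be folded away before it is seen, and the regex is only ever compiled from a pattern that has already passed all five layers.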
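The Input Validation section and recommendation M3 both concern operator-supplied strings that end up in a shell command or an iptables rule. The block below is an added example for this page, not the project's `src/parsers/shell-utils.ts` or `setup-iptables.sh`: it shows the alphanumeric fast path with single-quote escaping for everything else, a port check that rejects leading zeros for the bash-compatibility reason the review gives, and a strict dotted-quad check of the kind M3 asks for, then assembles a DNAT rule as argv so no shell is involved at all. The exact character sets, the `dnatRuleArgv` helper and the sample values are this example's own assumptions.

```typescript
// Added illustration (not the project's src/parsers/shell-utils.ts or
// setup-iptables.sh): the input checks the review describes, each written to
// fail closed on hostile or ambiguous input. Character sets, regexes and the
// helper names are this example's own assumptions.

// Safe fast path for arguments made of alphanumerics and a few inert characters;
// everything else is single-quoted, with any embedded single quote closed,
// backslash-escaped and reopened ('\'') so the shell never evaluates it.
export function shellQuote(arg: string): string {
  if (/^[a-zA-Z0-9_.:\/-]+$/.test(arg)) return arg;
  return `'${arg.replace(/'/g, "'\\''")}'`;
}

// Ports must be plain decimal with no leading zero: bash arithmetic treats a
// leading 0 as octal, so "010" would mean 8 on the container side and 10 here.
// Requiring the same canonical form on both sides removes the disagreement.
export function isValidPort(s: string): boolean {
  if (!/^(0|[1-9][0-9]{0,4})$/.test(s)) return false;
  const n = Number(s);
  return n >= 1 && n <= 65535;
}

// Strict dotted-quad: four decimal octets 0-255, no leading zeros, no shorthand.
// inet_aton-style parsers also accept "127.1", "0177.0.0.1" and "0x7f000001",
// so a value that merely "exists" can still name a different host than it appears to.
export function isValidIPv4(s: string): boolean {
  const parts = s.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Assemble an iptables DNAT rule as argv (no shell involved) after validating the
// operator-supplied pieces; the rendered string is only for logs and dry runs.
export function dnatRuleArgv(proxyIp: string, proxyPort: string, dport: string): string[] {
  if (!isValidIPv4(proxyIp)) throw new Error(`invalid proxy IP ${shellQuote(proxyIp)}`);
  if (!isValidPort(proxyPort) || !isValidPort(dport)) throw new Error("invalid port");
  return ["iptables", "-t", "nat", "-A", "OUTPUT", "-p", "tcp", "--dport", dport,
    "-j", "DNAT", "--to-destination", `${proxyIp}:${proxyPort}`];
}

export function renderCommand(argv: string[]): string {
  return argv.map(shellQuote).join(" ");
}

// Constructed sample inputs, including the substitution, leading-zero and
// shorthand cases the checks exist to catch.
export function demoInputValidation() {
  return {
    fastPath: shellQuote("registry.npmjs.org"),
    quotedSubstitution: shellQuote("$(id)"),
    quotedApostrophe: shellQuote("it's"),
    portOk: isValidPort("3128"),
    portLeadingZero: isValidPort("03128"),
    portZero: isValidPort("0"),
    ipOk: isValidIPv4("172.30.0.10"),
    ipShorthand: isValidIPv4("127.1"),
    ipOctal: isValidIPv4("0177.0.0.1"),
    rendered: renderCommand(dnatRuleArgv("172.30.0.10", "3128", "443")),
  };
}
```

Passing an argv array to the process spawner rather than a joined string is what makes the quoting a logging concern instead of a security boundary; `shellQuote` still matters wherever a command line is written into a script or a compose file that a shell will later parse.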