[plan] add automated firewall escape tests #309

@github-actions

Objective

Create automated test workflow that attempts to bypass the firewall through various attack vectors to validate defense-in-depth architecture.

Context

Current state: No dedicated firewall escape testing exists. Security posture validated through code review only.

Risk: Firewall could have undiscovered bypass vulnerabilities that static analysis doesn't catch.

Risk level: 🟡 MEDIUM - Missing validation of security controls

Implementation Approach

Create new GitHub Actions workflow .github/workflows/firewall-escape-test.yml with test scenarios:

Test Categories

  1. DNS Exfiltration Attempts
    • Try querying unauthorized DNS servers
    • Attempt DNS tunneling to exfiltrate data
    • Expected: All blocked, logged with [FW_BLOCKED_UDP]

  2. Port Scanning Attempts
    • Try connecting to dangerous ports (22, 3306, 5432)
    • Attempt ICMP ping to unauthorized hosts
    • Expected: All blocked by iptables

  3. iptables Rule Modification
    • Try iptables -F to flush rules
    • Attempt to add ACCEPT rule for all traffic
    • Expected: Permission denied (NET_ADMIN dropped)

  4. Container Escape Attempts
    • Try mount to access host filesystem
    • Attempt ptrace on host processes
    • Expected: Blocked by seccomp profile

  5. Protocol Bypass Attempts
    • Try QUIC/HTTP3 to bypass HTTP/HTTPS filtering
    • Attempt raw socket creation
    • Expected: NET_RAW capability missing

  6. Domain Pattern Bypass
    • Try overly broad patterns (*, *.*)
    • Attempt double-dot patterns (example..com)
    • Expected: Validation errors, container not started

Files to Create

  • .github/workflows/firewall-escape-test.yml - Main test workflow
  • tests/security/escape-attempts.ts - Test script with all attack vectors
  • tests/security/expected-blocks.json - Expected block patterns in logs

Files to Modify

  • README.md - Document security testing approach
  • .github/workflows/test-agent-all.yml - Add dependency on escape tests

Testing Strategy

Each test should:

  1. Attempt the bypass technique
  2. Verify it was blocked
  3. Check logs for expected block messages
  4. Report failure if bypass succeeded

Acceptance Criteria

  • All 6 test categories implemented
  • Tests run on every PR to main branch
  • Test failure blocks PR merge
  • Logs show which specific block mechanism prevented each attempt
  • Tests complete in < 5 minutes
  • Documentation explains security testing methodology

Related to [plan] security improvements from threat model review #306

AI generated by Plan Command for discussion #302
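
The verdict logic behind steps 2 to 4 of the Testing Strategy, as an added example that is not part of the issue or the project's code. It treats a failed attempt as blocked only when the expected mechanism is visible in the logs or in the error, so a timeout or a missing tool does not count as a pass. The record shapes, test ids, error patterns and sample log line are assumptions; only the [FW_BLOCKED_UDP] marker comes from the plan.

```typescript
// Added example. The Attempt / ExpectedBlock shapes are assumptions, not the project's schema.
interface Attempt {
  id: string;          // hypothetical test id
  succeeded: boolean;  // true if the connection / command / syscall went through
  error: string;       // error text the attempt returned ("" if none)
}
interface ExpectedBlock {
  id: string;
  logContains?: string[]; // substrings that must all appear in ONE firewall log line
  errorPattern?: string;  // regex the attempt's own error must match
}
interface Verdict { id: string; pass: boolean; reason: string }
function evaluate(a: Attempt, exp: ExpectedBlock, logs: string[]): Verdict {
  const fail = (reason: string): Verdict => ({ id: a.id, pass: false, reason });
  // Step 4: a bypass that worked is a failure regardless of what was logged.
  if (a.succeeded) return fail("bypass succeeded");
  // An expectation with no evidence requirement would pass on any error at all.
  if (!exp.logContains?.length && !exp.errorPattern) return fail("no block evidence defined");
  // Step 3: the block must be attributable to a log line from the expected mechanism.
  const want = exp.logContains;
  if (want && !logs.some(line => want.every(s => line.includes(s))))
    return fail("failed, but no matching block log line: " + want.join(" "));
  // Step 2: the error must be the one the control produces, not a timeout or missing tool.
  if (exp.errorPattern && !new RegExp(exp.errorPattern, "i").test(a.error))
    return fail("failed for an unexpected reason: " + a.error);
  return { id: a.id, pass: true, reason: "blocked as expected" };
}
// Run every expectation; a missing attempt result counts as a failure, not a skip.
function evaluateAll(attempts: Attempt[], expected: ExpectedBlock[], logs: string[]): Verdict[] {
  return expected.map(exp => {
    const a = attempts.find(x => x.id === exp.id);
    return a ? evaluate(a, exp, logs) : { id: exp.id, pass: false, reason: "test did not run" };
  });
}

// Constructed sample data (documentation addresses, invented log line and results).
const sampleLogs = [
  "kernel: [FW_BLOCKED_UDP] IN= OUT=eth0 SRC=172.30.0.20 DST=203.0.113.53 PROTO=UDP SPT=40112 DPT=53",
];
const sampleExpected: ExpectedBlock[] = [
  { id: "dns-unauthorized-server", logContains: ["[FW_BLOCKED_UDP]", "DPT=53"] },
  { id: "iptables-flush", errorPattern: "permission denied" },
  { id: "raw-socket", errorPattern: "operation not permitted" },
];
const sampleAttempts: Attempt[] = [
  { id: "dns-unauthorized-server", succeeded: false, error: "timed out" },
  { id: "iptables-flush", succeeded: false, error: "iptables: command not found" },
];
const sampleVerdicts = evaluateAll(sampleAttempts, sampleExpected, sampleLogs);
```

On the sample data only the DNS check passes: the iptables attempt failed because the binary was absent rather than because NET_ADMIN was dropped, and the raw-socket test never reported a result.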