feat(docker): propagate host.docker.internal DNS to spawned containers

[Copilot]

• Understand the issue: When --enable-host-access is used, spawned containers via docker-wrapper need host.docker.internal DNS resolution
• Pass AWF_ENABLE_HOST_ACCESS environment variable to agent container
• Modify docker-wrapper.sh to:
  • Allow --add-host host.docker.internal:host-gateway specifically when AWF_ENABLE_HOST_ACCESS=true
  • Inject --add-host host.docker.internal:host-gateway to spawned containers when enabled
• Add unit tests for the new functionality
• Run existing tests to ensure no regressions
• Run code review and security check
• Fix security vulnerability: Make AWF_ENABLE_HOST_ACCESS readonly in entrypoint.sh to prevent malicious code from tampering with the variable

Security Summary: Fixed environment variable tampering vulnerability identified by Security Guard. The AWF_ENABLE_HOST_ACCESS variable is now declared readonly in entrypoint.sh, preventing malicious code from enabling host access when it wasn't authorized.

Original prompt

configure Docker's /etc/hosts when --enable-host-access is used. The changes in this PR are a prerequisite (firewall allowlist), but the DNS resolution fix needs to be in AWF.

Custom agent used: create-agentic-workflow
Design agentic workflows using GitHub Agentic Workflows (gh-aw) extension with interactive guidance on triggers, tools, and security best practices.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	77.19%	77.22%	📈 +0.03%
Statements	77.27%	77.30%	📈 +0.03%
Functions	77.17%	77.17%	➡️ +0.00%
Branches	69.76%	69.81%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	75.9% → 76.0% (+0.15%)	75.2% → 75.4% (+0.15%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Security Review: PR #210

I've reviewed this PR for security implications. Overall, the changes are well-designed with appropriate security controls, but there is one security concern that should be addressed:

---

⚠️ Security Concern: Environment Variable Can Be Manipulated by Malicious Code

File: containers/agent/docker-wrapper.sh
Lines: 14, 118, 122

Issue:
The docker-wrapper script checks the AWF_ENABLE_HOST_ACCESS environment variable to decide whether to allow --add-host host.docker.internal:host-gateway. However, this environment variable is accessible to user code running inside the agent container, which means malicious code could potentially manipulate it.

Code snippet:

validate_add_host() {
  local value="$1"
  if [[ "$value" == "host.docker.internal:host-gateway" ]] && [[ "$AWF_ENABLE_HOST_ACCESS" == "true" ]]; then
    return 0  # Allowed
  fi
  return 1  # Blocked
}

Attack scenario:

1. User runs: awf --allow-domains example.com -- 'malicious-script.sh'
2. Malicious script sets: export AWF_ENABLE_HOST_ACCESS=true
3. Malicious script spawns container with: docker run --add-host host.docker.internal:host-gateway ...
4. This bypasses the intended restriction since the environment variable check passes

Impact:
This allows malicious code to enable host access even when the user didn't specify --enable-host-access, potentially allowing access to sensitive services on the host machine.

Suggested mitigation:
Make the environment variable read-only by exporting it as readonly in the agent container entrypoint, or use a different mechanism that cannot be modified by user code:

# In containers/agent/entrypoint.sh or docker-manager.ts
readonly AWF_ENABLE_HOST_ACCESS="${AWF_ENABLE_HOST_ACCESS:-false}"
export AWF_ENABLE_HOST_ACCESS

Alternatively, write the flag value to a file that's only writable by root and read it from there instead of using an environment variable.

---

✅ Security Controls Working Correctly

The following security controls are properly implemented:

1. Strict validation of --add-host values (lines 12-18, 40-60): Only allows host.docker.internal:host-gateway, blocks all other values
2. Conditional auto-injection (lines 118-136): Only auto-injects when the flag is enabled AND not already present
3. Proper logging (lines 98-101, 119): All security decisions are logged for audit
4. Defense-in-depth: The user still needs to explicitly allow host.docker.internal in --allow-domains for this to be useful

📝 Non-Security Observations

• Documentation updates appropriately warn users about the security implications (docs/usage.md lines 296-301)
• Unit tests verify the environment variable propagation behavior (src/docker-manager.test.ts)
• The feature is opt-in and requires explicit user action

---

Recommendation: Fix the environment variable manipulation vulnerability before merging. Consider using a read-only flag or file-based mechanism instead of a mutable environment variable.

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #210 🗺️

[Mossaka]

@copilot please address the comments from the security guard #210 (comment)

[Copilot]

@copilot please address the comments from the security guard #210 (comment)

Fixed in commit a27a2f8. Made AWF_ENABLE_HOST_ACCESS readonly in containers/agent/entrypoint.sh to prevent malicious code from tampering with the variable. The fix:

readonly AWF_ENABLE_HOST_ACCESS="${AWF_ENABLE_HOST_ACCESS:-false}"
export AWF_ENABLE_HOST_ACCESS

This prevents the attack scenario where malicious code could export AWF_ENABLE_HOST_ACCESS=true before spawning containers with --add-host host.docker.internal:host-gateway.

[github-actions]

🔒 Security Review: Critical Vulnerability Found

After reviewing this PR, I've identified a critical security vulnerability that must be fixed before merging.

❌ Critical Issue: Readonly Protection Can Be Bypassed in Subshells

Location: containers/agent/entrypoint.sh:104

The Problem:

The readonly declaration in entrypoint.sh does not protect against malicious code that runs in a subshell:

readonly AWF_ENABLE_HOST_ACCESS="${AWF_ENABLE_HOST_ACCESS:-false}"
export AWF_ENABLE_HOST_ACCESS

Why this is vulnerable:

Bash's readonly attribute does NOT inherit to subshells. While export makes the variable available to child processes, the readonly protection is lost when code creates a new shell.

Proof of Concept Attack:

# Attacker's malicious code inside the agent container:
bash -c 'AWF_ENABLE_HOST_ACCESS=true docker run alpine ping host.docker.internal'

This works because:

1. The subshell (bash -c) creates a new shell environment
2. The readonly attribute from the parent doesn't apply
3. The attacker overrides AWF_ENABLE_HOST_ACCESS=true
4. docker-wrapper.sh sees the fake "true" value and allows --add-host host.docker.internal:host-gateway
5. Result: Unauthorized host access enabled

✅ Recommended Fix

Replace the environment variable check with a filesystem-based check:

In containers/agent/entrypoint.sh (lines 101-106):

# Make host access configuration immutable via filesystem
# AWF_ENABLE_HOST_ACCESS controls host.docker.internal access in docker-wrapper.sh
if [ "$AWF_ENABLE_HOST_ACCESS" = "true" ]; then
  mkdir -p /etc/awf
  touch /etc/awf/host-access-enabled
  chmod 444 /etc/awf/host-access-enabled
  chown root:root /etc/awf/host-access-enabled
  echo "[entrypoint] Host access enabled (file marker created at /etc/awf/host-access-enabled)"
else
  echo "[entrypoint] Host access disabled"
fi

In containers/agent/docker-wrapper.sh (lines 12-18):

validate_add_host() {
  local value="$1"
  # Check for immutable file marker instead of environment variable
  if [[ "$value" == "host.docker.internal:host-gateway" ]] && [ -f "/etc/awf/host-access-enabled" ]; then
    return 0  # Allowed
  fi
  return 1  # Blocked
}

Also update line 118:

if [ -f "/etc/awf/host-access-enabled" ] && [ "$has_host_docker_internal" = false ]; then

This is secure because:

• The file is created as root in entrypoint.sh
• awfuser (non-root) cannot modify or create /etc/awf/host-access-enabled (chmod 444, chown root:root)
• Subshells cannot bypass filesystem permissions
• The check happens in docker-wrapper.sh which runs as the same user

Additional Notes

The rest of the PR implementation looks good:

• ✅ Strict validation only allows host.docker.internal:host-gateway
• ✅ Proper blocking of unsafe --add-host values
• ✅ No weakening of other security restrictions
• ✅ Unit tests added

Please apply the recommended fix to close this security vulnerability.

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #210 🗺️

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results (Claude)

Last 2 Merged PRs:

• ci: pin GitHub Actions to commit SHAs for supply chain security #266: ci: pin GitHub Actions to commit SHAs for supply chain security
• chore(deps): bump the github-actions group with 8 updates #284: chore(deps): bump the github-actions group with 8 updates

Test Results:

• ✅ GitHub MCP: Retrieved PR data
• ✅ Playwright: Navigated to github.com, title verified ("GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ File Write: Created test file with timestamp
• ✅ Bash: Verified file contents

Overall: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• ci: pin GitHub Actions to commit SHAs for supply chain security #266: ci: pin GitHub Actions to commit SHAs for supply chain security
• chore: delete existing firewall tests and migrate smoke tests #229: chore: delete existing firewall tests and migrate smoke tests

Test Results:

• ✅ GitHub MCP: Retrieved PR history
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-21092109370.txt
• ✅ Bash Tool: File verification successful
• ❌ Playwright: Installation timeout

Status: FAIL (Playwright timeout)

cc: @Mossaka

AI generated by Smoke Copilot

[Mossaka]

Closing PR to reduce backlog. Created issue #422 to track this work. Will fix it later.