AWF allowlist not enforced for plain-HTTP connections to numeric IPs; web-fetch may bypass proxy enforcement #23079

@szabta89

Summary

AWF (Agent Workflow Firewall) enforces domain allowlists for HTTPS CONNECT traffic but does not block direct plain-HTTP connections to numeric IP addresses. In a compiled workflow restricted to network.allowed: [defaults, github], a curl request to an external numeric IP (e.g., 8.8.8.8) succeeded — TCP connected and the remote host returned HTTP 400 — confirming egress bypassed AWF. Additionally, the web-fetch MCP tool appears to use an independent HTTP path not routed through AWF, enabling access to non-allowlisted domains. Both gaps contradict the documented deny-by-default enforcement model.

Affected Area

Network egress trust boundary — AWF domain allowlist enforcement (plain-HTTP path and MCP web-fetch path)

Reproduction Outline

  1. Compile a workflow with network.allowed: [defaults, github], Codex engine, and web-fetch MCP tool enabled.
  2. Run the compiled workflow in GitHub Actions.
  3. Execute curl -sS -m 5 -w 'http=%{http_code} remote=%{remote_ip}\n' (8.8.8.8/redacted) — observe exit=0 remote=8.8.8.8, confirming TCP egress to an off-allowlist numeric IP succeeded.
  4. Resolve an allowed domain to its IP (e.g., api.github.com → 140.82.113.6) and repeat; HTTPS CONNECT to that IP is blocked by AWF, but plain-HTTP is not intercepted.
  5. Use the web-fetch tool to fetch example.com directly and via a redirect chain (e.g., httpbin.org/redirectexample.com) — observe content returned from the non-allowlisted destination.

Observed Behavior

  • curl (8.8.8.8/redacted) exits 0 with http=400 remote=8.8.8.8, confirming TCP connection to an off-allowlist numeric IP was not blocked.
  • AWF blocks HTTPS CONNECT to example.com (confirmed in AWF warning output) but plain-HTTP connections are not intercepted.
  • web-fetch to example.com and redirect chains to example.com return page content (Example Domain), indicating web-fetch HTTP traffic is not routed through AWF.

Expected Behavior

All outbound TCP connections — regardless of protocol (HTTP vs HTTPS) and whether the destination is expressed as a domain name or numeric IP — should be blocked unless explicitly allowlisted. MCP tool egress (including web-fetch) should be subject to the same enforcement policy as shell-level egress.

Security Relevance

An attacker who can influence workflow execution (e.g., via prompt injection) can exfiltrate data or reach internal/external services by using plain-HTTP to numeric IPs or by directing the web-fetch MCP tool to non-allowlisted destinations. Because HTTPS CONNECT blocking is visibly working, the AWF warning output creates a false impression that all non-allowlisted egress is blocked. Reproducing the numeric-IP plain-HTTP path requires only shell access, which is available in any workflow with bash tools enabled.

gh-aw version: v0.63.0 (AWF v0.25.0)

Original finding: https://github.com/githubnext/gh-aw-security/issues/1522

Generated by File gh-aw Issue ·
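
The expected behavior in this report, modelled as an added example (not AWF or gh-aw code): one deny-by-default decision applied to every destination regardless of scheme, with IP literals never inheriting a domain rule and every redirect hop re-checked. The allowlist contents, the subdomain-matching rule, the function names and the probe records are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): stands in for whatever
# "network.allowed: [defaults, github]" expands to in a real build.
ALLOWED_DOMAINS = {"github.com", "api.github.com"}
ALLOWED_IPS = set()  # numeric destinations must be listed explicitly


def host_allowed(host):
    """Deny-by-default decision for one destination, independent of scheme."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: exact or subdomain match (matching rule is an assumption).
        return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
    # An IP literal never inherits a domain rule, even if an allowed name resolves to it.
    return str(ip) in ALLOWED_IPS


def url_allowed(url):
    """Same verdict for http:// and https://; unparseable input is denied."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_allowed(parts.hostname)


def chain_allowed(urls):
    """A fetch tool has to re-check every redirect hop, not only the first URL."""
    return all(url_allowed(u) for u in urls)


def audit(probes):
    """Probes that reached a destination the policy denies, i.e. enforcement gaps."""
    return [p for p in probes if p["reached"] and not url_allowed(p["url"])]


# Constructed probe results mirroring the observations reported in this issue.
PROBES = [
    {"path": "shell", "url": "http://8.8.8.8/", "reached": True},
    {"path": "shell", "url": "https://example.com/", "reached": False},
    {"path": "web-fetch", "url": "https://example.com/", "reached": True},
]
```

Running `audit(PROBES)` flags the plain-HTTP numeric-IP probe and the web-fetch probe, while the blocked HTTPS CONNECT probe is consistent with policy.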