feat: restrict DNS server calls to agent UID

[varunsh-coder]

Summary

• Restricts DNS server (port 443) firewall rules to only apply to the agent's UID in the OUTPUT chain, preventing other processes from using the agent's DNS allow rules
• Adds dist and local directories to .gitignore

Test plan

• Verify DNS resolution works correctly for the agent process
• Verify other processes cannot use the agent's DNS allow rules
• Confirm firewall rules are correctly applied with UID filtering in the OUTPUT chain

[step-security-bot]

Please find StepSecurity AI-CodeWise code comments below.

Code Comments

.gitignore

• [High]Add a newline at the end of the file
  POSIX standards recommend that text files end with a newline character. Many tools expect this, and omitting it can cause unintended behavior or issues in version control and compilation processes. (Source: "The POSIX specification" and Git documentation). Ensure that the '.gitignore' file ends with a single newline character by adding a blank line at the end.
• [Medium]Use consistent directory listing formatting in .gitignore
  Maintain consistent formatting for directory entries in '.gitignore' to improve readability and maintainability. For example, listing directories with trailing slashes clarifies intent. (Source: Git Pro Book - best practices for .gitignore files). Update all directory entries in '.gitignore' to have trailing slashes, e.g., 'vendor/' instead of 'vendor'.

firewall.go

• [High]Validate and handle errors from os.Getuid()
  The code uses os.Getuid() to obtain the user ID for UID filtering but does not handle the case where os.Getuid() might fail or behave unexpectedly (e.g., when running in a non-Unix environment). According to the Go documentation and best practices, system calls or environment-dependent calls should be validated or handled to avoid runtime panics or undefined behavior (https://golang.org/pkg/os/#Getuid). Add checks or abstraction around os.Getuid(), and handle or log the error or unexpected value if needed. For example, verify the UID is non-negative before using it in iptables rules.
• [High]Avoid repeated string formatting in a loop by precomputing agentUID
  In the patch, agentUID is computed as a string once before the loop for dnsServers, which is good. However, this is a general best practice to avoid repeated costly operations in loops, based on performance principles (https://golang.org/doc/effective_go#for). No change needed as the patch already implements this correctly.
• [Medium]Ensure direction and netInterface variables are validated or sanitized before use in iptables rules
  Network interface names and direction parameters are used directly in ipt.Append calls without sanitization. According to OWASP recommendations on injection attacks (https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html), inputs used in commands must be sanitized to prevent injection vulnerabilities. Implement input validation and sanitization for direction and netInterface parameters before using them in iptables commands.
• [Medium]Add comprehensive context to error wrapping
  The patch wraps errors with context describing the DNS server but does not mention the chain or rule details. According to Go error handling best practices (https://blog.golang.org/go1.13-errors), providing rich context in error messages improves debugging and maintenance. Include chain name and rule details in error messages for better observability, e.g. errors.Wrapf(err, "failed to add rule for DNS server %s on chain %s", dnsServer, chain).
• [Low]Use constants or enumerations for chain names and ports
  Hardcoded strings such as the chain name and port numbers reduce maintainability. The use of constants improves readability and reduces typos per Go best practices (https://golang.org/doc/effective_go#constants). Define constants for 'outputChain', port '443', and protocol 'tcp' in the package and use them instead of hardcoded literals.
• [Low]Document the purpose of UID filtering in code comments
  While a comment briefly states the purpose, more detailed explanation would help future maintainers understand the security rationale, which aligns with code maintainability best practices (https://google.github.io/styleguide/go/README.html#comments). Expand comment to explain why UID filtering is applied only to OUTPUT chain and implications for security.
• [Low]Consider adding unit tests for the new UID filtering logic
  New conditional logic for chain-specific UID filtering should be covered by unit or integration tests to ensure correctness and prevent regressions, based on testing best practices (https://testing.googleblog.com/2017/03/testing-on-toilet-best-practices-for.html). Add test cases that mock os.Getuid() and verify the correct addition of iptables rules for OUTPUT chain only.

Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create n GitHub issue in StepSecurity/AI-CodeWise.

[codecov]

Codecov Report

❌ Patch coverage is 76.92308% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.74%. Comparing base (1be8ea8) to head (7edc21b).
⚠️ Report is 22 commits behind head on main.

Files with missing lines	Patch %	Lines
firewall.go	76.92%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #469      +/-   ##
==========================================
- Coverage   62.78%   62.74%   -0.05%     
==========================================
  Files          17       18       +1     
  Lines        1932     1970      +38     
==========================================
+ Hits         1213     1236      +23     
- Misses        593      602       +9     
- Partials      126      132       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.