Fix/win approvals canonicalize #5602
Open
+317
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…sh; strip volatile args
… argv; sed-only canonicalization + neg test Implements cross-wrapper approval key normalization for PowerShell 5/7 (pwsh), cmd, Git Bash/MSYS2/MINGW, and WSL while keeping the sandbox policy intact. - Added `strip_wrapper()` to peel launchers: - wsl[.exe] [--|-e|--exec] (optional) bash -lc <real…> → <real…> - bash -lc <real…> → <real…> - cmd[.exe] /c <real…> → <real…> - powershell[.exe]/pwsh[.exe] [-NoProfile]* (-Command|-c) <real…> → <real…> - Added `canonicalize()`: - Preserves the full argv after wrapper stripping. - For `sed`, only normalizes the numeric range token (e.g., 10,20p → N,Np). - For `rg`, returns full argv unchanged (wrapper stripping alone unifies). - Matching order: RAW → STRIPPED → CANONICAL. - Added `ApprovalStore::get_any()` and `put_all()` for multi-key lookups/writes. - Added negative test `sed_canonicalization_does_not_cross_files` to verify `sed -n 10,20p safe.txt` does not match `sed -n 10,20p secrets.txt`. Security: No policy or sandbox expansion. Only de-duplicates approvals the user already granted. Tests: clippy clean, targeted tests passing: - approvals_match_across_windows_wrappers_and_sed_ranges - approvals_match_rg_across_pwsh_bash_and_preserve_pattern - shell_requires_initial_approval_for_dangerous_command - approvals_cache_allows_dangerous_command_across_wrappers - sed_canonicalization_does_not_cross_files Refs: openai#4212 openai#4603 openai#3691; addresses openai#5199 (MINGW persistence)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Persist approval keys across Windows shells and volatile args
Problem & intent
“Allow every time / for this session” approvals didn’t persist across Windows shells because approval keys included wrappers (
pwsh/cmd/wsl/bash -lc) or volatile args (e.g.,sedranges).Users were re‑prompted for equivalent actions that should have been considered identical approvals.
Before / After
Before
Approval keys were based on full
argv; wrapper or volatile‑arg differences caused repeated prompts for logically identical commands.After
sed, de‑noising numeric ranges.Scope of change
codex-rs/core/src/tools/runtimes/shell.rsstrip_wrapper()handleswsl/bash/cmd/pwsh/powershelllaunchers.canonicalize()preserves full argv; onlysedscript tokens normalized (digits →N).rguntouched.sed -n 10,20p safe.txt ≠ sed -n 10,20p secrets.txt.codex-rs/core/src/tools/sandboxing.rsApprovalStore::get_any()andput_all()implement ordered multi‑key lookup/store.Security effects
None. No new capabilities; deduplicates approvals already granted.
Approval caching remains scoped and sandbox‑checked.
Testing evidence
Static
cargo fmt(workspace): cleancargo clippy -p codex-core -- -D warnings→ cleanUnit tests (
cargo test -p codex-core)approvals_match_across_windows_wrappers_and_sed_rangesapprovals_match_rg_across_pwsh_bash_and_preserve_patternshell_requires_initial_approval_for_dangerous_commandapprovals_cache_allows_dangerous_command_across_wrapperssed_canonicalization_does_not_cross_filesAll targeted tests pass. Approval persistence verified across environments.
Notes
Checklist
sedranges normalized safelycargo fmt/clippycleancodex-core)