Skip to content

fix(core): canonicalize wrapper approvals and support heredoc prefix … #10941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dylan-hurd-oai merged 11 commits into from
Feb 10, 2026
Merged

fix(core): canonicalize wrapper approvals and support heredoc prefix … #10941

dylan-hurd-oai merged 11 commits into from
Feb 10, 2026
+440 −10

Conversation

@viyatb-oai
Copy link
Collaborator

@viyatb-oai viyatb-oai commented Feb 6, 2026

Summary

  • Reduced repeated approvals for equivalent wrapper commands and fixed execpolicy matching for heredoc-style shell invocations, with minimal behavior change and fail-closed defaults.

Fixes

  1. Canonicalized approval matching for wrappers so equivalent commands map to the same approval intent.
  2. Added heredoc-aware prefix extraction for execpolicy so commands like python3 <<'PY' ... PY match rules such as prefix_rule(["python3"], ...).
  3. Kept fallback behavior conservative: if parsing is ambiguous, existing prompt behavior is preserved.

Edge Cases Covered

  • Wrapper path/name differences: /bin/bash vs bash, /bin/zsh vs zsh.
  • Shell modes: -c and -lc.
  • Heredoc forms: quoted delimiter (<<'PY') and unquoted delimiter (<< PY).
  • Multi-command heredoc scripts are rejected by the fallback
  • Non-heredoc redirections (>, etc.) are not treated as heredoc prefix matches.
  • Complex scripts still fall back to prior behavior rather than expanding permissions.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 6, 2026
View reviewed changes
Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3964f175be

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

codex-rs/core/src/bash.rs
Comment on lines 215 to 219
"word" | "number" => {
words.push(child.utf8_text(src.as_bytes()).ok()?.to_owned());
}
// Allow shell constructs that attach IO to a single command without
// changing argv matching semantics for the executable prefix.
Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Ensure non-heredoc << scripts don’t bypass approvals

This parser accepts any word nodes verbatim, and parse_shell_lc_single_command_prefix is gated only by script.contains("<<"). That combination means scripts that merely contain << (e.g., arithmetic shift echo $((1<<2)) or a here‑string with command substitution like python3 <<< "$(rm -rf /)") can be reduced to a simple argv prefix and matched by prefix_rule, skipping approvals that previously triggered when word‑only parsing failed. This is a regression in safety: << in non‑heredoc contexts can now be used to bypass the intended “complex script” fallback. Consider verifying that the AST actually contains a heredoc redirect, and/or rejecting words that include expansions before returning a prefix.

Useful? React with 👍 / 👎.

dylan-hurd-oai
dylan-hurd-oai reviewed Feb 7, 2026
View reviewed changes
@dylan-hurd-oai dylan-hurd-oai merged commit 62d0f30 into main Feb 10, 2026
30 of 32 checks passed
@dylan-hurd-oai dylan-hurd-oai deleted the codex/viyatb/execpolicy-heredoc-canonicalization branch February 10, 2026 19:46
@github-actions github-actions bot locked and limited conversation to collaborators Feb 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@dylan-hurd-oai dylan-hurd-oai dylan-hurd-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@viyatb-oai @dylan-hurd-oai