Skip to content

adds a windows-specific method to check if a command is safe #4119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Sep 24, 2025
+38 −2
Merged

adds a windows-specific method to check if a command is safe #4119

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
3175f2b
refactor command safety into a module. Add a dummy one for Windows.
iceweasel-oai Sep 24, 2025
ed1cdf1
add a test for windows commands.
iceweasel-oai Sep 24, 2025
5988041
fix some lint errors.
iceweasel-oai Sep 24, 2025
ac4989e
another lint issue
iceweasel-oai Sep 24, 2025
26ab571
only use bash files in non-windows
iceweasel-oai Sep 24, 2025
2f5e161
command is currently unused in windows implementation.
iceweasel-oai Sep 24, 2025
8c5455e
fix return value
iceweasel-oai Sep 24, 2025
5f1178d
move non-windows into a new file as well.
iceweasel-oai Sep 24, 2025
798eba8
Revert "move non-windows into a new file as well."
iceweasel-oai Sep 24, 2025
4dce8f4
call existing safe logic after Windows specific version
iceweasel-oai Sep 24, 2025
d2b4835
lint fix
iceweasel-oai Sep 24, 2025
92c7705
better test name
iceweasel-oai Sep 24, 2025
3c36d04
lint fix
iceweasel-oai Sep 24, 2025
13f0876
lint fix
iceweasel-oai Sep 24, 2025
23dbb6f
add a commenting indicating WIP-ness of windows safe commands.
iceweasel-oai Sep 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion codex-rs/core/src/is_safe_command.rs → ...ore/src/command_safety/is_safe_command.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,14 @@ use crate::bash::try_parse_bash;
use crate::bash::try_parse_word_only_commands_sequence;

pub fn is_known_safe_command(command: &[String]) -> bool {
#[cfg(target_os = "windows")]
{
use super::windows_safe_commands::is_safe_command_windows;
if is_safe_command_windows(command) {
return true;
}
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is making me question whether we should be doing is_safe_to_call_with_exec() as it works today on Windows. Possibly only if you have Git Bash enabled or whatever it is on Windows and we're actually going to run the command through it? What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I originally had a version where only the new windows function is called and nothing after it. But there are some tests that are depending on the other safety checks being called (ie, Windows tests that use commands such as "ls"). I'm not sure if those tests are valid, but I left this for now to be conservative and not regress anything until I can learn more

Copy link
Collaborator

@bolinfest bolinfest Sep 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ls works in PowerShell by default, apparently. It works in cmd.exe on my machine, but probably due to Git Bash.

if is_safe_to_call_with_exec(command) {
return true;
}
Expand All @@ -24,7 +32,6 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
{
return true;
}

false
}

Expand Down
3 changes: 3 additions & 0 deletions codex-rs/core/src/command_safety/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
pub mod is_safe_command;
#[cfg(target_os = "windows")]
pub mod windows_safe_commands;
25 changes: 25 additions & 0 deletions codex-rs/core/src/command_safety/windows_safe_commands.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
// This is a WIP. This will eventually contain a real list of common safe Windows commands.
pub fn is_safe_command_windows(_command: &[String]) -> bool {
false
}

#[cfg(test)]
mod tests {
use super::is_safe_command_windows;

fn vec_str(args: &[&str]) -> Vec<String> {
args.iter().map(ToString::to_string).collect()
}

#[test]
fn everything_is_unsafe() {
for cmd in [
vec_str(&["powershell.exe", "-NoLogo", "-Command", "echo hello"]),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is a WIP, but wouldn't this be safe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, this is more just meant to test the current "everything is unsafe" behavior. It'll change shortly

vec_str(&["copy", "foo", "bar"]),
vec_str(&["del", "file.txt"]),
vec_str(&["powershell.exe", "Get-ChildItem"]),
] {
assert!(!is_safe_command_windows(&cmd));
}
}
}
3 changes: 2 additions & 1 deletion codex-rs/core/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ pub mod codex;
mod codex_conversation;
pub mod token_data;
pub use codex_conversation::CodexConversation;
mod command_safety;
pub mod config;
pub mod config_edit;
pub mod config_profile;
Expand All @@ -29,7 +30,6 @@ pub mod exec_env;
mod flags;
pub mod git_info;
pub mod internal_storage;
mod is_safe_command;
pub mod landlock;
mod mcp_connection_manager;
mod mcp_tool_call;
Expand Down Expand Up @@ -80,6 +80,7 @@ mod user_notification;
pub mod util;

pub use apply_patch::CODEX_APPLY_PATCH_ARG1;
pub use command_safety::is_safe_command;
pub use safety::get_platform_sandbox;
// Re-export the protocol types from the standalone `codex-protocol` crate so existing
// `codex_core::protocol::...` references continue to work across the workspace.
Expand Down
Loading