Conversation
This was referenced Jul 28, 2025
bolinfest
added a commit
that referenced
this pull request
Jul 28, 2025
Apparently `std::env::args()` will panic during iteration if any argument to the process is not valid Unicode: https://doc.rust-lang.org/std/env/fn.args.html Let's avoid the risk and just go with `std::env::args_os()`. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1698). * #1705 * #1703 * #1702 * __->__ #1698 * #1697
bolinfest
added a commit
that referenced
this pull request
Jul 28, 2025
This introduces some special behavior to the CLIs that are using the
`codex-arg0` crate where if `arg1` is `--codex-run-as-apply-patch`, then
it will run as if `apply_patch arg2` were invoked. This is important
because it means we can do things like:
```
SANDBOX_TYPE=landlock # or seatbelt for macOS
codex debug "${SANDBOX_TYPE}" -- codex --codex-run-as-apply-patch PATCH
```
which gives us a way to run `apply_patch` while ensuring it adheres to
the sandbox the user specified.
While it would be nice to use the `arg0` trick like we are currently
doing for `codex-linux-sandbox`, there is no way to specify the `arg0`
for the underlying command when running under `/usr/bin/sandbox-exec`,
so it will not work for us in this case.
Admittedly, we could have also supported this via a custom environment
variable (e.g., `CODEX_ARG0`), but since environment variables are
inherited by child processes, that seemed like a potentially leakier
abstraction.
This change, as well as our existing reliance on checking `arg0`, place
additional requirements on those who include `codex-core`. Its
`README.md` has been updated to reflect this.
While we could have just added an `apply-patch` subcommand to the
`codex` multitool CLI, that would not be sufficient for the standalone
`codex-exec` CLI, which is something that we distribute as part of our
GitHub releases for those who know they will not be using the TUI and
therefore prefer to use a slightly smaller executable:
https://github.com/openai/codex/releases/tag/rust-v0.10.0
To that end, this PR adds an integration test to ensure that the
`--codex-run-as-apply-patch` option works with the standalone
`codex-exec` CLI.
---
[//]: # (BEGIN SAPLING FOOTER)
Stack created with [Sapling](https://sapling-scm.com). Best reviewed
with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1702).
* #1705
* #1703
* __->__ #1702
* #1698
* #1697
bolinfest
added a commit
that referenced
this pull request
Jul 28, 2025
#1703) This is a straight refactor, moving apply-patch-related code from `codex.rs` and into the new `apply_patch.rs` file. The only "logical" change is inlining `#[allow(clippy::unwrap_used)]` instead of declaring `#![allow(clippy::unwrap_used)]` at the top of the file (which is currently the case in `codex.rs`). --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/openai/codex/pull/1703). * #1705 * __->__ #1703 * #1702 * #1698 * #1697
be2a1c3 to
a41375c
Compare
Collaborator
Author
|
/recheck |
Collaborator
Author
|
/cla recheck |
pakrym-oai
reviewed
Jul 29, 2025
| let path_to_codex = std::env::current_exe() | ||
| .ok() | ||
| .map(|p| p.to_string_lossy().to_string()); | ||
| let Some(path_to_codex) = path_to_codex else { |
Collaborator
There was a problem hiding this comment.
Should we even be returning to the model in this case?
Collaborator
Author
There was a problem hiding this comment.
I mean, it is possible the user has a non-UTF8 path to codex, so we would get it in our server logs to find out? I think that's better than just panic'ing.
pakrym-oai
reviewed
Jul 29, 2025
| }; | ||
| }; | ||
|
|
||
| let params = ExecParams { |
Collaborator
There was a problem hiding this comment.
Can we abstract this out of codex.rs? to some generic apply path function that does exec internally?
Collaborator
There was a problem hiding this comment.
codex.rs is getting huge
Collaborator
Author
There was a problem hiding this comment.
here, the goal is to generate (params, safety, command_for_display) so that everything else is the same as a normal exec, though
I can look at refactoring this large function in a follow-up though
khai-oai
approved these changes
Jul 29, 2025
pakrym-oai
approved these changes
Jul 30, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Building on the work of #1702, this changes how a shell call to
apply_patchis handled.Previously, a shell call to
apply_patchwas always handled in-process, never leveraging a sandbox. To determine whether theapply_patchoperation could be auto-approved, theis_write_patch_constrained_to_writable_paths()function would check if all the paths listed in the paths were writable. If so, the agent would apply the changes listed in the patch.Unfortunately, this approach afforded a loophole: symlinks!
stat FILEto see if the number of links is greater than 1, but then we would have to do something potentially expensive likefind . -inum <inode_number>to find the other paths forFILE. Further, even if this worked, this approach runs the risk of a TOCTOU race condition, so it is not robust.The solution, implemented in this PR, is to take the virtual execution of the
apply_patchCLI into an actual execution usingcodex --codex-run-as-apply-patch PATCH, which we can run under the sandbox the user specified, just like any othershellcall.This, of course, assumes that the sandbox prevents writing through symlinks as a mechanism to write to folders that are not in the writable set configured by the sandbox. I verified this by testing the following on both Mac and Linux:
Admittedly, this change merits a proper integration test, but I think I will have to do that in a follow-up PR.