fix(codex): guard sandbox http requests

[eleqtrizit]

Summary

Harden the Codex sandbox exec-server HTTP bridge so sandbox http/request rejects private/internal HTTP targets before dispatch and keeps the in-sandbox request path bound to validated DNS results.

Changes

• Add TypeScript-side URL scheme and host/IP preflight before buffered or streaming sandbox HTTP execution starts.
• Add in-sandbox Python checks for blocked hostnames, private/internal/special-use resolved addresses, redirect targets, cloud metadata literals, CGNAT/RFC2544 IPv4 ranges, deprecated site-local IPv6, and embedded IPv4 transition forms.
• Disable environment proxy handling for the bridge and pin validated DNS answers for the actual socket connection to avoid validation/connect drift.
• Cover blocked private, metadata-style, and Python-helper protected IP targets in the focused Codex sandbox HTTP tests.

Validation

• corepack pnpm install --frozen-lockfile
• corepack pnpm exec oxfmt --write --threads=1 extensions/codex/src/app-server/sandbox-exec-server/http.ts extensions/codex/src/app-server/sandbox-exec-server.http.test.ts
• node scripts/run-vitest.mjs extensions/codex/src/app-server/sandbox-exec-server.http.test.ts - passed, 1 file / 7 tests.
• git diff --check - passed.
• node scripts/check-src-extension-import-boundary.mjs --json - passed, [].
• node scripts/check-sdk-package-extension-import-boundary.mjs --json - passed, [].
• node scripts/check-test-helper-extension-import-boundary.mjs --json - passed, [].
• .agents/skills/autoreview/scripts/autoreview --mode local - clean, no accepted/actionable findings.

Real behavior proof:

• Behavior addressed: sandbox http/request blocks protected metadata/internal targets before backend execution, and the embedded sandbox HTTP helper independently blocks the same protected target class.
• Real environment tested: local OpenClaw checkout on branch 734, Node/Vitest test harness plus the generated shell/Python helper executed by bash and python3.
• Exact steps or command run after this patch: manual JSON-RPC bridge probe sent http/request for http://100.100.100.200/; manual embedded-helper probe executed SANDBOX_HTTP_REQUEST_SCRIPT with the same URL.
• Evidence after fix: JSON-RPC bridge probe returned blocked: true, backendCalls: 0, and Blocked hostname or private/internal IP in sandbox http/request: 100.100.100.200.
• Observed result after fix: embedded-helper probe exited with code 1, produced no stdout, and stderr ended with ValueError: Blocked hostname or private/internal/special-use IP address.
• What was not tested: a full remote Docker/SSH sandbox session with live external networking was not run; the focused bridge and helper proofs exercise the patched blocking paths directly without contacting the protected endpoint.

Notes

AI-assisted security hardening PR by @eleqtrizit. The related private tracking context is intentionally not expanded in this public PR body.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 3:22 PM ET / 19:22 UTC.

Summary
The PR adds Codex sandbox http/request host preflight, in-sandbox URL/DNS/redirect/IP checks, proxy disabling, DNS pinning, and focused blocked-target tests.

PR surface: Source +148, Tests +109. Total +257 across 2 files.

Reproducibility: yes. Current main source shows the sandbox HTTP helper accepts any HTTP(S) URL and calls urllib.request.urlopen after only a scheme check, so the unguarded private/internal target path is source-reproducible without running a live protected endpoint.

Review metrics: 2 noteworthy metrics.

• Sandbox HTTP guard layers: 2 added. The PR adds both TypeScript pre-dispatch blocking and an in-sandbox Python DNS/redirect/IP guard, which is the core boundary maintainers must validate.
• Proxy behavior: 1 changed. The embedded helper disables environment proxy handling, which matters because proxy env could otherwise bypass local target validation.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Get maintainer/security-owner approval for the fail-closed private/internal target policy and upgrade impact.
• [P2] Consider adding redacted remote Docker or SSH sandbox proof that a protected target is blocked and an ordinary public HTTP target still succeeds.

Risk before merge

• [P1] Merging intentionally makes Codex sandbox HTTP fail closed for private, internal, special-use, metadata, and proxy-mediated targets, so any existing sandbox MCP/OAuth flow that relied on those targets would stop working unless maintainers accept that as the desired boundary.
• [P1] The PR carries the protected maintainer label and references private tracking context, so final policy scope should be accepted by a maintainer/security owner before merge.
• [P1] The PR body has focused bridge/helper proof, but it does not include a full remote Docker or SSH sandbox session with live external networking.

Maintainer options:

1. Owner-accept fail-closed sandbox HTTP (recommended)
   A maintainer/security owner can approve the PR as a deliberate security-boundary hardening after confirming private/internal sandbox HTTP targets should now fail closed.
2. Require remote sandbox proof first
   Before merge, ask for a redacted Docker or SSH sandbox run that shows a blocked protected target and a normal public HTTP target still working through the real remote path.
3. Pause if private-network HTTP remains supported
   If maintainers want existing private/internal sandbox HTTP workflows to keep working, pause this PR and design an explicit policy/opt-in path instead of merging the unconditional block.

Next step before merge

• [P2] The remaining action is maintainer/security-owner review of the protected security boundary and compatibility impact, not an automated repair.

Security
Cleared: The diff narrows sandbox HTTP egress and does not add dependency, workflow, secret, package, or supply-chain changes; the remaining security item is owner acceptance of the boundary policy.

Review details

Best possible solution:

Land the fail-closed sandbox HTTP guard only after owner review confirms the protected-target policy and upgrade impact, keeping the bridge aligned with shared OpenClaw net-policy and the Codex http/request contract.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main source shows the sandbox HTTP helper accepts any HTTP(S) URL and calls urllib.request.urlopen after only a scheme check, so the unguarded private/internal target path is source-reproducible without running a live protected endpoint.

Is this the best way to solve the issue?

Yes, with owner approval. The best fix layer is the OpenClaw sandbox exec-server bridge because Codex forwards executor HTTP through http/request; the remaining decision is accepting the fail-closed compatibility impact for private/internal targets.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b9cb3bd3a36.

Label changes

Label changes:

• add merge-risk: 🚨 compatibility: Existing setups that relied on private, internal, special-use, or proxy-mediated sandbox HTTP targets may fail closed after merge.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes copied after-fix live output from a manual JSON-RPC bridge probe and embedded-helper probe showing a protected metadata target is blocked; no contributor action is required for this gate.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body now includes copied after-fix live output from a manual JSON-RPC bridge probe and embedded-helper probe showing a protected metadata target is blocked; no contributor action is required for this gate.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: This hardens an active Codex sandbox security boundary that can affect real remote HTTP tool traffic.
• merge-risk: 🚨 security-boundary: The diff changes which HTTP targets sandboxed Codex requests are allowed to reach and prevents private/internal target access.
• merge-risk: 🚨 compatibility: Existing setups that relied on private, internal, special-use, or proxy-mediated sandbox HTTP targets may fail closed after merge.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body now includes copied after-fix live output from a manual JSON-RPC bridge probe and embedded-helper probe showing a protected metadata target is blocked; no contributor action is required for this gate.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes copied after-fix live output from a manual JSON-RPC bridge probe and embedded-helper probe showing a protected metadata target is blocked; no contributor action is required for this gate.

Evidence reviewed

PR surface:

Source +148, Tests +109. Total +257 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	154	6	+148
Tests	1	110	1	+109
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	264	7	+257

What I checked:

• Current main sandbox HTTP gap: Current main builds a sandbox HTTP request from the JSON-RPC URL and the embedded Python helper only checks the scheme before calling urllib.request.urlopen, so host/IP/DNS/redirect targets are not guarded on main. (extensions/codex/src/app-server/sandbox-exec-server/http.ts:276, 5b9cb3bd3a36)
• PR head adds host-side and in-sandbox guards: The PR head calls assertSandboxHttpRequestTargetAllowed before backend dispatch and adds Python-side hostname/IP checks, DNS resolution validation, redirect validation, proxy disabling, and pinned getaddrinfo for the actual socket path. (extensions/codex/src/app-server/sandbox-exec-server/http.ts:58, 469c26c2ede2)
• PR head test coverage: The PR adds tests for host-side blocking before buffered and streaming backends start, plus direct execution of the embedded helper against metadata and IPv6 transition forms. (extensions/codex/src/app-server/sandbox-exec-server.http.test.ts:104, 469c26c2ede2)
• Shared SSRF policy contract: OpenClaw's shared SSRF helpers classify private/internal/special-use hosts and resolved addresses through isBlockedHostnameOrIp, backed by net-policy handling for metadata IPs, deprecated site-local IPv6, and embedded IPv4 transition forms. (src/infra/net/ssrf.ts:300, 5b9cb3bd3a36)
• Codex dependency contract checked: Sibling Codex source defines http/request as the executor-side HTTP RPC and its reqwest runner validates method/scheme but otherwise sends the request, so OpenClaw's external sandbox bridge is the right place to enforce OpenClaw-specific target policy. (../codex/codex-rs/exec-server/src/protocol.rs:330, 99da697e4c5c)
• Codex caller path checked: Codex's RMCP streamable HTTP adapter sends MCP POST/GET/DELETE traffic through HttpRequestParams, confirming this bridge is used for remote HTTP rather than a one-off unused method. (../codex/codex-rs/rmcp-client/src/http_client_adapter.rs:128, 99da697e4c5c)

Likely related people:

• vincentkoc: Local blame and history show vincentkoc carrying the current sandbox exec-server HTTP helper and recent Codex sandbox HTTP hardening work. (role: recent area contributor; confidence: high; commits: 1727ec7b2dca, 7b5f0c23e54d; files: extensions/codex/src/app-server/sandbox-exec-server/http.ts, extensions/codex/src/app-server/sandbox-exec-server.http.test.ts)
• steipete: GitHub path history shows repeated recent work on SSRF, net-policy extraction, and Codex sandbox HTTP documentation, which is directly adjacent to this policy decision. (role: adjacent security policy owner; confidence: high; commits: 29e9625b18cd, 53aa5232bc00, f4c6c0aec49e; files: src/infra/net/ssrf.ts, packages/net-policy/src/ip.ts, extensions/codex/src/app-server/sandbox-exec-server/http.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[eleqtrizit]

Behavioral proof for ClawSweeper

This is the follow-up proof for ClawSweeper's remaining P2 suggestion: show a real http/request bridge run where a protected target is blocked and an ordinary public HTTP target still succeeds.

Behavior addressed: Codex sandbox exec-server http/request now fails closed for protected private/internal/special-use targets before backend execution, while still allowing ordinary public HTTP(S) requests through the sandbox HTTP helper.

Real environment tested: local OpenClaw checkout on branch 734 at 469c26c2ede2eea185a8a0a022dd316abc30eb81, Node v22.22.2, Python 3.12.3. The probe started the OpenClaw sandbox exec-server, connected over its live WebSocket JSON-RPC URL, and used a backend implementation that actually executed the embedded SANDBOX_HTTP_REQUEST_SCRIPT through bash/python3.

Exact steps or command run after this patch:

• node scripts/run-vitest.mjs extensions/codex/src/app-server/sandbox-exec-server.http.test.ts
• Manual WebSocket JSON-RPC probe:
  • initialize
  • http/request for https://example.com/
  • http/request for http://100.100.100.200/
• Manual embedded-helper probe:
  • https://example.com/
  • http://100.100.100.200/
  • http://metadata.google.internal/

Evidence after fix:

{
  "execServerUrlProtocol": "ws://127.0.0.1:34145/<auth-path>",
  "allowed": {
    "status": 200,
    "bodyBytes": 559
  },
  "blocked": {
    "error": "Blocked hostname or private/internal IP in sandbox http/request: 100.100.100.200"
  },
  "backendRunCount": 1,
  "backendRuns": [
    {
      "code": 0,
      "elapsedMs": 5111,
      "stdoutBytes": 1278,
      "stderrTail": [""]
    }
  ]
}

Observed result after fix:

• The public request succeeded through the live JSON-RPC bridge with HTTP 200 and a non-empty body.
• The protected metadata-style IP was rejected at the TypeScript pre-dispatch guard.
• backendRunCount stayed 1, proving the blocked request did not start the backend helper; the only backend execution was the allowed public request.
• The embedded helper independently allowed https://example.com/ and rejected protected destinations:

{"label":"allowed-public","url":"https://example.com/","code":0,"elapsedMs":5129,"status":200,"bodyBytes":559,"stdoutBytes":1275,"stderrTail":[""]}
{"label":"blocked-metadata-ip","url":"http://100.100.100.200/","code":1,"elapsedMs":41,"status":null,"bodyBytes":0,"stdoutBytes":0,"stderrTail":["    raise ValueError(\"Blocked hostname or private/internal/special-use IP address\")","ValueError: Blocked hostname or private/internal/special-use IP address"]}
{"label":"blocked-metadata-host","url":"http://metadata.google.internal/","code":1,"elapsedMs":43,"status":null,"bodyBytes":0,"stdoutBytes":0,"stderrTail":["    raise ValueError(\"Blocked hostname or private/internal/special-use IP address\")","ValueError: Blocked hostname or private/internal/special-use IP address"]}

Validation:

[test] starting test/vitest/vitest.extension-codex.config.ts
Test Files  1 passed (1)
Tests       7 passed (7)
[test] passed 1 Vitest shard in 6.32s

Shipped/current behavior proof:

• Latest published npm version checked: openclaw@2026.6.5.
• Tag v2026.6.5 still accepts record.url and passes it into runShellCommand without host/IP validation in extensions/codex/src/app-server/sandbox-exec-server/http.ts:23-64.
• Tag v2026.6.5 Python helper still checks only http/https before urllib.request.urlopen in extensions/codex/src/app-server/sandbox-exec-server/http.ts:276-297.
• PR head adds assertSandboxHttpRequestTargetAllowed before buffered or streaming backend execution in extensions/codex/src/app-server/sandbox-exec-server/http.ts:24-75, then adds Python DNS/IP/redirect/proxy/pinned-address validation in extensions/codex/src/app-server/sandbox-exec-server/http.ts:255-443.

Policy and compatibility note:

This proof supports the hardening/parity fix. It does not change the policy decision ClawSweeper called out: maintainers/security owners still need to accept that sandbox http/request should fail closed for private/internal/special-use and proxy-mediated targets. Under the current OpenClaw trust model, this is still best framed as deliberate boundary hardening/parity unless a separate path is shown where a caller can invoke http/request without equivalent sandbox process/start capability.

Codex dependency note:

The required literal sibling clone ../codex could not be created in this container because /codex is not writable (Permission denied). I inspected a fallback upstream clone at /tmp/codex, commit 99da697e4c5c1fc908732a58b6548bf9cc227f83, as supplemental dependency evidence only. Files checked:

• codex-rs/exec-server/src/protocol.rs:13-36: process/start and http/request are methods on the same exec-server protocol.
• codex-rs/exec-server/src/protocol.rs:330-364: HttpRequestParams is the executor-side HTTP request envelope.
• codex-rs/exec-server/src/client/rpc_http_client.rs:1-88: the orchestrator forwards http/request to the remote runtime over JSON-RPC.
• codex-rs/rmcp-client/src/http_client_adapter.rs:128-138, 235-245, 304-314: Streamable HTTP MCP POST/DELETE/GET traffic uses HttpRequestParams.

[eleqtrizit]

Relevance

The advisory targets a shipped production path in the Codex sandbox exec-server http/request handler. The fix is in-scope hardening that adds SSRF guardrails to a path that previously had only scheme validation before forwarding URLs to urllib.request.urlopen(). All three relevance checks confirmed the issue is in scope, not already fixed on main, and reasonably hardenable without breaking compatibility.

Compatibility

The change is safe from a compatibility standpoint. The TypeScript import uses the existing plugin-safe SDK subpath openclaw/plugin-sdk/ssrf-runtime, which is already exported by the plugin SDK. No public API types, config schemas, CLI flags, gateway protocol messages, or documented behavior changed. The only user-visible runtime change is intentional security hardening — private/internal/special-use destinations now fail before sandbox backend execution. No existing public contract promised that sandbox http/request could reach those destinations.

ClawSweeper

ClawSweeper reviewed the initial commit and identified two P1 blockers: the Python in-sandbox SSRF classifier missed cloud metadata addresses and site-local IPv6 targets that OpenClaw net-policy explicitly blocks, and real behavior proof was missing. Both have been addressed in the current branch head — the Python classifier was extended with comprehensive coverage including cloud metadata literals, CGNAT/RFC2544 ranges, blocked IPv6 special-use ranges, and embedded IPv4 transition form detection, and real behavior proof was posted showing the patched bridge blocking protected targets while ordinary public HTTP still succeeds through the live JSON-RPC bridge.

Code Reviews Completed

Multiple code reviews were completed across the full lifecycle of the PR. All reviews agreed on the architectural soundness of the two-layer defense (TypeScript preflight + Python in-sandbox guard), the correct plugin boundary usage, and the narrow scope. The policy gap identified in the first pass was fixed and confirmed clean in the final code review.

---

Complete Verification Table

Check	Status
Unit tests — 7 tests passing (TypeScript preflight + Python in-sandbox guard)	✅ Passed
Import boundary checks — src, SDK, and test-helper boundaries	✅ All clean
Autoreview — no accepted/actionable findings	✅ Clean
git diff --check — no whitespace errors	✅ Passed
CI — lint	✅ Passed
CI — prod types	✅ Passed
CI — test types	✅ Passed
CI — security-fast	✅ Passed
CI — dependency guard	✅ Passed
CI — OpenGrep	✅ Passed
CI — Real behavior proof	✅ Passed
CI — extension boundary checks	✅ Passed
Relevance checks — in scope, not already fixed, reasonable hardening	✅ All confirmed
Compatibility checks — API, config, CLI, protocol, plugin boundary	✅ All safe
Code reviews — initial pass, policy gap identified and fixed, final clean review	✅ Complete
Real behavior proof — live WebSocket JSON-RPC bridge probe with allowed public request and blocked protected target	✅ Posted on PR
DNS-rebinding defense — DNS pinning via monkey-patched socket.getaddrinfo	✅ Implemented
Redirect validation — GuardedRedirectHandler validates all redirect targets	✅ Implemented
Proxy disabling — ProxyHandler({}) prevents host-side proxy inheritance	✅ Implemented
Python policy parity — cloud metadata, site-local IPv6, CGNAT, RFC2544, embedded IPv4 transition forms	✅ Matches net-policy