fix: don't auto approve git -C ... (#20085)

It's safer to make sure these commands go through approval flows.
2026-05-17 01:32:32 +00:00 · 2026-04-28 15:06:55 -07:00
parent 66b0781502
commit 2e598df6fc
2 changed files with 33 additions and 16 deletions
--- a/codex-rs/shell-command/src/command_safety/is_dangerous_command.rs
+++ b/codex-rs/shell-command/src/command_safety/is_dangerous_command.rs
@@ -58,7 +58,10 @@ fn is_git_global_option_with_inline_value(arg: &str) -> bool {
 pub(crate) fn git_global_option_requires_prompt(arg: &str) -> bool {
    matches!(
        arg,
-        "-c" | "--config-env"
+        // `-C` can redirect Git into a repo whose config runs helpers such as
+        // `core.fsmonitor` during read-only commands like `status`.
+        "-C" | "-c"
+            | "--config-env"
            | "--exec-path"
            | "--git-dir"
            | "--namespace"
@@ -66,7 +69,7 @@ pub(crate) fn git_global_option_requires_prompt(arg: &str) -> bool {
            | "--work-tree"
    ) || matches!(
        arg,
-        s if (s.starts_with("-c") && s.len() > 2)
+        s if ((s.starts_with("-C") || s.starts_with("-c")) && s.len() > 2)
            || s.starts_with("--config-env=")
            || s.starts_with("--exec-path=")
            || s.starts_with("--git-dir=")
@@ -181,4 +184,10 @@ mod tests {
    fn rm_f_is_dangerous() {
        assert!(command_might_be_dangerous(&vec_str(&["rm", "-f", "/"])));
    }
+
+    #[test]
+    fn git_dash_c_requires_prompt() {
+        assert!(git_global_option_requires_prompt("-C"));
+        assert!(git_global_option_requires_prompt("-C/path/to/repo"));
+    }
 }
--- a/codex-rs/shell-command/src/command_safety/is_safe_command.rs
+++ b/codex-rs/shell-command/src/command_safety/is_safe_command.rs
@@ -331,20 +331,19 @@ mod tests {

    #[test]
    fn git_branch_global_options_respect_safety_rules() {
-        use pretty_assertions::assert_eq;
-
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["git", "-C", ".", "branch", "--show-current"])),
-            true
-        );
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["git", "-C", ".", "branch", "-d", "feature"])),
-            false
-        );
-        assert_eq!(
-            is_known_safe_command(&vec_str(&["bash", "-lc", "git -C . branch -d feature",])),
-            false
-        );
+        assert!(is_known_safe_command(&vec_str(&[
+            "git",
+            "branch",
+            "--show-current",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&[
+            "git", "branch", "-d", "feature",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&[
+            "bash",
+            "-lc",
+            "git branch -d feature",
+        ])));
    }

    #[test]
@@ -381,6 +380,10 @@ mod tests {

    #[test]
    fn git_global_override_flags_are_not_safe() {
+        assert!(!is_known_safe_command(&vec_str(&[
+            "git", "-C", ".", "status",
+        ])));
+        assert!(!is_known_safe_command(&vec_str(&["git", "-C.", "status",])));
        assert!(!is_known_safe_command(&vec_str(&[
            "git",
            "-c",
@@ -415,6 +418,11 @@ mod tests {
            );
        }

+        assert!(!is_known_safe_command(&vec_str(&[
+            "bash",
+            "-lc",
+            "git -C .project-deps/test-fixtures status",
+        ])));
        assert!(!is_known_safe_command(&vec_str(&[
            "bash",
            "-lc",