Windows: flag some invocations that launch browsers/URLs as dangerous (#7111)

Prevent certain Powershell/cmd invocations from reaching the sandbox when they are trying to launch a browser, or run a command with a URL, etc.
2026-04-24 22:54:54 +00:00 · 2025-11-21 13:36:17 -08:00
parent a0434bbdb4
commit 3bdcbc7292
6 changed files with 336 additions and 3 deletions
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1131,11 +1131,13 @@ dependencies = [
 "libc",
 "maplit",
 "mcp-types",
+ "once_cell",
 "openssl-sys",
 "os_info",
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
+ "regex",
 "regex-lite",
 "reqwest",
 "seccompiler",
@@ -1161,6 +1163,7 @@ dependencies = [
 "tracing-test",
 "tree-sitter",
 "tree-sitter-bash",
+ "url",
 "uuid",
 "walkdir",
 "which",