core: resolve host_executable() rules during preflight (#13065)

## Why [#12964](https://github.com/openai/codex/pull/12964) added `host_executable()` support to `codex-execpolicy`, and [#13046](https://github.com/openai/codex/pull/13046) adopted it in the zsh-fork interception path. The remaining gap was the preflight execpolicy check in `core/src/exec_policy.rs`. That path derives approval requirements before execution for `shell`, `shell_command`, and `unified_exec`, but it was still using the default exact-token matcher. As a result, a command that already included an absolute executable path, such as `/usr/bin/git status`, could still miss a basename rule like `prefix_rule(pattern = ["git"], ...)` during preflight even when the policy also defined a matching `host_executable(name = "git", ...)` entry. This PR brings the same opt-in `host_executable()` resolution to the preflight approval path when an absolute program path is already present in the parsed command. ## What Changed - updated `ExecPolicyManager::create_exec_approval_requirement_for_command()` in `core/src/exec_policy.rs` to use `check_multiple_with_options(...)` with `MatchOptions { resolve_host_executables: true }` - kept the existing shell parsing flow for approval derivation, but now allow basename rules to match absolute executable paths during preflight when `host_executable()` permits it - updated requested-prefix amendment evaluation to use the same host-executable-aware matching mode, so suggested `prefix_rule()` amendments are checked consistently for absolute-path commands - added preflight coverage for: - absolute-path commands that should match basename rules through `host_executable()` - absolute-path commands whose paths are not in the allowed `host_executable()` mapping - requested prefix-rule amendments for absolute-path commands ## Verification - `just fix -p codex-core` - `cargo test -p codex-core --lib exec_policy::tests::`
2026-05-03 10:56:37 +00:00 · 2026-02-28 09:25:30 -08:00
parent 74e5150b1e
commit 6a673e7339
3 changed files with 175 additions and 7 deletions
--- a/codex-rs/shell-command/src/command_safety/is_dangerous_command.rs
+++ b/codex-rs/shell-command/src/command_safety/is_dangerous_command.rs
@@ -1,4 +1,5 @@
 use crate::bash::parse_shell_lc_plain_commands;
+use std::path::Path;
 #[cfg(windows)]
 #[path = "windows_dangerous_commands.rs"]
 mod windows_dangerous_commands;
@@ -52,6 +53,32 @@ fn is_git_global_option_with_inline_value(arg: &str) -> bool {
    ) || ((arg.starts_with("-C") || arg.starts_with("-c")) && arg.len() > 2)
 }

+pub(crate) fn executable_name_lookup_key(raw: &str) -> Option<String> {
+    #[cfg(windows)]
+    {
+        Path::new(raw)
+            .file_name()
+            .and_then(|name| name.to_str())
+            .map(|name| {
+                let name = name.to_ascii_lowercase();
+                for suffix in [".exe", ".cmd", ".bat", ".com"] {
+                    if let Some(stripped) = name.strip_suffix(suffix) {
+                        return stripped.to_string();
+                    }
+                }
+                name
+            })
+    }
+
+    #[cfg(not(windows))]
+    {
+        Path::new(raw)
+            .file_name()
+            .and_then(|name| name.to_str())
+            .map(std::borrow::ToOwned::to_owned)
+    }
+}
+
 /// Find the first matching git subcommand, skipping known global options that
 /// may appear before it (e.g., `-C`, `-c`, `--git-dir`).
 ///
@@ -61,7 +88,7 @@ pub(crate) fn find_git_subcommand<'a>(
    subcommands: &[&str],
 ) -> Option<(usize, &'a str)> {
    let cmd0 = command.first().map(String::as_str)?;
-    if !cmd0.ends_with("git") {
+    if executable_name_lookup_key(cmd0).as_deref() != Some("git") {
        return None;
    }