clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-15 08:42:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: keep proxy feature gated by network access

Browse Source 
Co-authored-by: Codex noreply@openai.com
This commit is contained in:
viyatb-oai
2026-05-01 18:11:08 -07:00
parent 17b5bb3fdf
commit 79be3299b3
3 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
codex-rs/core/src/config/config_tests.rs
View File

@@ -839,8 +839,7 @@ async fn permissions_profiles_proxy_policy_does_not_start_managed_network_proxy_
}
#[tokio::test]
async fn network_proxy_feature_starts_proxy_without_enabling_sandbox_network() -> std::io::Result<()>
{
async fn network_proxy_feature_is_no_op_without_sandbox_network() -> std::io::Result<()> {
let codex_home = TempDir::new()?;
let cwd = TempDir::new()?;
let config = Config::load_from_base_config_with_overrides(
@@ -860,13 +859,10 @@ async fn network_proxy_feature_starts_proxy_without_enabling_sandbox_network() -
config.permissions.network_sandbox_policy(),
NetworkSandboxPolicy::Restricted
);
let network = config
.permissions
.network
.as_ref()
.expect("network_proxy should start the managed network proxy");
assert_eq!(network.proxy_host_and_port(), "127.0.0.1:3128");
assert!(network.socks_enabled());
assert!(
config.permissions.network.is_none(),
"network_proxy should not start the managed network proxy while network access is off"
);
Ok(())
}
@@ -1004,7 +1000,7 @@ async fn network_proxy_feature_matrix_preserves_sandbox_network_semantics() -> s
);
assert_eq!(
config.permissions.network.is_some(),
case.proxy_enabled,
case.network_enabled && case.proxy_enabled,
"{}",
case.name
);
@@ -1017,6 +1013,15 @@ async fn network_proxy_feature_matrix_preserves_sandbox_network_semantics() -> s
async fn network_proxy_cli_overrides_merge_toggle_with_proxy_config() -> std::io::Result<()> {
let codex_home = TempDir::new()?;
let cwd = TempDir::new()?;
std::fs::write(
codex_home.path().join(CONFIG_TOML_FILE),
r#"
sandbox_mode = "workspace-write"
[sandbox_workspace_write]
network_access = true
"#,
)?;
let config = ConfigBuilder::without_managed_config_for_tests()
.codex_home(codex_home.path().to_path_buf())
.cli_overrides(vec![
@@ -1024,10 +1029,6 @@ async fn network_proxy_cli_overrides_merge_toggle_with_proxy_config() -> std::io
"features.network_proxy.enabled".to_string(),
toml::Value::Boolean(true),
),
(
"features.network_proxy.proxy_url".to_string(),
toml::Value::String("http://127.0.0.1:43128".to_string()),
),
(
"features.network_proxy.enable_socks5".to_string(),
toml::Value::Boolean(false),
@@ -1042,14 +1043,14 @@ async fn network_proxy_cli_overrides_merge_toggle_with_proxy_config() -> std::io
assert_eq!(
config.permissions.network_sandbox_policy(),
NetworkSandboxPolicy::Restricted
NetworkSandboxPolicy::Enabled
);
let network = config
.permissions
.network
.as_ref()
.expect("network_proxy should start the managed network proxy");
assert_eq!(network.proxy_host_and_port(), "127.0.0.1:43128");
assert_eq!(network.proxy_host_and_port(), "127.0.0.1:3128");
assert!(!network.socks_enabled());
Ok(())
}

2
codex-rs/core/src/config/mod.rs
View File

@@ -2521,7 +2521,7 @@ impl Config {
None,
)
};
if enable_network_proxy {
if enable_network_proxy && permission_profile.network_sandbox_policy().is_enabled() {
if let Some(network_proxy) = network_proxy_toml_config(cfg.features.as_ref()) {
apply_network_proxy_feature_config(
&mut configured_network_proxy_config,

4
codex-rs/core/src/config/permissions.rs
View File

@@ -118,8 +118,8 @@ pub(crate) fn network_proxy_config_from_profile_network(
NetworkToml::to_network_proxy_config,
);
// Profile `network.enabled` controls sandbox network access. Profiles may
// provide proxy settings for the feature gate to consume, but they do not
// start the managed proxy on their own.
// provide proxy settings for the feature gate to consume when that network
// access is enabled, but they do not start the managed proxy on their own.
config.network.enabled = false;
config
}