mirror of
https://github.com/openai/codex.git
synced 2026-05-19 02:33:10 +00:00
## Summary

- Add a testable DNS lookup helper for the local or private host precheck while preserving production `lookup_host` behavior.
- Add deterministic coverage for DNS timeout, lookup error, private resolution, and public resolution decisions.
- Keep BUGB 15982 guarded without relying on ambient DNS timing or resolver behavior.

## Why

BUGB 15982 was fixed by failing closed on DNS lookup errors and timeouts. The existing regression covered lookup failure through real DNS, but did not deterministically exercise the timeout branch. This PR adds a small injection point so CI can cover that branch without standing up slow authoritative DNS.

## Validation

- `cargo test -p codex-network-proxy host_resolves_to_non_public_ip -- --nocapture`
- `cargo test -p codex-network-proxy host_blocked_rejects_allowlisted_hostname_when_dns_lookup_fails -- --nocapture`
- `cargo test -p codex-network-proxy`
- `just fmt`
- `just fix -p codex-network-proxy`
- `git diff --check`

## Tickets

- BUGB 15982 - https://linear.app/openai/issue/BUGB-15982/codex-dns-timeout-fail-open-in-codex-network-proxy-bypasses
- Bugcrowd: https://tracker.bugcrowd.com/openai/submissions/b2bf131d-db04-478f-85aa-cdd17ca8f604
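The pattern described above, sketched as an added example that is not the project's code: a precheck that takes its resolver as a parameter, so a test can force the timeout, error, private and public outcomes without real DNS. The names `precheck`, `LookupError` and `Decision` are hypothetical, the sketch is synchronous and std-only (the PR refers to `lookup_host`), and treating an empty answer as a failure is an assumption.

```rust
use std::net::{IpAddr, Ipv4Addr};

// Hypothetical types for this sketch; not taken from codex-network-proxy.
#[derive(Debug)]
pub enum LookupError { Timeout, Failed }

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, BlockNonPublic, BlockLookupFailed }

fn non_public_v4(v4: Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_private() || v4.is_link_local()
        || v4.is_unspecified() || v4.is_broadcast()
}

fn is_non_public(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => non_public_v4(v4),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            // ::ffff:a.b.c.d is judged by its embedded IPv4 address.
            Some(v4) => non_public_v4(v4),
            None => {
                let s0 = v6.segments()[0];
                v6.is_loopback() || v6.is_unspecified()
                    || (s0 & 0xfe00) == 0xfc00 // unique local, fc00::/7
                    || (s0 & 0xffc0) == 0xfe80 // link-local, fe80::/10
            }
        },
    }
}

// The resolver is injected; production would pass the real lookup here.
pub fn precheck<F>(host: &str, lookup: F) -> Decision
where
    F: FnOnce(&str) -> Result<Vec<IpAddr>, LookupError>,
{
    match lookup(host) {
        // Fail closed: a timeout or error is no evidence the host is public.
        Err(_) => Decision::BlockLookupFailed,
        // Assumption of this sketch: an empty answer is also a failure.
        Ok(addrs) if addrs.is_empty() => Decision::BlockLookupFailed,
        // One non-public address among several is enough to block.
        Ok(addrs) if addrs.iter().any(|ip| is_non_public(*ip)) => Decision::BlockNonPublic,
        Ok(_) => Decision::Allow,
    }
}

fn main() {
    // Constructed input: a resolver stub that always times out.
    println!("{:?}", precheck("example.test", |_| Err(LookupError::Timeout)));
}
```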