fix: unsafe auto-approval of git commands #10258
Merged
+468
−13
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Diagnosis: Although the bug report specifically mentioned worktrees, this problm isn't worktree-specific. `git branch -d/-D/--delete` isn’t treated as dangerous, and git branch is currently treated as “safe,” so it won’t prompt under on-request. In a worktree, that’s extra risky because branch deletion writes to the common gitdir outside the workdir. * Classify git branch -d/-D/--delete as dangerous to force approval under on-request. * Restrict git branch “safe” classification to read-only forms (e.g., --show-current, --list). * Add focused safety tests for branch deletion and read-only branch queries. This addresses #10160
joshka-oai
reviewed
Jan 30, 2026
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f881a4c3c0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
joshka-oai
approved these changes
Jan 30, 2026
Collaborator
joshka-oai
left a comment
joshka-oai
left a comment
There was a problem hiding this comment.
General approval with the approach.
I think simplifying this code with nom / winow might be worth considering (but I'd add significant characterization tests before we do that on this code to prevent regression)
Comment on lines
+68
to
+69
| let mut skip_next = false; | ||
| for (idx, arg) in command.iter().enumerate().skip(1) { |
Collaborator
There was a problem hiding this comment.
(not blocking) observation.
I wonder if it's worth refactoring this code using nom / winow instead of this sort of fragile parsing logic that's difficult to understand and easy to hide bugs in? Given a good enough set of tests I expect codex might do the refactor pretty well.
| } | ||
|
|
||
| #[cfg(test)] | ||
| mod tests { |
Collaborator
There was a problem hiding this comment.
A way to make these tests more succinct would be to use parameterized tests with rstest. Not a blocker though, but useful as a way to have a large amount of tested surface on this (generated obv.)
viyatb-oai
changed the title
pakrym-oai
added a commit
that referenced
this pull request
Feb 4, 2026
- Added `codex app <path>` on macOS to launch Codex Desktop from the CLI, with automatic DMG download if it is missing. (#10418) - Added personal skill loading from `~/.agents/skills` (with `~/.codex/skills` compatibility), plus app-server APIs/events to list and download public remote skills. (#10437, #10448) - `/plan` now accepts inline prompt arguments and pasted images, and slash-command editing/highlighting in the TUI is more polished. (#10269) - Shell-related tools can now run in parallel, improving multi-command execution throughput. (#10505) - Shell executions now receive `CODEX_THREAD_ID`, so scripts and skills can detect the active thread/session. (#10096) - Added vendored Bubblewrap + FFI wiring in the Linux sandbox as groundwork for upcoming runtime integration. (#10413) ## Bug Fixes - Hardened Git command safety so destructive or write-capable invocations no longer bypass approval checks. (#10258) - Improved resume/thread browsing reliability by correctly showing saved thread names and fixing thread listing behavior. (#10340, #10383) - Fixed first-run trust-mode handling so sandbox mode is reported consistently, and made `$PWD/.agents` read-only like `$PWD/.codex`. (#10415, #10524) - Fixed `codex exec` hanging after interrupt in websocket/streaming flows; interrupted turns now shut down cleanly. (#10519) - Fixed review-mode approval event wiring so `requestApproval` IDs align with the corresponding command execution items. (#10416) - Improved 401 error diagnostics by including server message/body details plus `cf-ray` and `requestId`. (#10508) ## Documentation - Expanded TUI chat composer docs to cover slash-command arguments and attachment handling in plan/review flows. (#10269) - Refreshed issue templates and labeler prompts to better separate CLI/app bug reporting and feature requests. (#10411, #10453, #10548, #10552) ## Chores - Completed migration off the deprecated `mcp-types` crate to `rmcp`-based protocol types/adapters, then removed the legacy crate. (#10356, #10349, #10357) - Updated the `bytes` dependency for a security advisory and cleaned up resolved advisory configuration. (#10525) ## Changelog Full Changelog: rust-v0.94.0...rust-v0.95.0 - #10340 Session picker shows thread_name if set @pap-openai - #10381 chore: collab experimental @jif-oai - #10231 feat: experimental flags @jif-oai - #10382 nit: shell snapshot retention to 3 days @jif-oai - #10383 fix: thread listing @jif-oai - #10386 fix: Rfc3339 casting @jif-oai - #10356 feat: add MCP protocol types and rmcp adapters @bolinfest - #10269 Nicer highlighting of slash commands, /plan accepts prompt args and pasted images @charley-oai - #10274 Add credits tooltip @pakrym-oai - #10394 chore: ignore synthetic messages @jif-oai - #10398 feat: drop sqlx logging @jif-oai - #10281 Select experimental features with space @pakrym-oai - #10402 feat: add `--experimental` to `generate-ts` @jif-oai - #10258 fix: unsafe auto-approval of git commands @viyatb-oai - #10411 Updated labeler workflow prompt to include "app" label @etraut-openai - #10399 emit a separate metric when the user cancels UAT during elevated setup @iceweasel-oai - #10377 chore(tui) /personalities tip @dylan-hurd-oai - #10252 [feat] persist thread_dynamic_tools in db @celia-oai - #10437 feat: Read personal skills from .agents/skills @gverma-openai - #10145 make codex better at git @pash-openai - #10418 Add `codex app` macOS launcher @aibrahim-oai - #10447 Fix plan implementation prompt reappearing after /agent thread switch @charley-oai - #10064 TUI: Render request_user_input results in history and simplify interrupt handling @charley-oai - #10349 feat: replace custom mcp-types crate with equivalents from rmcp @bolinfest - #10415 Fixed sandbox mode inconsistency if untrusted is selected @etraut-openai - #10452 Hide short worked-for label in final separator @aibrahim-oai - #10357 chore: remove deprecated mcp-types crate @bolinfest - #10454 app tool tip @aibrahim-oai - #10455 chore: add phase to message responseitem @sayan-oai - #10414 Require models refresh on cli version mismatch @aibrahim-oai - #10271 [Codex][CLI] Gate image inputs by model modalities @ccy-oai - #10374 Trim compaction input @pakrym-oai - #10453 Updated bug and feature templates @etraut-openai - #10465 Restore status after preamble @pakrym-oai - #10406 fix: clarify deprecation message for features.web_search @sayan-oai - #10474 Ignore remote_compact_trims_function_call_history_to_fit_context_window on windows @pakrym-oai - #10413 feat(linux-sandbox): vendor bubblewrap and wire it with FFI @viyatb-oai - #10142 feat(secrets): add codex-secrets crate @viyatb-oai - #10157 chore: nuke chat/completions API @jif-oai - #10498 feat: drop wire_api from clients @jif-oai - #10501 feat: clean codex-api part 1 @jif-oai - #10508 Add more detail to 401 error @gt-oai - #10521 Avoid redundant transactional check before inserting dynamic tools @jif-oai - #10525 chore: update bytes crate in response to security advisory @bolinfest - #10408 fix WebSearchAction type clash between v1 and v2 @sayan-oai - #10404 Cleanup collaboration mode variants @charley-oai - #10505 Enable parallel shell tools @jif-oai - #10532 feat: `find_thread_path_by_id_str_in_subdir` from DB @jif-oai - #10524 fix: make $PWD/.agents read-only like $PWD/.codex @bolinfest - #10096 Inject CODEX_THREAD_ID into the terminal environment @maxj-oai - #10536 Revert "Load untrusted rules" @viyatb-oai - #10412 fix(app-server): fix TS annotations for optional fields on requests @owenlin0 - #10416 fix(app-server): fix approval events in review mode @owenlin0 - #10545 Improve Default mode prompt (less confusion with Plan mode) @charley-oai - #10289 [apps] Gateway MCP should be blocking. @mzeng-openai - #10189 implement per-workspace capability SIDs for workspace specific ACLs @iceweasel-oai - #10548 Updated bug templates and added a new one for app @etraut-openai - #10531 [codex] Default values from requirements if unset @gt-oai - #10552 Fixed icon for CLI bug template @etraut-openai - #10039 chore(arg0): advisory-lock janitor for codex tmp paths @viyatb-oai - #10448 feat: add APIs to list and download public remote skills @xl-openai - #10519 Handle exec shutdown on Interrupt (fixes immortal `codex exec` with websockets) @rasmusrygaard - #10556 Feat: add upgrade to app server modelList @shijie-oai - #10461 feat(tui): pace catch-up stream chunking with hysteresis @joshka-oai - #10367 chore: add `codex debug app-server` tooling @celia-oai
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #10160 and some more.
Description
Hardens Git command safety to prevent approval bypasses for destructive or write-capable invocations (branch delete, risky push forms, output/config-override flags), so these commands no longer auto-run as “safe.”
git branch -dvariants (especially in worktrees / with global options like -C / -c)git show|diff|log --output... style file-write flags--force*,--delete,+refspec,:refspec)d/D)will fast follow with a common git policy to bring windows to parity.