Skip to content

[network-proxy] Cover DNS timeout blocking#21105

Merged
evawong-oai merged 1 commit intomainfrom
codex/bugb15982-dns-timeout-test
May 5, 2026
Merged

[network-proxy] Cover DNS timeout blocking#21105
evawong-oai merged 1 commit intomainfrom
codex/bugb15982-dns-timeout-test

Conversation

@evawong-oai
Copy link
Copy Markdown
Contributor

@evawong-oai evawong-oai commented May 4, 2026

Summary

  • Add a testable DNS lookup helper for the local or private host precheck while preserving production lookup_host behavior.
  • Add deterministic coverage for DNS timeout, lookup error, private resolution, and public resolution decisions.
  • Keep BUGB 15982 guarded without relying on ambient DNS timing or resolver behavior.

Why

BUGB 15982 was fixed by failing closed on DNS lookup errors and timeouts. The existing regression covered lookup failure through real DNS, but did not deterministically exercise the timeout branch. This PR adds a small injection point so CI can cover that branch without standing up slow authoritative DNS.

Validation

  • cargo test -p codex-network-proxy host_resolves_to_non_public_ip -- --nocapture
  • cargo test -p codex-network-proxy host_blocked_rejects_allowlisted_hostname_when_dns_lookup_fails -- --nocapture
  • cargo test -p codex-network-proxy
  • just fmt
  • just fix -p codex-network-proxy
  • git diff --check

Tickets

@evawong-oai evawong-oai marked this pull request as ready for review May 4, 2026 23:40
@evawong-oai evawong-oai requested a review from viyatb-oai May 4, 2026 23:42
viyatb-oai
viyatb-oai requested changes May 5, 2026
View reviewed changes
Comment thread codex-rs/network-proxy/src/runtime.rs Outdated
}

async fn host_resolves_to_non_public_ip(host: &str, port: u16) -> bool {
host_resolves_to_non_public_ip_with_lookup(
Copy link
Copy Markdown
Collaborator

@viyatb-oai viyatb-oai May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you make this into one function? this could be inlined instead of a function for a single function

Copy link
Copy Markdown
Contributor Author

@evawong-oai evawong-oai May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. I collapsed this into one function and kept the production lookup at the call site.

@evawong-oai evawong-oai force-pushed the codex/bugb15982-dns-timeout-test branch from 09aa423 to 378dc03 Compare May 5, 2026 01:22
@evawong-oai evawong-oai merged commit d857839 into main May 5, 2026
26 of 27 checks passed
@evawong-oai evawong-oai deleted the codex/bugb15982-dns-timeout-test branch May 5, 2026 02:03
@github-actions github-actions Bot locked and limited conversation to collaborators May 5, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@viyatb-oai viyatb-oai viyatb-oai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@evawong-oai @viyatb-oai