Restrict wildcard allowlist matching to anonymous callers#617

Merged
winhowes merged 4 commits into main from codex/fix-wildcard-allowlist-bypass-issue
Apr 13, 2026

@winhowes
Owner

Motivation

  • The allowlist lookup previously applied the wildcard (*) entry as a global fallback after checking caller-specific rules, which allowed identified callers to match permissive wildcard rules and bypass per-caller restrictions.

Description

  • Limit wildcard evaluation in `findConstraint` so wildcard rules are only considered when the request is anonymous (i.e., `callerID == "*"` or `callerID == ""`).
  • Preserve existing capability expansion behavior by still expanding capabilities for the wildcard when it is permitted to apply.
  • Update existing tests in `app/allowlist_test.go` to reflect the intended semantics and add an assertion to prevent wildcard fallback for identified callers.
  • The change is intentionally minimal and keeps the overall lookup logic and APIs unchanged except for the wildcard condition.

Testing

  • Ran `go test ./app -run 'TestFindConstraint(Wildcard|ExpandsCallerAndWildcardCapabilities|ExpandsCapabilitiesOnLookup)$' -count=1` and it passed.
  • Ran `go test ./app -run 'TestAllowlist|TestConstraintFailureReasonHeader' -count=1` and it passed.
  • Ran the full suite `go test ./app`, which still fails in this environment due to a pre-existing unrelated test failure `TestIntegrationPluginTransport` (base transport mutated), so the failure is not caused by these changes.

Codex Task
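
The lookup semantics described in this PR, as an added example that is not the project's code: a simplified Go model of the wildcard lookup before and after the change. The types, the two lookup function names and the sample allowlist are hypothetical, and capability expansion is omitted.

```go
package main

import "fmt"

// Hypothetical, simplified model of the lookup; not the project's types.
type Constraint struct{ Methods []string }

// Allowlist maps caller ID -> request path -> constraint; "*" is the wildcard entry.
type Allowlist map[string]map[string]Constraint

// sampleAllowlist is constructed data: "billing" is meant to reach only
// /v1/invoices, while the wildcard entry is more permissive.
func sampleAllowlist() Allowlist {
	return Allowlist{
		"billing": {"/v1/invoices": {Methods: []string{"GET"}}},
		"*":       {"/v1/items": {Methods: []string{"GET", "POST"}}},
	}
}

// lookupWithFallback models the old behaviour: the wildcard entry is a
// global fallback after the caller-specific rules.
func lookupWithFallback(al Allowlist, callerID, path string) (Constraint, bool) {
	if c, ok := al[callerID][path]; ok {
		return c, true
	}
	c, ok := al["*"][path]
	return c, ok
}

// lookupAnonymousOnly models the new behaviour: the wildcard entry applies
// only when callerID is "*" or "".
func lookupAnonymousOnly(al Allowlist, callerID, path string) (Constraint, bool) {
	if callerID == "*" || callerID == "" {
		c, ok := al["*"][path]
		return c, ok
	}
	c, ok := al[callerID][path] // identified caller: own rules only
	return c, ok
}

func main() {
	al := sampleAllowlist()
	for _, id := range []string{"billing", "", "*"} {
		_, before := lookupWithFallback(al, id, "/v1/items")
		_, after := lookupAnonymousOnly(al, id, "/v1/items")
		fmt.Printf("caller=%q /v1/items: fallback=%v anonymous-only=%v\n", id, before, after)
	}
}
```

In this model an identified caller with no rules of its own is also denied, since the wildcard entry no longer applies to it.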

@winhowes
Owner Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Bravo.


@winhowes merged commit 5f20ad2 into main on Apr 13, 2026
2 of 3 checks passed