Skip to content

fix: harden arg0 helper PATH handling #8766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bolinfest merged 12 commits into from
Jan 9, 2026
Merged

fix: harden arg0 helper PATH handling #8766

bolinfest merged 12 commits into from
Jan 9, 2026
+31 −1

Conversation

@viyatb-oai
Copy link
Contributor

@viyatb-oai viyatb-oai commented Jan 5, 2026
edited
Loading

Motivation

  • Avoid placing PATH entries under the system temp directory by creating the helper directory under CODEX_HOME instead of std::env::temp_dir().
  • Fail fast on unsafe configuration by rejecting CODEX_HOME values that live under the system temp root to prevent writable PATH entries.

Testing

  • Ran just fmt, which completed with a non-blocking imports_granularity warning.
  • Ran just fix -p codex-arg0 (Clippy fixes) which completed successfully.
  • Ran cargo test -p codex-arg0 and the test run completed successfully.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 5, 2026
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@viyatb-oai viyatb-oai changed the title Append arg0 helper PATH entry and harden helper directory under CODEX_HOME Harden arg0 helper PATH handling Jan 5, 2026
@viyatb-oai viyatb-oai changed the title Harden arg0 helper PATH handling fix: harden arg0 helper PATH handling Jan 5, 2026
@viyatb-oai
Copy link
Contributor Author

viyatb-oai commented Jan 5, 2026

I have read the CLA Document and I hereby sign the CLA

github-actions bot added a commit that referenced this pull request Jan 5, 2026
@github-actions
@viyatb-oai has signed the CLA in #8766
9aaf976
@viyatb-oai viyatb-oai marked this pull request as ready for review January 6, 2026 00:04
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Jan 6, 2026
View reviewed changes
Copy link
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 062b2cdc8b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@bolinfest
Copy link
Collaborator

bolinfest commented Jan 6, 2026

It looks like command_execution_notifications_include_process_id failed on both Linux builds.

bolinfest
bolinfest reviewed Jan 6, 2026
View reviewed changes
bolinfest
bolinfest reviewed Jan 6, 2026
View reviewed changes
bolinfest
bolinfest reviewed Jan 9, 2026
View reviewed changes
@bolinfest bolinfest merged commit bc28466 into main Jan 9, 2026
37 of 38 checks passed
@bolinfest bolinfest deleted the codex/fix-sandbox-bypass-vulnerability-in-codex branch January 9, 2026 20:35
@github-actions github-actions bot locked and limited conversation to collaborators Jan 9, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@bolinfest bolinfest bolinfest approved these changes

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@viyatb-oai @bolinfest