fix(network-proxy): block CONNECT tunnels to non-443 ports

This commit is contained in:
viyatb-oai
2026-03-03 15:15:49 -08:00
parent 6bee02a346
commit 3e4d071987
5 changed files with 84 additions and 6 deletions


@@ -1,6 +1,7 @@
use crate::network_policy::NetworkDecisionSource;
use crate::network_policy::NetworkPolicyDecision;
use crate::network_policy::NetworkProtocol;
use crate::reasons::REASON_CONNECT_PORT_NOT_ALLOWED;
use crate::reasons::REASON_DENIED;
use crate::reasons::REASON_METHOD_NOT_ALLOWED;
use crate::reasons::REASON_MITM_REQUIRED;
@@ -49,6 +50,7 @@ pub fn json_response<T: Serialize>(value: &T) -> Response {
pub fn blocked_header_value(reason: &str) -> &'static str {
match reason {
REASON_CONNECT_PORT_NOT_ALLOWED => "blocked-by-connect-port-policy",
REASON_NOT_ALLOWED | REASON_NOT_ALLOWED_LOCAL => "blocked-by-allowlist",
REASON_DENIED => "blocked-by-denylist",
REASON_METHOD_NOT_ALLOWED => "blocked-by-method-policy",
@@ -59,6 +61,9 @@ pub fn blocked_header_value(reason: &str) -> &'static str {
pub fn blocked_message(reason: &str) -> &'static str {
match reason {
REASON_CONNECT_PORT_NOT_ALLOWED => {
"Codex blocked this request: CONNECT is only allowed to HTTPS port 443."
}
REASON_NOT_ALLOWED => {
"Codex blocked this request: domain not in allowlist (this is not a denylist block)."
}