diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index a6bfb3ff26..4c4a2f2316 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -28,7 +28,6 @@ This is a Codex-focused devcontainer setup adapted for this monorepo.
 - applies firewall rules through `init-firewall.sh`
 - enforces IPv6 default-deny so strict mode cannot be bypassed over IPv6
 - optionally adds GitHub CIDR ranges from `api.github.com/meta`
- - optionally adds Cloudflare IPv4 CIDR ranges for CDN-backed endpoints
 
 ## Firewall modes
 
@@ -38,7 +37,6 @@ This is a Codex-focused devcontainer setup adapted for this monorepo.
 Optional strict-mode enhancement:
 
 - `CODEX_INCLUDE_GITHUB_META_RANGES=1` (default) hydrates GitHub CIDRs into the allowlist.
-- `CODEX_INCLUDE_CLOUDFLARE_RANGES=1` (default) hydrates Cloudflare IPv4 CIDRs into the allowlist.
 
 To run in permissive mode during a session:
 
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index a3b9c2132d..a6e5bd2b41 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -33,7 +33,6 @@
     "CODEX_UNSAFE_ALLOW_NO_SANDBOX": "1",
     "CODEX_ENABLE_FIREWALL": "1",
     "CODEX_INCLUDE_GITHUB_META_RANGES": "1",
-    "CODEX_INCLUDE_CLOUDFLARE_RANGES": "1",
     "OPENAI_ALLOWED_DOMAINS": "api.openai.com auth.openai.com github.com api.github.com codeload.github.com raw.githubusercontent.com objects.githubusercontent.com crates.io index.crates.io static.crates.io static.rust-lang.org registry.npmjs.org",
     "CARGO_TARGET_DIR": "/workspace/codex-rs/target/devcontainer",
     "GIT_CONFIG_GLOBAL": "/home/vscode/.gitconfig.local",
diff --git a/.devcontainer/init-firewall.sh b/.devcontainer/init-firewall.sh
index e637e19a2e..9275724473 100644
--- a/.devcontainer/init-firewall.sh
+++ b/.devcontainer/init-firewall.sh
@@ -4,7 +4,6 @@ IFS=$'\n\t'
 
 allowed_domains_file="/etc/codex/allowed_domains.txt"
 include_github_meta_ranges="${CODEX_INCLUDE_GITHUB_META_RANGES:-1}"
-include_cloudflare_ranges="${CODEX_INCLUDE_CLOUDFLARE_RANGES:-1}"
 
 if [ -f "$allowed_domains_file" ]; then
   mapfile -t allowed_domains < <(sed '/^\s*#/d;/^\s*$/d' "$allowed_domains_file")
@@ -121,21 +120,6 @@ if [ "$include_github_meta_ranges" = "1" ]; then
   done < <(echo "$github_meta" | jq -r '((.web // []) + (.api // []) + (.git // []))[]' | sort -u)
 fi
 
-if [ "$include_cloudflare_ranges" = "1" ]; then
-  echo "Fetching Cloudflare IPv4 ranges"
-  cloudflare_ranges="$(curl -fsSL --connect-timeout 10 https://www.cloudflare.com/ips-v4)"
-
-  if [ -z "$(echo "$cloudflare_ranges" | sed '/^\s*#/d;/^\s*$/d')" ]; then
-    echo "ERROR: Cloudflare range response was empty"
-    exit 1
-  fi
-
-  while IFS= read -r cidr; do
-    [ -z "$cidr" ] && continue
-    add_ipv4_cidr_to_allowlist "Cloudflare" "$cidr"
-  done < <(echo "$cloudflare_ranges" | sed '/^\s*#/d;/^\s*$/d' | sort -u)
-fi
-
 host_ip="$(ip route | awk '/default/ {print $3; exit}')"
 if [ -z "$host_ip" ]; then
   echo "ERROR: Failed to detect host IP"
diff --git a/.devcontainer/post-start.sh b/.devcontainer/post-start.sh
index a86957a11c..fcc42ad145 100644
--- a/.devcontainer/post-start.sh
+++ b/.devcontainer/post-start.sh
@@ -33,4 +33,4 @@ sudo chmod 0444 /etc/codex/allowed_domains.txt
 rm -f "$tmp_file"
 
 echo "[devcontainer] Applying firewall policy for domains: ${domains[*]}"
-sudo --preserve-env=CODEX_INCLUDE_GITHUB_META_RANGES,CODEX_INCLUDE_CLOUDFLARE_RANGES /usr/local/bin/init-firewall.sh
+sudo --preserve-env=CODEX_INCLUDE_GITHUB_META_RANGES /usr/local/bin/init-firewall.sh
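Review bot: The new `--preserve-env` line in post-start.sh drops `CODEX_INCLUDE_CLOUDFLARE_RANGES`, but neither post-start.sh nor init-firewall.sh tells a user who still exports that variable (from an older devcontainer.json or a personal shell profile) that it is now ignored, so they may assume Cloudflare-fronted hosts are still allowlisted when the firewall no longer opens them. Because this firewall is the network boundary the strict mode relies on, a security-relevant knob turning into a silent no-op deserves a one-time notice before the sudo call, e.g. `if [ -n "${CODEX_INCLUDE_CLOUDFLARE_RANGES:-}" ]; then echo "[devcontainer] CODEX_INCLUDE_CLOUDFLARE_RANGES is no longer supported; Cloudflare ranges are not allowlisted" >&2; fi`. Presumably the OPENAI_ALLOWED_DOMAINS entries that the removed README bullet called CDN-backed are now reachable only through whatever addresses init-firewall.sh derives for each name at start time, so it is worth confirming that those endpoints still work in strict mode after this change. The hunk shows only the tail of post-start.sh; the rest of the script is outside this view.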