Normalize PowerShell execpolicy prefixes on Windows

2026-04-27 01:41:01 +03:00 · 2026-03-22 21:53:08 -07:00
2 changed files with 60 additions and 0 deletions
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -33,9 +33,11 @@ use tracing::instrument;
 use crate::bash::parse_shell_lc_plain_commands;
 use crate::bash::parse_shell_lc_single_command_prefix;
 use crate::config::Config;
+use crate::powershell::extract_powershell_command;
 use crate::sandboxing::SandboxPermissions;
 use crate::tools::sandboxing::ExecApprovalRequirement;
 use codex_utils_absolute_path::AbsolutePathBuf;
+use shlex::split as shlex_split;
 use shlex::try_join as shlex_try_join;

 const PROMPT_CONFLICT_REASON: &str =
@@ -631,9 +633,28 @@ fn commands_for_exec_policy(command: &[String]) -> (Vec<Vec<String>>, bool) {
        return (vec![single_command], true);
    }

+    if let Some(single_command) = parse_powershell_single_command_prefix(command) {
+        return (vec![single_command], false);
+    }
+
    (vec![command.to_vec()], false)
 }

+fn parse_powershell_single_command_prefix(command: &[String]) -> Option<Vec<String>> {
+    let (_, script) = extract_powershell_command(command)?;
+    let trimmed = script.trim();
+    if trimmed.is_empty() {
+        return None;
+    }
+
+    if trimmed.contains(['\n', '\r', ';', '|', '&', '<', '>', '(', ')', '{', '}', '`']) {
+        return None;
+    }
+
+    let words = shlex_split(trimmed)?;
+    (!words.is_empty()).then_some(words)
+}
+
 /// Derive a proposed execpolicy amendment when a command requires user approval
 /// - If any execpolicy rule prompts, return None, because an amendment would not skip that policy requirement.
 /// - Otherwise return the first heuristics Prompt.
--- a/codex-rs/core/src/exec_policy_tests.rs
+++ b/codex-rs/core/src/exec_policy_tests.rs
@@ -1413,6 +1413,45 @@ async fn proposed_execpolicy_amendment_is_suppressed_when_policy_matches_allow()
    );
 }

+#[tokio::test]
+async fn powershell_wrapped_single_command_matches_inner_prefix_rule() {
+    let policy_src = r#"prefix_rule(pattern=["git", "add"], decision="allow")"#;
+    let mut parser = PolicyParser::new();
+    parser
+        .parse("test.rules", policy_src)
+        .expect("parse policy");
+    let policy = Arc::new(parser.build());
+    let command = vec_str(&[
+        "pwsh",
+        "-NoProfile",
+        "-Command",
+        "git add -A",
+    ]);
+
+    let manager = ExecPolicyManager::new(policy);
+    let requirement = manager
+        .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+            command: &command,
+            approval_policy: AskForApproval::OnRequest,
+            sandbox_policy: &SandboxPolicy::WorkspaceWrite {
+                network_access: false,
+                writable_roots: vec![],
+            },
+            file_system_sandbox_policy: &read_only_file_system_sandbox_policy(),
+            sandbox_permissions: SandboxPermissions::UseDefault,
+            prefix_rule: None,
+        })
+        .await;
+
+    assert_eq!(
+        requirement,
+        ExecApprovalRequirement::Skip {
+            bypass_sandbox: true,
+            proposed_execpolicy_amendment: None,
+        }
+    );
+}
+
 fn derive_requested_execpolicy_amendment_for_test(
    prefix_rule: Option<&Vec<String>>,
    matched_rules: &[RuleMatch],