mirror of
https://github.com/openai/codex.git
synced 2026-05-03 04:42:20 +03:00
aabe0f259c
Today, there is a single capability SID that allows the sandbox to write to * workspace (cwd) * tmp directories if enabled * additional writable roots This change splits those up, so that each workspace has its own capability SID, while tmp and additional roots, which are installation-wide, are still governed by the "generic" capability SID This isolates workspaces from each other in terms of sandbox write access. Also allows us to protect <cwd>/.codex when codex runs in a specific <cwd>
29 lines
749 B
Rust
29 lines
749 B
Rust
use std::path::Path;
|
|
use std::path::PathBuf;
|
|
|
|
pub fn canonicalize_path(path: &Path) -> PathBuf {
|
|
dunce::canonicalize(path).unwrap_or_else(|_| path.to_path_buf())
|
|
}
|
|
|
|
pub fn canonical_path_key(path: &Path) -> String {
|
|
canonicalize_path(path)
|
|
.to_string_lossy()
|
|
.replace('\\', "/")
|
|
.to_ascii_lowercase()
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::canonical_path_key;
|
|
use pretty_assertions::assert_eq;
|
|
use std::path::Path;
|
|
|
|
#[test]
|
|
fn canonical_path_key_normalizes_case_and_separators() {
|
|
let windows_style = Path::new(r"C:\Users\Dev\Repo");
|
|
let slash_style = Path::new("c:/users/dev/repo");
|
|
|
|
assert_eq!(canonical_path_key(windows_style), canonical_path_key(slash_style));
|
|
}
|
|
}
|