Security: block exec host overrides under auto target

2026-04-03 21:31:26 +00:00 · 2026-04-01 18:13:15 +09:00
parent 5874a387ae
commit dae6632da1
3 changed files with 23 additions and 14 deletions
--- a/docs/internal/codex/2026-03-29-exec-target-override-fix.md
+++ b/docs/internal/codex/2026-03-29-exec-target-override-fix.md
@@ -0,0 +1,19 @@
+---
+title: "Exec target override bypass fix"
+summary: "Hardened exec target resolution so auto defaults no longer allow model-requested host overrides."
+author: "Codex <codex@openai.com>"
+github_username: "codex"
+created: "2026-03-29"
+---
+
+Investigated a high-severity regression in exec target resolution.
+
+What changed:
+
+- Confirmed current behavior allowed `configuredTarget=auto` with `requestedTarget=gateway/node`, which selects host execution even when sandbox is available.
+- Restored fail-closed allowlist behavior by requiring requested target to exactly match configured target.
+- Updated the runtime unit test to verify host overrides are rejected when configured target is `auto`.
+
+Why:
+
+- `auto` should choose runtime host automatically, not grant untrusted host-selection overrides.
--- a/src/agents/bash-tools.exec-runtime.test.ts
+++ b/src/agents/bash-tools.exec-runtime.test.ts
@@ -47,19 +47,15 @@ describe("resolveExecTarget", () => {
    ({ resolveExecTarget } = await import("./bash-tools.exec-runtime.js"));
  });

-  it("treats auto as a default strategy rather than a host allowlist", () => {
-    expect(
+  it("rejects host overrides when configured host is auto", () => {
+    expect(() =>
      resolveExecTarget({
        configuredTarget: "auto",
        requestedTarget: "node",
        elevatedRequested: false,
        sandboxAvailable: false,
      }),
-    ).toMatchObject({
-      configuredTarget: "auto",
-      selectedTarget: "node",
-      effectiveHost: "node",
-    });
+    ).toThrow("exec host not allowed");
  });
 });

--- a/src/agents/bash-tools.exec-runtime.ts
+++ b/src/agents/bash-tools.exec-runtime.ts
@@ -221,13 +221,7 @@ export function isRequestedExecTargetAllowed(params: {
  configuredTarget: ExecTarget;
  requestedTarget: ExecTarget;
 }) {
-  if (params.requestedTarget === params.configuredTarget) {
-    return true;
-  }
-  if (params.configuredTarget === "auto") {
-    return true;
-  }
-  return false;
+  return params.requestedTarget === params.configuredTarget;
 }

 export function resolveExecTarget(params: {