Skip to content

fix: sanitize provider imports from URLs#1418

Open
superman2003 wants to merge 1 commit into
BigPizzaV3:mainfrom
superman2003:codex/fix-provider-import-safety
Open

fix: sanitize provider imports from URLs#1418
superman2003 wants to merge 1 commit into
BigPizzaV3:mainfrom
superman2003:codex/fix-provider-import-safety

Conversation

@superman2003

Copy link
Copy Markdown

Summary

  • ignore untrusted configContents and authContents embedded in provider deep links
  • rebuild relay config and auth files only from the visible structured provider fields
  • strip file payloads from pending imports and explain the behavior in the confirmation dialog

Test plan

  • cargo fmt --all -- --check
  • cargo test -p codex-plus-core provider_import::tests -- --test-threads=1 (5 passed)
  • cargo check -p codex-plus-core -j 1

Environment note

npm run check could not run because this checkout has no node_modules and tsc is not installed locally.

Treat deep-link file payloads as untrusted and rebuild managed relay files from the visible structured fields.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant