update sandbox and approvals for review #5945
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| sub_agent_config.sandbox_policy = SandboxPolicy::ReadOnly; | ||
| sub_agent_config.approval_policy = AskForApproval::Never; |
There was a problem hiding this comment.
Setting the review delegate’s config to AskForApproval::Never removes all approval prompts for shell/apply_patch/tool executions. The delegate still has access to the regular shell tool (we only disable StreamableShell), and even under a read‑only sandbox it can read the entire filesystem. Before this change, the user’s existing policy (default OnRequest) caused ShellRuntime::wants_initial_approval and the orchestrator to route every shell/run approval through Session::request_command_approval, so the user had to consent before any command ran. After this change the reviewer can invoke exec_command/shell calls without any user approval and can exfiltrate sensitive data in its review output. That’s a security regression.
Useful? React with 👍 / 👎.
External (non-OpenAI) Pull Request Requirements
Before opening this Pull Request, please read the dedicated "Contributing" markdown file or your PR may be closed:
https://github.com/openai/codex/blob/main/docs/contributing.md
If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.