From 0bd34c28c768fce784d0648fe45e651b9a9b37d4 Mon Sep 17 00:00:00 2001 From: evawong-oai Date: Thu, 26 Mar 2026 10:53:31 -0700 Subject: [PATCH] Add wildcard in the middle test coverage (#15813) ## Summary Add a focused codex network proxy unit test for the denylist pattern with wildcard in the middle `region*.some.malicious.tunnel.com`. This does not change how existing code works, just ensure that behavior stays the same and we got CI guards to guard existin behavior. ## Why The managed Codex denylist update relies on this mid label glob form, and the existing tests only covered exact hosts, `*.` subdomains, and `**.` apex plus subdomains. ## Validation `cargo test -p codex-network-proxy compile_globset_supports_mid_label_wildcards` `cargo test -p codex-network-proxy` `./tools/argument-comment-lint/run-prebuilt-linter.sh -p codex-network-proxy` --- codex-rs/network-proxy/src/policy.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/codex-rs/network-proxy/src/policy.rs b/codex-rs/network-proxy/src/policy.rs index c586ee9c1..40e71caf3 100644 --- a/codex-rs/network-proxy/src/policy.rs +++ b/codex-rs/network-proxy/src/policy.rs @@ -367,6 +367,16 @@ mod tests { assert_eq!(false, set.is_match("example.com")); } + #[test] + fn compile_globset_supports_mid_label_wildcards() { + let set = compile_denylist_globset(&["region*.v2.argotunnel.com".to_string()]).unwrap(); + + assert_eq!(true, set.is_match("region1.v2.argotunnel.com")); + assert_eq!(true, set.is_match("region.v2.argotunnel.com")); + assert_eq!(false, set.is_match("xregion1.v2.argotunnel.com")); + assert_eq!(false, set.is_match("foo.region1.v2.argotunnel.com")); + } + #[test] fn compile_globset_normalizes_apex_and_subdomains() { let set = compile_denylist_globset(&["**.Example.COM.".to_string()]).unwrap();