Chris Bookholt 27f22b54ae [codex] Reject unlowered PowerShell AST regions (#24092)
## Why

On Windows, Codex uses a PowerShell safe-command classifier to decide
whether a command is read-only enough to run without additional
approval. The classifier lowers `EndBlock.Statements` into argv-like
command words and checks those words against a safelist.

PowerShell can execute code stored elsewhere in the AST. Parameter
defaults, named blocks, `using` preambles, and top-level `trap` handlers
are not represented in the lowered statement list. Ignoring those
regions can make a side-effecting script look like a read-only command.

## What

Fail closed whenever a PowerShell script contains executable AST content
that the current lowering does not represent.

## How

- Return `unsupported` for parameter, dynamic-parameter, begin, process,
and clean blocks.
- Return `unsupported` for `using module` and `using assembly`
preambles.
- Return `unsupported` for non-empty `EndBlock.Traps` collections.
- Preserve compatibility with Windows PowerShell 5.1 by looking up
`CleanBlock` dynamically.
- Treat `unsupported` as a failure to prove that the command is safe,
routing it through the normal approval path.
- Add parser-level and end-to-end regressions for parameter blocks,
named blocks, using statements, and trap handlers.

This does not make these PowerShell forms invalid or prevent them from
running. It prevents automatic safe-command approval when the classifier
cannot account for all executable behavior.

## Testing

- `just test -p codex-shell-command`
- Windows CI exercises the parser and end-to-end safe-command
regressions against a real PowerShell installation.

---------

Co-authored-by: viyatb-oai <viyatb@openai.com>
27f22b54ae · 2026-06-23 03:09:20 +00:00
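The fail-closed rule the commit describes can be reproduced against the real PowerShell parser. The following is an added example, not code from the codex repository: `Test-UnloweredAstRegions` is a hypothetical function that returns `unsupported` when any executable AST region outside `EndBlock.Statements` is present (param/dynamicparam blocks, begin/process/clean blocks, `using module`/`using assembly`, top-level traps) and `lowerable` otherwise. The safelist check that would follow on the lowered command words is not part of this example. The sample scripts are constructed for the demonstration; the parser only builds an AST, so nothing in them runs.

```powershell
# Added example, not the codex project's own code. Mirrors the "How" list in the
# commit message: anything executable that the statement lowering would not see
# makes the classifier give up ('unsupported') instead of guessing.
function Test-UnloweredAstRegions {
    param([Parameter(Mandatory)][string]$Script)

    $tokens = $null
    $errors = $null
    # ParseInput builds the AST only; no code in $Script is executed here.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref]$tokens, [ref]$errors)

    # A script that does not parse cannot be proven read-only. Note that an
    # unresolvable `using module`/`using assembly` already surfaces as a parse
    # error, so it fails closed on this path too.
    if ($errors.Count -gt 0) { return 'unsupported' }

    # param(...) defaults and dynamicparam {} bodies run code before the end block.
    if ($ast.ParamBlock -or $ast.DynamicParamBlock) { return 'unsupported' }

    # begin/process blocks are executable but are not in EndBlock.Statements.
    if ($ast.BeginBlock -or $ast.ProcessBlock) { return 'unsupported' }

    # CleanBlock exists only on PowerShell 7.3+; look it up dynamically so the
    # check also runs on Windows PowerShell 5.1 without a property-not-found error.
    $cleanProp = $ast.PSObject.Properties['CleanBlock']
    if ($cleanProp -and $cleanProp.Value) { return 'unsupported' }

    # `using module` and `using assembly` load code; `using namespace` only
    # shortens type names, so it is left alone.
    foreach ($u in $ast.UsingStatements) {
        if ($u.UsingStatementKind.ToString() -in @('Module', 'Assembly')) {
            return 'unsupported'
        }
    }

    # A top-level trap handler is executable content kept in EndBlock.Traps,
    # not in EndBlock.Statements, so the lowering never sees it.
    if ($ast.EndBlock -and $ast.EndBlock.Traps.Count -gt 0) { return 'unsupported' }

    return 'lowerable'
}

# Constructed samples (not from the commit). Each side-effecting variant hides
# its write outside the end block's statement list.
$samples = [ordered]@{
    'plain read-only' = "Get-ChildItem -Path . | Select-Object Name"
    'param default'   = "param(`$p = (Remove-Item -Path 'C:\tmp\x'))`nGet-Date"
    'begin block'     = "begin { Set-Content -Path 'C:\tmp\x' -Value 1 }`nend { Get-Date }"
    'using module'    = "using module Foo`nGet-Date"
    'using namespace' = "using namespace System.IO`nGet-Date"
    'trap handler'    = "trap { Remove-Item -Path 'C:\tmp\x' }`nGet-Date"
}

foreach ($name in $samples.Keys) {
    '{0,-16} {1}' -f $name, (Test-UnloweredAstRegions -Script $samples[$name])
}
```

Only the first and the `using namespace` samples come back `lowerable`; every other sample is rejected before any command word is examined. Run it with `pwsh` or `powershell.exe`; the `CleanBlock` lookup is the only part that differs between 5.1 and 7.x, and it degrades to a no-op on 5.1 rather than throwing.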