codex - 💡(How to fix) Fix Security: init_firewall.sh does not re-resolve DNS, allowing DNS rebinding bypass


In codex-cli/scripts/init_firewall.sh, the firewall resolves allowed domains to IP addresses once at startup (lines 47-62) and stores them in an ipset:

for domain in "${ALLOWED_DOMAINS[@]}"; do
    ips=$(dig +short A "$domain")
    # ... adds IPs to ipset
done

This creates a DNS rebinding vulnerability:

  1. An attacker-controlled endpoint could return one IP during the initial resolution and a different IP afterward.
  2. The TTL of DNS responses is not checked. If a domain's DNS record changes, the firewall will continue allowing the old IP (which may no longer be the intended service) and block the new IP.
  3. The ipset is never refreshed, so any DNS changes are not reflected.


Impact

  • If a previously-resolved IP is reassigned to a malicious service, traffic to that IP would still be allowed through the firewall.
  • If api.openai.com changes its IP addresses, the firewall would block legitimate traffic to the new IPs.

Suggested fix

  1. Periodically re-resolve DNS and update the ipset entries.
  2. Consider using dnsmasq or a similar DNS-aware firewall solution that can match on domain names rather than resolved IPs.
  3. Add TTL-aware DNS resolution that refreshes entries before they expire.

Environment

  • File: codex-cli/scripts/init_firewall.sh, lines 47-62

extent analysis

TL;DR

Periodically re-resolve DNS and update the ipset entries to mitigate the DNS rebinding vulnerability.

Guidance

  • To address the DNS rebinding vulnerability, consider implementing a periodic refresh of the DNS resolutions for the allowed domains, ensuring the ipset remains up-to-date with the latest IP addresses.
  • Review the suggested fix of using dnsmasq or a similar DNS-aware firewall solution that can match on domain names rather than resolved IPs, as this could provide a more robust long-term solution.
  • When updating the script, pay attention to handling TTLs of DNS responses to ensure that the firewall refreshes entries before they expire, preventing the use of outdated IP addresses.
  • Evaluate the feasibility of integrating TTL-aware DNS resolution into the existing script or as part of migrating to a DNS-aware firewall solution.

Example

# Example of periodic refresh using cron job
# Add to crontab to run every hour
0 * * * * /path/to/codex-cli/scripts/refresh_firewall.sh

Note: The refresh_firewall.sh script would contain the logic to re-resolve DNS for allowed domains and update the ipset.
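One way to implement items 1 and 3 of the suggested fix, and the body of the cron-driven refresh_firewall.sh sketched in the Example, as an added example that is not code from the codex-cli project: it re-resolves each allowed domain with dig, keeps the shortest TTL, and replaces the ipset contents by swapping a freshly filled scratch set under the live one instead of flushing it in place. The live set name "allowed-domains" and the scratch set name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from codex-cli/scripts/init_firewall.sh. Assumes a
# live hash:ip set named "allowed-domains" (an assumed name) already created
# by the firewall script, and dig/ipset on PATH when run for real; the
# parse/build helpers below run offline on constructed dig output.
set -euo pipefail

IPSET_NAME="${IPSET_NAME:-allowed-domains}"

# Read `dig +noall +answer A <domain>` lines (name ttl IN A addr) on stdin
# and print "<ttl> <ip>" for A records only; CNAME lines are skipped.
parse_a_records() {
  awk '$3 == "IN" && $4 == "A" { print $2, $5 }'
}

# From "<ttl> <ip>" lines, print the smallest TTL; fall back to 60 s when
# nothing resolved so a transient DNS failure does not stall the refresh.
min_ttl() {
  awk 'BEGIN { m = -1 } NF { if (m < 0 || $1 < m) m = $1 }
       END { print (m < 0 ? 60 : m) }'
}

# Emit an `ipset restore` batch that fills a scratch set and swaps it under
# the live set in one step, so there is no window with an empty allowlist
# (flush-then-add would briefly block all traffic). Input: "<ttl> <ip>" lines.
build_ipset_batch() {
  local tmp="${IPSET_NAME}-tmp"
  echo "create $tmp hash:ip"
  echo "flush $tmp"
  awk -v s="$tmp" 'NF { print "add", s, $2 }'
  echo "swap $tmp $IPSET_NAME"
  echo "destroy $tmp"
}

# One refresh pass over the given domains; prints the minimum TTL seen.
# Usable as the body of the cron-driven refresh_firewall.sh above.
refresh_once() {
  local answers
  answers=$(for d in "$@"; do dig +noall +answer A "$d" || true; done | parse_a_records)
  # Keep the current set rather than swapping in an empty one if DNS failed.
  if [ -z "$answers" ]; then echo 60; return; fi
  printf '%s\n' "$answers" | build_ipset_batch | ipset -exist restore
  printf '%s\n' "$answers" | min_ttl
}

# TTL-aware loop: re-resolve and swap before the shortest record expires.
refresh_loop() {
  while :; do sleep "$(refresh_once "$@")"; done
}
```

The swap requires the scratch and live sets to share the same type and family, which is why the batch creates the scratch set as hash:ip to match the live set assumed here.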

Notes

The provided suggestions aim to address the immediate vulnerability but may require further refinement based on the specific environment and requirements of the codex-cli application.

Recommendation

Apply workaround: Periodically re-resolve DNS and update the ipset entries. This approach directly addresses the identified vulnerability by ensuring the firewall rules are updated to reflect changes in DNS records, thereby mitigating the risk of DNS rebinding attacks.
