fix(executor): stop forwarding downstream User-Agent on wrapped Codex image requests#4129
fix(executor): stop forwarding downstream User-Agent on wrapped Codex image requests#4129fengshao1227 wants to merge 1 commit into
Conversation
… image requests The wrapped image path (executeOpenAIImage / executeOpenAIImageStream) called applyCodexHeaders which forwards the downstream client's User-Agent to upstream chatgpt.com. Script UAs like "Python-urllib/3.9" trigger Cloudflare 1010 Access Denied on the /images/generations endpoint. Switch both call sites to applyCodexDirectImageHeaders, which already exists for the direct image path — it clones gin headers and strips User-Agent so the resolution falls through to the safe codexUserAgent default. Closes router-for-me#3980
|
This pull request targeted The base branch has been automatically changed to |
There was a problem hiding this comment.
Code Review
This pull request updates the OpenAI image execution flow to use applyCodexDirectImageHeaders instead of applyCodexHeaders and adds a test to verify that downstream User-Agent headers are not leaked upstream. The reviewer suggested checking the error returned by executor.Execute in the new test to avoid silent failures.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| _, _ = executor.Execute(ctx, newCodexOpenAIImageTestAuth(server.URL), cliproxyexecutor.Request{ | ||
| Model: "codex/dall-e-3", | ||
| Payload: []byte(`{"model":"codex/dall-e-3","prompt":"A cute otter","stream":false}`), | ||
| }, codexOpenAIImageTestOptions(codexImagesGenerationsPath, false)) |
There was a problem hiding this comment.
The test currently ignores the error returned by executor.Execute using _, _ =. It is highly recommended to check and assert that err is nil to ensure the execution succeeds and to prevent silent failures or confusing test failures if the setup or request preparation fails.
_, err := executor.Execute(ctx, newCodexOpenAIImageTestAuth(server.URL), cliproxyexecutor.Request{
Model: "codex/dall-e-3",
Payload: []byte(`{"model":"codex/dall-e-3","prompt":"A cute otter","stream":false}`),
}, codexOpenAIImageTestOptions(codexImagesGenerationsPath, false))
if err != nil {
t.Fatalf("Execute() error = %v", err)
}
Summary
executeOpenAIImage/executeOpenAIImageStream) forwarded the downstream client'sUser-Agentto upstreamchatgpt.com, triggering Cloudflare 1010 when the UA is a script default likePython-urllib/3.9applyCodexHeadersto the existingapplyCodexDirectImageHeaders, which strips downstream UA so resolution falls through to the safecodexUserAgentdefaultexecuteDirectOpenAIImage/executeDirectOpenAIImageStream) already usedapplyCodexDirectImageHeaders— this fix closes the gap for the wrapped pathRoot cause
applyCodexHeaderspasses downstream gin headers (includingUser-Agent) toensureHeaderWithConfigPrecedence. When noCodexHeaderDefaults.UserAgentconfig is set, the priority chain is: config (empty) → downstream UA → hardcodedcodexUserAgent. So"Python-urllib/3.9"wins over the safe default.The direct image path already had
applyCodexDirectImageHeaders(introduced specifically for this reason) which clones gin headers and callsginHeaders.Del("User-Agent")before passing them through — so the downstream UA never enters the priority chain andcodexUserAgentis used as fallback.Changes
codex_openai_images.go:115applyCodexHeaders→applyCodexDirectImageHeaders(non-streaming)codex_openai_images.go:211applyCodexHeaders→applyCodexDirectImageHeaders(streaming)codex_openai_images_test.goPython-urllib/3.9downstream UA verifies upstream receivescodexUserAgentTests
go test -run "OpenAIImage" ./internal/runtime/executor/— all 5 image tests passgo build -o test-output ./cmd/server— compiles cleanlyCloses #3980