Skip to content

fix(executor): stop forwarding downstream User-Agent on wrapped Codex image requests#4129

Open
fengshao1227 wants to merge 1 commit into
router-for-me:devfrom
fengshao1227:fix/codex-image-ua-forwarding
Open

fix(executor): stop forwarding downstream User-Agent on wrapped Codex image requests#4129
fengshao1227 wants to merge 1 commit into
router-for-me:devfrom
fengshao1227:fix/codex-image-ua-forwarding

Conversation

@fengshao1227

Copy link
Copy Markdown

Summary

  • Wrapped Codex image paths (executeOpenAIImage / executeOpenAIImageStream) forwarded the downstream client's User-Agent to upstream chatgpt.com, triggering Cloudflare 1010 when the UA is a script default like Python-urllib/3.9
  • Switched both call sites from applyCodexHeaders to the existing applyCodexDirectImageHeaders, which strips downstream UA so resolution falls through to the safe codexUserAgent default
  • The direct image path (executeDirectOpenAIImage / executeDirectOpenAIImageStream) already used applyCodexDirectImageHeaders — this fix closes the gap for the wrapped path

Root cause

applyCodexHeaders passes downstream gin headers (including User-Agent) to ensureHeaderWithConfigPrecedence. When no CodexHeaderDefaults.UserAgent config is set, the priority chain is: config (empty) → downstream UA → hardcoded codexUserAgent. So "Python-urllib/3.9" wins over the safe default.

The direct image path already had applyCodexDirectImageHeaders (introduced specifically for this reason) which clones gin headers and calls ginHeaders.Del("User-Agent") before passing them through — so the downstream UA never enters the priority chain and codexUserAgent is used as fallback.

Changes

File Change
codex_openai_images.go:115 applyCodexHeadersapplyCodexDirectImageHeaders (non-streaming)
codex_openai_images.go:211 applyCodexHeadersapplyCodexDirectImageHeaders (streaming)
codex_openai_images_test.go New test: wrapped path with Python-urllib/3.9 downstream UA verifies upstream receives codexUserAgent

Tests

  • go test -run "OpenAIImage" ./internal/runtime/executor/ — all 5 image tests pass
  • go build -o test-output ./cmd/server — compiles cleanly

Closes #3980

… image requests

The wrapped image path (executeOpenAIImage / executeOpenAIImageStream)
called applyCodexHeaders which forwards the downstream client's
User-Agent to upstream chatgpt.com. Script UAs like "Python-urllib/3.9"
trigger Cloudflare 1010 Access Denied on the /images/generations
endpoint.

Switch both call sites to applyCodexDirectImageHeaders, which already
exists for the direct image path — it clones gin headers and strips
User-Agent so the resolution falls through to the safe codexUserAgent
default.

Closes router-for-me#3980
@github-actions github-actions Bot changed the base branch from main to dev July 7, 2026 06:51
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

This pull request targeted main.

The base branch has been automatically changed to dev.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the OpenAI image execution flow to use applyCodexDirectImageHeaders instead of applyCodexHeaders and adds a test to verify that downstream User-Agent headers are not leaked upstream. The reviewer suggested checking the error returned by executor.Execute in the new test to avoid silent failures.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +335 to +338
_, _ = executor.Execute(ctx, newCodexOpenAIImageTestAuth(server.URL), cliproxyexecutor.Request{
Model: "codex/dall-e-3",
Payload: []byte(`{"model":"codex/dall-e-3","prompt":"A cute otter","stream":false}`),
}, codexOpenAIImageTestOptions(codexImagesGenerationsPath, false))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The test currently ignores the error returned by executor.Execute using _, _ =. It is highly recommended to check and assert that err is nil to ensure the execution succeeds and to prevent silent failures or confusing test failures if the setup or request preparation fails.

	_, err := executor.Execute(ctx, newCodexOpenAIImageTestAuth(server.URL), cliproxyexecutor.Request{
		Model:   "codex/dall-e-3",
		Payload: []byte(`{"model":"codex/dall-e-3","prompt":"A cute otter","stream":false}`),
	}, codexOpenAIImageTestOptions(codexImagesGenerationsPath, false))
	if err != nil {
		t.Fatalf("Execute() error = %v", err)
	}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Codex images: downstream User-Agent (e.g. Python-urllib/3.9) forwarded upstream triggers Cloudflare 1010

1 participant