Fixing rgpath for terminal sandboxing

[dileepyavan]

fixes(#301928)

[Copilot]

Pull request overview

This PR targets terminal sandboxing reliability by adjusting how the sandbox helper exposes the bundled rg (ripgrep) dependency, addressing failures where sandboxed terminal tools never run due to missing ripgrep.

Changes:

• Inject ILogService into SandboxHelperService and log the computed ripgrep path.
• Stop overriding SandboxManager.initialize’s ripgrep config from _rgPath, and instead try to make rg discoverable by extending PATH in the wrapped command’s environment prefix.
• Add helper logic to append the ripgrep binary directory to PATH.

Comments suppressed due to low confidence (3)

src/vs/platform/sandbox/node/sandboxHelperService.ts:81

• SandboxManager.initialize(...) runs before the wrapped command is produced, so updating PATH only in _getSandboxEnvironmentPrefix() won’t affect the sandbox runtime’s dependency check that currently fails with “Required: ripgrep (rg)”. Also, normalizedRuntimeConfig.ripgrep is now only provided when the caller supplies runtimeConfig.ripgrep, but TerminalSandboxService never sets it, so initialize will fall back to searching for rg on the current process PATH and likely keep failing. Consider always providing a ripgrep config here (e.g. using VS Code’s bundled ripgrep path) or otherwise ensuring rg is discoverable in the environment used during initialize.

This issue also appears in the following locations of the same file:

• line 30
• line 104

			ripgrep: runtimeConfig.ripgrep ? {
				command: runtimeConfig.ripgrep.command,
				args: runtimeConfig.ripgrep?.args ? [...runtimeConfig.ripgrep.args] : undefined,
			} : undefined,
			mandatoryDenySearchDepth: runtimeConfig.mandatoryDenySearchDepth,
			allowPty: runtimeConfig.allowPty,
		};
		await SandboxManager.initialize(normalizedRuntimeConfig, request => this._requestSandboxPermission(request));
		return SandboxManager.wrapWithSandbox(`${this._getSandboxEnvironmentPrefix()} ${command}`);

src/vs/platform/sandbox/node/sandboxHelperService.ts:35

• The ripgrep path is currently derived from appRoot/node_modules/@vscode/ripgrep/bin/rg. In built distributions the module/binary is commonly stored under node_modules.asar and the executable under node_modules.asar.unpacked (see other ripgrep usages that rewrite rgPath to the unpacked location). If _rgPath points at a non-existent location, both the new PATH injection and any ripgrep command resolution will be ineffective. Suggest resolving the ripgrep binary using @vscode/ripgrep’s rgPath (and rewriting to the unpacked path when needed) instead of constructing it manually from appRoot.

		this._rgPath = nativeEnvironmentService.appRoot
			? this._pathJoin(nativeEnvironmentService.appRoot, 'node_modules', '@vscode', 'ripgrep', 'bin', 'rg')
			: undefined;
		this._tempDir = nativeEnvironmentService.tmpDir?.path;
		logService.info('SandboxHelperService#constructor ripgrep path', this._rgPath ?? 'undefined');
	}

src/vs/platform/sandbox/node/sandboxHelperService.ts:108

• _getPathWithRipgrepDir appends the ripgrep directory to the end of PATH. If another rg exists earlier on PATH, the sandbox runtime will pick that one, which can reintroduce “missing/incorrect dependency” issues and makes behavior less deterministic. Consider prepending the ripgrep directory so the bundled rg takes precedence.

		const rgDir = dirname(this._rgPath);
		const currentPath = process.env['PATH'];
		const path = process.platform === 'win32' ? win32 : posix;
		return currentPath ? `${currentPath}${path.delimiter}${rgDir}` : rgDir;
	}

---

You can also share your feedback on Copilot code review. Take the survey.