fix(scriptutils): fix path resolution and wildcard extraction for absolute shebangs #345
Closed
mcexit wants to merge 1 commit into
…bare name rules

`PurePath.match()` performs right-aligned suffix matching, which caused absolute shebang paths (e.g., `C:\uv\python.exe`) to inadvertently evaluate true for bare names like `python.exe` or `python*.exe`. This resulted in two critical bugs:

1. Virtual environment paths were hijacked by the `is_default` trap, falling back to the global default Python runtime instead of the specified one.
2. Custom executables (like `python_uv_test.exe`) were intercepted by the fallback wildcard search, resulting in arbitrary slicing and lookup errors for phantom version tags (e.g., `_uv_test`).

This commit introduces an `is_name_only` check (validating the absence of directory separators `/` and `\`) to safely distinguish bare commands from explicit paths. Gating the `is_default`, virtual alias, and wildcard extraction logic behind this check ensures explicit paths correctly fall through to `_find_on_path()`.
Member
Please file an issue first, and leave out the cheesy headings and just focus on the problem you're observing and the context it appears in.
Member
Also, if an issue is "critical", please submit it as a security report using the GitHub Security Advisory feature. Otherwise, please refrain from assessing the severity of an issue - we can handle that, taking into account more than one single user.
This was referenced May 24, 2026
Description
This PR resolves a critical issue where scripts utilizing absolute or explicit relative shebangs (such as those generated by modern virtual environment managers like `uv`) are incorrectly intercepted, truncated, or routed to the wrong interpreter.

🐛 The Bugs
The original logic in `_find_shebang_command` heavily relied on `pathlib.PurePath.match()`. Because `match()` performs a loose right-aligned suffix match, `PurePath("C:/uv/python.exe").match("python.exe")` evaluates to `True`. This caused a chain reaction of unintended behaviors:

- `is_default` Trap: Absolute paths like `C:\...\python.exe` incorrectly triggered the `is_default` check, discarding the user's isolated environment and defaulting to the system-wide global Python.
- `python*.exe` would intercept executables like `C:\...\python_uv_test.exe` and blindly slice the name (`[6:-4]`), causing the system to search for a phantom runtime tag (e.g., `[ERROR] No runtime installed that matches _uv_test`) and crash.
- `sh_cmd.match(i["executable"])` could falsely intercept absolute shebangs if a registered runtime was using a relative executable name.

🛠️ The Fix
- `is_name_only` Check: Introduced a check for path separators (`/` or `\`) to properly distinguish between "bare names" (like `py.exe` or `python3.14.exe`) and explicit paths (`C:\...\python.exe` or `./python.exe`).
- `is_default` override, and the tag extraction wildcards are now safely gated behind `is_name_only`.
- `not PurePath(i["executable"]).is_absolute()`) to prevent absolute shebangs from falsely matching relative executable registries.

🧪 Impact
With these changes, absolute paths are safely bypassed in the virtual lookup traps, allowing them to cleanly fall through to the `LookupError` at the end of the block. This exception is caught gracefully by `_parse_shebang`, which delegates the absolute path to `shutil.which()` under `_find_on_path()`.

This restores 100% interoperability with tools like `uv` and explicit local paths (`./python.exe`), without breaking any existing PEP 397/PEP 486 behaviors for standard bare names.
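
The suffix-matching behaviour this pull request describes, reproduced as an added example that is not the project's code. The functions `classify_ungated`, `classify_gated` and `compare` and the sample commands are hypothetical and constructed for illustration; only the `match()` semantics, the `[6:-4]` slice and the separator check come from the description above.

```python
from pathlib import PureWindowsPath

# Constructed sample shebang commands (illustrative, not from the project).
SAMPLES = [
    "python.exe",
    "python3.14.exe",
    r"C:\uv\python.exe",
    r"C:\uv\python_uv_test.exe",
    "./python.exe",
]


def is_name_only(cmd: str) -> bool:
    """True for a bare name: no '/' or '\\' anywhere in the command."""
    return "/" not in cmd and "\\" not in cmd


def classify_ungated(cmd: str) -> str:
    """Hypothetical classifier relying on match() alone."""
    path = PureWindowsPath(cmd)
    # A relative pattern is matched against the right-hand end of the path,
    # so the directory part of an absolute path is ignored.
    if path.match("python.exe"):
        return "default"
    if path.match("python*.exe"):
        # Strip the 'python' prefix and '.exe' suffix to get a version tag.
        return "tag:" + path.name[6:-4]
    return "path"


def classify_gated(cmd: str) -> str:
    """Same rules, but only bare names reach the name-based matching."""
    if not is_name_only(cmd):
        return "path"  # explicit path: left for an ordinary path lookup
    return classify_ungated(cmd)


def compare(samples=SAMPLES):
    """Return (command, ungated result, gated result) for each sample."""
    return [(s, classify_ungated(s), classify_gated(s)) for s in samples]


if __name__ == "__main__":
    for cmd, before, after in compare():
        print(f"{cmd!r:32} ungated={before:14} gated={after}")
```

`PureWindowsPath` is used so the Windows path semantics are the same on any host OS.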