-
-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
options.env.PATH is used to find binaries instead of the calling process.env.PATH #366
Comments
Hi @mvachhar, Would |
I've used that to work around my particular issue at the moment. However, what if you want the child to have a different PATH than the parent, and in particular, the child PATH does not contain the right directory to find the binary to spawn on the parent. Or, you want to tightly control the path in the spawned process so that it doesn't accidentally run binaries you didn't intend. In these cases this is still an issue. It is why libc exec and nodejs spawn both use the |
I am not sure I am understanding. If the child needs to have a different |
Exactly. Suppose we have the following. The parent PATH is execa("myProg", [], { extendEnv: false, env: { PATH: "/usr/bin" }) We will get |
Oh, and just to be clear in my prior comment, UNIX |
Yes that makes sense now. @sindresorhus what do you think? |
Yeah, seems like a valid bug. |
So what is the course for a fix? Submit a PR for cross-spawn?
…On Thu, Sep 5, 2019 at 11:02 AM Sindre Sorhus ***@***.***> wrote:
Yeah, seems like a valid bug.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#366?email_source=notifications&email_token=AAKSETLZG6ESRNN6QXIFAYLQIE3T7A5CNFSM4ISP4Z52YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD574KIY#issuecomment-528467235>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAKSETPXDATO6Q33Q4PHGX3QIE3T7ANCNFSM4ISP4Z5Q>
.
|
I cannot reproduce this bug. await execa('ls', [], {extendEnv:false}) Returns: {
command: 'ls',
exitCode: 0,
exitCodeName: 'SUCCESS',
stdout: 'index.d.ts\n' +
'index.js\n' +
'index.test-d.ts\n' +
'lib\n' +
'license\n' +
'media\n' +
'node_modules\n' +
'package.json\n' +
'readme.md\n' +
'test',
stderr: '',
all: undefined,
failed: false,
timedOut: false,
isCanceled: false,
killed: false
} Are you using the latest version of execa? |
On the latest version (2.0.4) you have to do execa("ls", [], {extendEnv: false, env: { PATH:null } }); but, essentially the same problem. I haven't looked at the latest code, but I suspect it is still a cross-spawn issue at heart. |
This is normal that you get Try this: const { execFile } = require('child_process')
const { promisify } = require('util')
const pExecFile = promisify(execFile)
await pExecFile('ls', { env: { PATH: null } }) You get:
|
Ok, so execa is mimicking the behavior of child_process.spawn here, which itself is broken, IMHO, but that isn't going to get fixed. There is some wierd stuff going on with env that I don't understand. For example import { execFileSync } = require('child_process');
execFileSync("/usr/bin/env", [], { env: { } }).toString(); // Returns empty string, so no environment as expected
execFileSync("ls", [], { env: { } }).toString(); // Works as expected
execFileSync("/usr/bin/env, [], { env: { PATH: null } }).toString(); //Returns 'PATH=null\n'
execFileSync("ls", [], { env: { PATH: null } }).toString(); //ENOENT So, my original test comparison to child_process was flawed. I have no idea why In any case, it isn't worth digging into the node.js source to find it, it is what it is. Sorry for the false alarm. |
Just for precision: we are forwarding to it, not mimicking it. execa is just a wrapper around I think it would be worth posting that issue on the Node.js repository though. |
It seems that there is no way to pass an empty environment to execa and use PATH to find the binary.
If one does
execa
will throw ENOENT because there is noPATH
environment variable in env. However, with vanilla node:everything is fine.
It appears that this difference is due to the fact that spawn (IMHO) does the correct thing and uses the calling processes
PATH
environment variable to find the underlying binary. Howeverexeca
is using theenv
option, which is intended to be the environment for the spawned process, not the parent process.This makes it impossible to use the parent path to find the binary but give the child an empty environment (which is important to avoid leaking secrets stored in the environment, for example). Moreover, someone may want a different path for the child vs. the parent, which is also impossible to achieve.
A little bit of digging seems to indicate that the underlying problem is actually in cross-spawn itself, though it is unclear to me if this is the desired behavior or not for their package. Again, it probably shouldn't be the desired behavior, but to each their own.
The text was updated successfully, but these errors were encountered: