fix(tools): prevent environment variable race in script shell tool #2616
Merged
dgageot merged 1 commit into docker:main from May 4, 2026
360c65d to ead7eda
The script shell tool's `execute()` method was aliasing the shared `t.env` slice directly into `cmd.Env`, then appending per-call parameters. When the slice had spare capacity, appending would mutate the shared backing array, causing concurrent tool invocations to race and leak parameters into each other's environments.

Now create a per-call copy with exact capacity equal to the final size, ensuring each subprocess receives only its own parameters without affecting concurrent executions.

fix(tools): preserve nil-env semantics in script_shell so child inherits parent env

When `t.env` is nil (no toolset env wired), the prior fix changed `cmd.Env=nil` (Go inherits parent env) to a non-nil empty slice, stripping PATH/HOME/everything from the subprocess. Expand nil to `os.Environ()` before the per-call clone so the inherit-parent semantics are preserved.

Addresses Copilot review feedback on the prior fix in this branch.
ead7eda to b4dd28b
dgageot approved these changes May 4, 2026
The script shell tool's `execute()` method was aliasing the shared `t.env` slice directly into `cmd.Env`, then appending per-call parameters. When the slice had spare capacity, appending would mutate the shared backing array, causing concurrent tool invocations to race and leak parameters into each other's environments.

Now create a per-call copy with exact capacity equal to the final size, ensuring each subprocess receives only its own parameters without affecting concurrent executions.
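The slice aliasing described above, reduced to a stand-alone Go program. This is an added example, not code from the pull request: `aliasedEnv`, `clonedEnv`, `leaks` and the sample environment values are hypothetical names and constructed data, and the two helpers only follow the before and after behaviour as the description states it.

```go
package main

import (
	"fmt"
	"os"
)

// aliasedEnv reproduces the pre-fix pattern (hypothetical helper): the
// per-call slice shares shared's backing array, so append can write into it.
func aliasedEnv(shared []string, params ...string) []string {
	env := shared
	return append(env, params...)
}

// clonedEnv follows the fix as described (hypothetical helper): nil means
// "inherit the parent environment", then copy into an exact-capacity slice.
func clonedEnv(shared []string, params ...string) []string {
	if shared == nil {
		shared = os.Environ()
	}
	env := make([]string, 0, len(shared)+len(params))
	env = append(env, shared...)
	return append(env, params...)
}

// leaks reports whether a second call overwrote the first call's parameter.
// The calls run sequentially so the result is deterministic; run
// concurrently, the same write is a data race.
func leaks(build func([]string, ...string) []string) bool {
	shared := make([]string, 1, 8) // constructed: length 1, spare capacity 7
	shared[0] = "PATH=/usr/bin"
	first := build(shared, "TOKEN=call-A")
	_ = build(shared, "TOKEN=call-B")
	return first[1] != "TOKEN=call-A"
}

func main() {
	fmt.Println("aliased slice leaks:", leaks(aliasedEnv))
	fmt.Println("cloned slice leaks: ", leaks(clonedEnv))
	env := clonedEnv(nil, "X=1")
	fmt.Println("nil env inherits parent:", len(env) == len(os.Environ())+1)
}
```

A regression test for the real tool can use the same shape: build the shared slice with spare capacity, invoke twice, and assert the first call's environment is unchanged, ideally under `go test -race` with the calls in separate goroutines.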