Severity: Warning
File: src/Servy.Service/ProcessManagement/ProcessLauncher.cs
Lines: 178-201
Code:
    bool isPython = psi.FileName.IndexOf("python", StringComparison.OrdinalIgnoreCase) >= 0 ||
                    string.Equals(extension, ".py", StringComparison.OrdinalIgnoreCase);
    if (isPython)
    {
        psi.Environment["PYTHONLEGACYWINDOWSSTDIO"] = "0";
        psi.Environment["PYTHONIOENCODING"] = "utf-8";
        psi.Environment["PYTHONUTF8"] = "1";
        psi.Environment["PYTHONUNBUFFERED"] = "1";
    }

    bool isJava = psi.FileName.IndexOf("java", StringComparison.OrdinalIgnoreCase) >= 0 ||
                  string.Equals(extension, ".jar", StringComparison.OrdinalIgnoreCase);
    if (isJava)
    {
        string currentArgs = psi.Arguments ?? string.Empty;
        if (currentArgs.IndexOf("-Dfile.encoding", StringComparison.OrdinalIgnoreCase) < 0)
        {
            psi.Arguments = $"-Dfile.encoding=UTF-8 {currentArgs}".Trim();
        }
    }
Explanation:
psi.FileName is the full executable path. IndexOf("python", ...) matches anywhere in the string — including parent directory names. Examples that trigger false positives:
C:\Tools\python-utils\node.exe — sets PYTHON* env vars on a Node.js process.
C:\dev\my-javascript\app.exe — prepends -Dfile.encoding=UTF-8 to a non-Java program (which then fails to start because the unknown switch is treated as the first positional argument).
C:\Program Files\JavaScript Runtime\jsruntime.exe — same.
C:\python_3.11\Scripts\pip.exe — actually this one is Python so OK, but the matching is structurally fragile.
The Python case is benign (extra env vars usually harmless), but the Java case actively breaks the launched program by injecting a bogus first argument.
Suggested fix:
Match on the executable filename only (not the full path), and require an exact-name or word-boundary match:
    string fileNameOnly = Path.GetFileNameWithoutExtension(psi.FileName ?? string.Empty);

    bool isPython =
        string.Equals(fileNameOnly, "python", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(fileNameOnly, "pythonw", StringComparison.OrdinalIgnoreCase) ||
        fileNameOnly.StartsWith("python3", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(extension, ".py", StringComparison.OrdinalIgnoreCase);

    bool isJava =
        string.Equals(fileNameOnly, "java", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(fileNameOnly, "javaw", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(fileNameOnly, "javac", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(extension, ".jar", StringComparison.OrdinalIgnoreCase);
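The two checks compared side by side over the paths listed in the explanation (added example, not code from the Servy project). The class and helper names are hypothetical, the last two sample paths are constructed, and the .py/.jar extension test is left out because the report does not show how `extension` is derived.

```csharp
using System;
using System.IO;

static class InterpreterMatchDemo // hypothetical name, not part of Servy
{
    const StringComparison IgnoreCase = StringComparison.OrdinalIgnoreCase;

    // Check as reported: substring match anywhere in the full path.
    static bool PathContains(string path, string needle) =>
        path.IndexOf(needle, IgnoreCase) >= 0;

    // Executable name without directories or extension. Directories are cut by
    // hand so the Windows-style samples give the same result on any OS.
    static string BaseName(string path)
    {
        string leaf = path.Substring(path.LastIndexOfAny(new[] { '\\', '/' }) + 1);
        return Path.GetFileNameWithoutExtension(leaf);
    }

    // Name-based part of the suggested fix.
    static bool IsPython(string path)
    {
        string n = BaseName(path);
        return n.Equals("python", IgnoreCase) || n.Equals("pythonw", IgnoreCase)
            || n.StartsWith("python3", IgnoreCase);
    }

    static bool IsJava(string path)
    {
        string n = BaseName(path);
        return n.Equals("java", IgnoreCase) || n.Equals("javaw", IgnoreCase)
            || n.Equals("javac", IgnoreCase);
    }

    static void Main()
    {
        string[] samples =
        {
            @"C:\Tools\python-utils\node.exe",                    // from the report
            @"C:\dev\my-javascript\app.exe",                      // from the report
            @"C:\Program Files\JavaScript Runtime\jsruntime.exe", // from the report
            @"C:\python_3.11\Scripts\pip.exe",                    // from the report
            @"C:\Python311\python.exe",                           // constructed
            @"C:\Java\bin\javaw.exe",                             // constructed
        };
        foreach (string p in samples)
        {
            bool oldPy = PathContains(p, "python"), oldJava = PathContains(p, "java");
            Console.WriteLine($"{p}\n  full path: python={oldPy} java={oldJava}" +
                              $"\n  name only: python={IsPython(p)} java={IsJava(p)}");
        }
    }
}
```

With the name-only check, `pip.exe` in the fourth sample no longer receives the PYTHON* variables, since only `python`, `pythonw` and `python3*` names match.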