enh(File): proper implementation of File::getExecutablePath

[matejk]

Summary

• getExecutablePathImpl() is now a full resolver: on Unix it searches cwd + PATH via findInPath(), then verifies executability using euid/egid stat checks; on Windows it uses SearchPathW (two-call pattern for paths > MAX_PATH) with PATHEXT iteration. Paths containing a directory separator are resolved to absolute via Path::makeAbsolute().
• canExecuteImpl() on Unix now uses euid/egid stat-based permission checks (consistent with canReadImpl/canWriteImpl) with an S_ISREG guard. Windows checks extension against PATHEXT. VxWorks treats any regular file as executable (no permission bits).
• absolutePath() no longer searches PATH — it only resolves relative paths against cwd
• existsAnywhere() reimplemented via shared findInPath() helper, fixed to not search PATH for absolute paths
• findInPath() extracted into File.cpp — always returns absolute paths via Path::makeAbsolute(), with cached PATH tokenization
• Performance optimizations:
  • PATH caching: tokenized once and cached with change detection (thread-safe with mutex)
  • PATHEXT caching (Windows): tokenized once at startup (thread-safe by design)
  • Combined stat checks: Unix/VxWorks now check existence and executability in a single stat() call
• ProcessRunner::start() updated to use getExecutablePath() / canExecute()
• VxWorks File_VX.cpp synced with Unix/Windows implementations
• Tests updated: added non-executable file test, directory test, relative path with separator test, non-existent relative path test
• Documentation: Added note about Windows UNC path limitations with SearchPathW

Follows up on #5180.

Performance Improvements

• Reduced syscalls: Unix/VxWorks now use 1 stat() call instead of 2 for paths with directory separators
• Cached PATH parsing: Avoids repeated Environment::get("PATH") and string tokenization (thread-safe)
• Cached PATHEXT parsing (Windows): One-time initialization eliminates repeated parsing (thread-safe)
• Thread-safe: All caching implementations are thread-safe for concurrent calls

Bug Fixes

• Fixed existsAnywhere() incorrectly searching PATH for absolute paths
• Eliminated TOCTOU race condition in getExecutablePathImpl() by removing redundant existence check

Test plan

• Build Foundation library and testsuite on macOS, Linux, Windows
• Run Foundation-testrunner — FileTest and ProcessRunnerTest must pass
• Verify File("ls").getExecutablePath() returns absolute path like /usr/bin/ls (Unix)
• Verify File("nonexistent").getExecutablePath() returns empty string
• Verify non-executable file returns empty from getExecutablePath()
• Verify directory path returns empty from getExecutablePath()

[Copilot]

Pull request overview

This PR improves executable resolution semantics in Poco::File (and related ProcessRunner behavior) by making getExecutablePath() a resolver (CWD/PATH on Unix; SearchPathW + PATHEXT on Windows), simplifying canExecute(), and aligning tests with the new behavior.

Changes:

• Reworked File::absolutePath(), File::getExecutablePath(), File::canExecute(), and existsAnywhere() behavior; introduced findInPath() helper.
• Implemented new platform-specific executable resolution logic on Unix/Windows.
• Updated ProcessRunner::start() and FileTest expectations to use getExecutablePath()/canExecute().

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
Foundation/testsuite/src/FileTest.cpp	Updates tests to validate the new executable-resolution behavior.
Foundation/src/ProcessRunner.cpp	Uses getExecutablePath()/canExecute() to validate commands before launching.
Foundation/src/File_WIN32U.cpp	Implements Windows executable resolution with SearchPathW and PATHEXT; updates WinAPI calls.
Foundation/src/File_UNIX.cpp	Implements Unix executable resolution and simplifies canExecuteImpl() using access(X_OK).
Foundation/src/File.cpp	Adds shared findInPath() helper; updates absolutePath(), existsAnywhere(), and canExecute().
Foundation/include/Poco/File.h	Updates documentation for the changed absolutePath(), getExecutablePath(), existsAnywhere(), and canExecute() semantics.

Comments suppressed due to low confidence (1)

Foundation/src/ProcessRunner.cpp:276

• ProcessRunner::start() validates using getExecutablePath()/canExecute(), but on Windows getExecutablePathImpl()/canExecuteImpl() can now accept PATHEXT entries like .CMD/.BAT. Process::launchImpl() uses CreateProcessW, which cannot launch .cmd/.bat directly, so validation may succeed and launch still fails. Either restrict Windows canExecute/getExecutablePath to CreateProcess-launchable extensions (e.g. .exe/.com) or add explicit handling to run scripts via cmd.exe /c.

		std::string execPath = File(_cmd).getExecutablePath();
		if (execPath.empty())
		{
			throw Poco::FileNotFoundException(
				Poco::format("ProcessRunner::start(%s): command not found", _cmd));
		}
		else if (!File(execPath).canExecute())
		{
			throw Poco::ExecuteFileException(
				Poco::format("ProcessRunner::start(%s): cannot execute", _cmd));
		}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Test 5 comment says "Non-executable file" but the test uses a clearly non-existent filename, so it doesn’t exercise the non-executable-path behavior. Either adjust the comment to match (non-existent) or create a real non-executable file (e.g. temp file without +x on Unix / a .txt on Windows) and assert getExecutablePath() returns empty for it.

[Copilot]

FileImpl::getExecutablePathImpl() returns _path for any existing path containing '/', without verifying executability or returning an absolute path for relative inputs (e.g. "./tool"). This contradicts File::getExecutablePath() docs (executable + fully resolved absolute path) and can return directories or non-executable files. Resolve to an absolute path and validate with canExecuteImpl() (or access(X_OK) + S_ISREG) before returning; otherwise return empty.

Suggested change

	return existsImpl() ? _path : std::string{};
	{
	Poco::Path p(_path);
	if (!p.isAbsolute())
	p.makeAbsolute();
	const std::string exePath = p.toString();
	struct stat st;
	if (::access(exePath.c_str(), X_OK) == 0 &&
	::stat(exePath.c_str(), &st) == 0 &&
	S_ISREG(st.st_mode))
	{
	return exePath;
	}
	return {};
	}

[Copilot]

findInPath() returns the first existing match in CWD/PATH and may return a relative path when PATH contains relative entries. When used by getExecutablePathImpl() this can produce non-absolute and/or non-executable results. Consider either (1) making the returned candidate absolute (Path(candidate).makeAbsolute()) and (2) providing a separate helper (or predicate) for "executable" resolution so getExecutablePathImpl() can filter out non-executable matches without changing existsAnywhere() semantics.

[Copilot]

Windows getExecutablePathImpl(): the initial SearchPathW(NULL, name, NULL, ...) can return a match for non-executable files when the caller passes an absolute/relative path with an extension not in PATHEXT (e.g. C:\Windows\win.ini). This violates the getExecutablePath() contract of returning an executable match or empty. After SearchPathW succeeds, validate the resolved path with canExecuteImpl() (PATHEXT membership) and return empty if it’s not executable.

[Copilot]

Windows getExecutablePathImpl() truncates resolution to MAX_PATH; if SearchPathW returns a required length >= MAX_PATH, the function currently falls through and returns empty even though the executable exists. Consider a two-call pattern: call SearchPathW with 0/NULL to get required length, then allocate a buffer of that size (+1) and call again.

[Copilot]

UNIX canExecuteImpl() now uses ::access(X_OK), which checks permissions using the real UID/GID, while canReadImpl()/canWriteImpl() use effective IDs (geteuid/getegid). This changes behavior for setuid/setgid processes and is inconsistent within FileImpl. Consider keeping the prior euid/egid-based permission logic, or using faccessat(..., AT_EACCESS) where available with a fallback.

Suggested change

	return ::stat(absolutePath.c_str(), &st) == 0 && S_ISREG(st.st_mode) && ::access(absolutePath.c_str(), X_OK) == 0;
	if (::stat(absolutePath.c_str(), &st) != 0 || !S_ISREG(st.st_mode))
	return false;
	uid_t euid = ::geteuid();
	gid_t egid = ::getegid();
	// root can execute any regular file that has at least one execute bit set
	if (euid == 0)
	return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
	if (st.st_uid == euid)
	return (st.st_mode & S_IXUSR) != 0;
	else if (st.st_gid == egid)
	return (st.st_mode & S_IXGRP) != 0;
	else
	return (st.st_mode & S_IXOTH) != 0;

[aleks-f]

@matejk see copilot suggestions, some make sense

[matejk]

@matejk see copilot suggestions, some make sense

They really do.