// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package exec runs external commands. It wraps os.StartProcess to make it // easier to remap stdin and stdout, connect I/O with pipes, and do other // adjustments. // // Unlike the "system" library call from C and other languages, the // os/exec package intentionally does not invoke the system shell and // does not expand any glob patterns or handle other expansions, // pipelines, or redirections typically done by shells. The package // behaves more like C's "exec" family of functions. To expand glob // patterns, either call the shell directly, taking care to escape any // dangerous input, or use the [path/filepath] package's Glob function. // To expand environment variables, use package os's ExpandEnv. // // Note that the examples in this package assume a Unix system. // They may not run on Windows, and they do not run in the Go Playground // used by golang.org and godoc.org. // // # Executables in the current directory // // The functions [Command] and [LookPath] look for a program // in the directories listed in the current path, following the // conventions of the host operating system. // Operating systems have for decades included the current // directory in this search, sometimes implicitly and sometimes // configured explicitly that way by default. // Modern practice is that including the current directory // is usually unexpected and often leads to security problems. // // To avoid those security problems, as of Go 1.19, this package will not resolve a program // using an implicit or explicit path entry relative to the current directory. // That is, if you run [LookPath]("go"), it will not successfully return // ./go on Unix nor .\go.exe on Windows, no matter how the path is configured. // Instead, if the usual path algorithms would result in that answer, // these functions return an error err satisfying [errors.Is](err, [ErrDot]). // // For example, consider these two program snippets: // // path, err := exec.LookPath("prog") // if err != nil { // log.Fatal(err) // } // use(path) // // and // // cmd := exec.Command("prog") // if err := cmd.Run(); err != nil { // log.Fatal(err) // } // // These will not find and run ./prog or .\prog.exe, // no matter how the current path is configured. // // Code that always wants to run a program from the current directory // can be rewritten to say "./prog" instead of "prog". // // Code that insists on including results from relative path entries // can instead override the error using an errors.Is check: // // path, err := exec.LookPath("prog") // if errors.Is(err, exec.ErrDot) { // err = nil // } // if err != nil { // log.Fatal(err) // } // use(path) // // and // // cmd := exec.Command("prog") // if errors.Is(cmd.Err, exec.ErrDot) { // cmd.Err = nil // } // if err := cmd.Run(); err != nil { // log.Fatal(err) // } // // Setting the environment variable GODEBUG=execerrdot=0 // disables generation of ErrDot entirely, temporarily restoring the pre-Go 1.19 // behavior for programs that are unable to apply more targeted fixes. // A future version of Go may remove support for this variable. // // Before adding such overrides, make sure you understand the // security implications of doing so. // See https://go.dev/blog/path-security for more information.
package exec import ( ) // Error is returned by [LookPath] when it fails to classify a file as an // executable. type Error struct { // Name is the file name for which the error occurred. Name string // Err is the underlying error. Err error } func ( *Error) () string { return "exec: " + strconv.Quote(.Name) + ": " + .Err.Error() } func ( *Error) () error { return .Err } // ErrWaitDelay is returned by [Cmd.Wait] if the process exits with a // successful status code but its output pipes are not closed before the // command's WaitDelay expires. var ErrWaitDelay = errors.New("exec: WaitDelay expired before I/O complete") // wrappedError wraps an error without relying on fmt.Errorf. type wrappedError struct { prefix string err error } func ( wrappedError) () string { return .prefix + ": " + .err.Error() } func ( wrappedError) () error { return .err } // Cmd represents an external command being prepared or run. // // A Cmd cannot be reused after calling its [Cmd.Run], [Cmd.Output] or [Cmd.CombinedOutput] // methods. type Cmd struct { // Path is the path of the command to run. // // This is the only field that must be set to a non-zero // value. If Path is relative, it is evaluated relative // to Dir. Path string // Args holds command line arguments, including the command as Args[0]. // If the Args field is empty or nil, Run uses {Path}. // // In typical use, both Path and Args are set by calling Command. Args []string // Env specifies the environment of the process. // Each entry is of the form "key=value". // If Env is nil, the new process uses the current process's // environment. // If Env contains duplicate environment keys, only the last // value in the slice for each duplicate key is used. // As a special case on Windows, SYSTEMROOT is always added if // missing and not explicitly set to the empty string. // // See also the Dir field, which may set PWD in the environment. Env []string // Dir specifies the working directory of the command. // If Dir is the empty string, Run runs the command in the // calling process's current directory. // // On Unix systems, the value of Dir also determines the // child process's PWD environment variable if not otherwise // specified. A Unix process represents its working directory // not by name but as an implicit reference to a node in the // file tree. So, if the child process obtains its working // directory by calling a function such as C's getcwd, which // computes the canonical name by walking up the file tree, it // will not recover the original value of Dir if that value // was an alias involving symbolic links. However, if the // child process calls Go's [os.Getwd] or GNU C's // get_current_dir_name, and the value of PWD is an alias for // the current directory, those functions will return the // value of PWD, which matches the value of Dir. Dir string // Stdin specifies the process's standard input. // // If Stdin is nil, the process reads from the null device (os.DevNull). // // If Stdin is an *os.File, the process's standard input is connected // directly to that file. // // Otherwise, during the execution of the command a separate // goroutine reads from Stdin and delivers that data to the command // over a pipe. In this case, Wait does not complete until the goroutine // stops copying, either because it has reached the end of Stdin // (EOF or a read error), or because writing to the pipe returned an error, // or because a nonzero WaitDelay was set and expired. Stdin io.Reader // Stdout and Stderr specify the process's standard output and error. // // If either is nil, Run connects the corresponding file descriptor // to the null device (os.DevNull). // // If either is an *os.File, the corresponding output from the process // is connected directly to that file. // // Otherwise, during the execution of the command a separate goroutine // reads from the process over a pipe and delivers that data to the // corresponding Writer. In this case, Wait does not complete until the // goroutine reaches EOF or encounters an error or a nonzero WaitDelay // expires. // // If Stdout and Stderr are the same writer, and have a type that can // be compared with ==, at most one goroutine at a time will call Write. Stdout io.Writer Stderr io.Writer // ExtraFiles specifies additional open files to be inherited by the // new process. It does not include standard input, standard output, or // standard error. If non-nil, entry i becomes file descriptor 3+i. // // ExtraFiles is not supported on Windows. ExtraFiles []*os.File // SysProcAttr holds optional, operating system-specific attributes. // Run passes it to os.StartProcess as the os.ProcAttr's Sys field. SysProcAttr *syscall.SysProcAttr // Process is the underlying process, once started. Process *os.Process // ProcessState contains information about an exited process. // If the process was started successfully, Wait or Run will // populate its ProcessState when the command completes. ProcessState *os.ProcessState // ctx is the context passed to CommandContext, if any. ctx context.Context Err error // LookPath error, if any. // If Cancel is non-nil, the command must have been created with // CommandContext and Cancel will be called when the command's // Context is done. By default, CommandContext sets Cancel to // call the Kill method on the command's Process. // // Typically a custom Cancel will send a signal to the command's // Process, but it may instead take other actions to initiate cancellation, // such as closing a stdin or stdout pipe or sending a shutdown request on a // network socket. // // If the command exits with a success status after Cancel is // called, and Cancel does not return an error equivalent to // os.ErrProcessDone, then Wait and similar methods will return a non-nil // error: either an error wrapping the one returned by Cancel, // or the error from the Context. // (If the command exits with a non-success status, or Cancel // returns an error that wraps os.ErrProcessDone, Wait and similar methods // continue to return the command's usual exit status.) // // If Cancel is set to nil, nothing will happen immediately when the command's // Context is done, but a nonzero WaitDelay will still take effect. That may // be useful, for example, to work around deadlocks in commands that do not // support shutdown signals but are expected to always finish quickly. // // Cancel will not be called if Start returns a non-nil error. Cancel func() error // If WaitDelay is non-zero, it bounds the time spent waiting on two sources // of unexpected delay in Wait: a child process that fails to exit after the // associated Context is canceled, and a child process that exits but leaves // its I/O pipes unclosed. // // The WaitDelay timer starts when either the associated Context is done or a // call to Wait observes that the child process has exited, whichever occurs // first. When the delay has elapsed, the command shuts down the child process // and/or its I/O pipes. // // If the child process has failed to exit — perhaps because it ignored or // failed to receive a shutdown signal from a Cancel function, or because no // Cancel function was set — then it will be terminated using os.Process.Kill. // // Then, if the I/O pipes communicating with the child process are still open, // those pipes are closed in order to unblock any goroutines currently blocked // on Read or Write calls. // // If pipes are closed due to WaitDelay, no Cancel call has occurred, // and the command has otherwise exited with a successful status, Wait and // similar methods will return ErrWaitDelay instead of nil. // // If WaitDelay is zero (the default), I/O pipes will be read until EOF, // which might not occur until orphaned subprocesses of the command have // also closed their descriptors for the pipes. WaitDelay time.Duration // childIOFiles holds closers for any of the child process's // stdin, stdout, and/or stderr files that were opened by the Cmd itself // (not supplied by the caller). These should be closed as soon as they // are inherited by the child process. childIOFiles []io.Closer // parentIOPipes holds closers for the parent's end of any pipes // connected to the child's stdin, stdout, and/or stderr streams // that were opened by the Cmd itself (not supplied by the caller). // These should be closed after Wait sees the command and copying // goroutines exit, or after WaitDelay has expired. parentIOPipes []io.Closer // goroutine holds a set of closures to execute to copy data // to and/or from the command's I/O pipes. goroutine []func() error // If goroutineErr is non-nil, it receives the first error from a copying // goroutine once all such goroutines have completed. // goroutineErr is set to nil once its error has been received. goroutineErr <-chan error // If ctxResult is non-nil, it receives the result of watchCtx exactly once. ctxResult <-chan ctxResult // The stack saved when the Command was created, if GODEBUG contains // execwait=2. Used for debugging leaks. createdByStack []byte // For a security release long ago, we created x/sys/execabs, // which manipulated the unexported lookPathErr error field // in this struct. For Go 1.19 we exported the field as Err error, // above, but we have to keep lookPathErr around for use by // old programs building against new toolchains. // The String and Start methods look for an error in lookPathErr // in preference to Err, to preserve the errors that execabs sets. // // In general we don't guarantee misuse of reflect like this, // but the misuse of reflect was by us, the best of various bad // options to fix the security problem, and people depend on // those old copies of execabs continuing to work. // The result is that we have to leave this variable around for the // rest of time, a compatibility scar. // // See https://go.dev/blog/path-security // and https://go.dev/issue/43724 for more context. lookPathErr error // cachedLookExtensions caches the result of calling lookExtensions. // It is set when Command is called with an absolute path, letting it do // the work of resolving the extension, so Start doesn't need to do it again. // This is only used on Windows. cachedLookExtensions struct{ in, out string } } // A ctxResult reports the result of watching the Context associated with a // running command (and sending corresponding signals if needed). type ctxResult struct { err error // If timer is non-nil, it expires after WaitDelay has elapsed after // the Context is done. // // (If timer is nil, that means that the Context was not done before the // command completed, or no WaitDelay was set, or the WaitDelay already // expired and its effect was already applied.) timer *time.Timer } var execwait = godebug.New("#execwait") var execerrdot = godebug.New("execerrdot") // Command returns the [Cmd] struct to execute the named program with // the given arguments. // // It sets only the Path and Args in the returned structure. // // If name contains no path separators, Command uses [LookPath] to // resolve name to a complete path if possible. Otherwise it uses name // directly as Path. // // The returned Cmd's Args field is constructed from the command name // followed by the elements of arg, so arg should not include the // command name itself. For example, Command("echo", "hello"). // Args[0] is always name, not the possibly resolved Path. // // On Windows, processes receive the whole command line as a single string // and do their own parsing. Command combines and quotes Args into a command // line string with an algorithm compatible with applications using // CommandLineToArgvW (which is the most common way). Notable exceptions are // msiexec.exe and cmd.exe (and thus, all batch files), which have a different // unquoting algorithm. In these or other similar cases, you can do the // quoting yourself and provide the full command line in SysProcAttr.CmdLine, // leaving Args empty. func ( string, ...string) *Cmd { := &Cmd{ Path: , Args: append([]string{}, ...), } if := execwait.Value(); != "" { if == "2" { // Obtain the caller stack. (This is equivalent to runtime/debug.Stack, // copied to avoid importing the whole package.) := make([]byte, 1024) for { := runtime.Stack(, false) if < len() { = [:] break } = make([]byte, 2*len()) } if := bytes.Index(, []byte("\nos/exec.Command(")); >= 0 { = [+1:] } .createdByStack = } runtime.SetFinalizer(, func( *Cmd) { if .Process != nil && .ProcessState == nil { := "" if .createdByStack == nil { = " (set GODEBUG=execwait=2 to capture stacks for debugging)" } else { os.Stderr.WriteString("GODEBUG=execwait=2 detected a leaked exec.Cmd created by:\n") os.Stderr.Write(.createdByStack) os.Stderr.WriteString("\n") = "" } panic("exec: Cmd started a Process but leaked without a call to Wait" + ) } }) } if filepath.Base() == { , := LookPath() if != "" { // Update cmd.Path even if err is non-nil. // If err is ErrDot (especially on Windows), lp may include a resolved // extension (like .exe or .bat) that should be preserved. .Path = } if != nil { .Err = } } else if runtime.GOOS == "windows" && filepath.IsAbs() { // We may need to add a filename extension from PATHEXT // or verify an extension that is already present. // Since the path is absolute, its extension should be unambiguous // and independent of cmd.Dir, and we can go ahead and cache the lookup now. // // Note that we don't cache anything here for relative paths, because // cmd.Dir may be set after we return from this function and that may // cause the command to resolve to a different extension. if , := lookExtensions(, ""); == nil { .cachedLookExtensions.in, .cachedLookExtensions.out = , } else { .Err = } } return } // CommandContext is like [Command] but includes a context. // // The provided context is used to interrupt the process // (by calling cmd.Cancel or [os.Process.Kill]) // if the context becomes done before the command completes on its own. // // CommandContext sets the command's Cancel function to invoke the Kill method // on its Process, and leaves its WaitDelay unset. The caller may change the // cancellation behavior by modifying those fields before starting the command. func ( context.Context, string, ...string) *Cmd { if == nil { panic("nil Context") } := Command(, ...) .ctx = .Cancel = func() error { return .Process.Kill() } return } // String returns a human-readable description of c. // It is intended only for debugging. // In particular, it is not suitable for use as input to a shell. // The output of String may vary across Go releases. func ( *Cmd) () string { if .Err != nil || .lookPathErr != nil { // failed to resolve path; report the original requested path (plus args) return strings.Join(.Args, " ") } // report the exact executable path (plus args) := new(strings.Builder) .WriteString(.Path) for , := range .Args[1:] { .WriteByte(' ') .WriteString() } return .String() } // interfaceEqual protects against panics from doing equality tests on // two interfaces with non-comparable underlying types. func interfaceEqual(, any) bool { defer func() { recover() }() return == } func ( *Cmd) () []string { if len(.Args) > 0 { return .Args } return []string{.Path} } func ( *Cmd) () (*os.File, error) { if .Stdin == nil { , := os.Open(os.DevNull) if != nil { return nil, } .childIOFiles = append(.childIOFiles, ) return , nil } if , := .Stdin.(*os.File); { return , nil } , , := os.Pipe() if != nil { return nil, } .childIOFiles = append(.childIOFiles, ) .parentIOPipes = append(.parentIOPipes, ) .goroutine = append(.goroutine, func() error { , := io.Copy(, .Stdin) if skipStdinCopyError() { = nil } if := .Close(); == nil { = } return }) return , nil } func ( *Cmd) () (*os.File, error) { return .writerDescriptor(.Stdout) } func ( *Cmd) ( *os.File) (*os.File, error) { if .Stderr != nil && interfaceEqual(.Stderr, .Stdout) { return , nil } return .writerDescriptor(.Stderr) } // writerDescriptor returns an os.File to which the child process // can write to send data to w. // // If w is nil, writerDescriptor returns a File that writes to os.DevNull. func ( *Cmd) ( io.Writer) (*os.File, error) { if == nil { , := os.OpenFile(os.DevNull, os.O_WRONLY, 0) if != nil { return nil, } .childIOFiles = append(.childIOFiles, ) return , nil } if , := .(*os.File); { return , nil } , , := os.Pipe() if != nil { return nil, } .childIOFiles = append(.childIOFiles, ) .parentIOPipes = append(.parentIOPipes, ) .goroutine = append(.goroutine, func() error { , := io.Copy(, ) .Close() // in case io.Copy stopped due to write error return }) return , nil } func closeDescriptors( []io.Closer) { for , := range { .Close() } } // Run starts the specified command and waits for it to complete. // // The returned error is nil if the command runs, has no problems // copying stdin, stdout, and stderr, and exits with a zero exit // status. // // If the command starts but does not complete successfully, the error is of // type [*ExitError]. Other error types may be returned for other situations. // // If the calling goroutine has locked the operating system thread // with [runtime.LockOSThread] and modified any inheritable OS-level // thread state (for example, Linux or Plan 9 name spaces), the new // process will inherit the caller's thread state. func ( *Cmd) () error { if := .Start(); != nil { return } return .Wait() } // Start starts the specified command but does not wait for it to complete. // // If Start returns successfully, the c.Process field will be set. // // After a successful call to Start the [Cmd.Wait] method must be called in // order to release associated system resources. func ( *Cmd) () error { // Check for doubled Start calls before we defer failure cleanup. If the prior // call to Start succeeded, we don't want to spuriously close its pipes. if .Process != nil { return errors.New("exec: already started") } := false defer func() { closeDescriptors(.childIOFiles) .childIOFiles = nil if ! { closeDescriptors(.parentIOPipes) .parentIOPipes = nil } }() if .Path == "" && .Err == nil && .lookPathErr == nil { .Err = errors.New("exec: no command") } if .Err != nil || .lookPathErr != nil { if .lookPathErr != nil { return .lookPathErr } return .Err } := .Path if runtime.GOOS == "windows" { if .Path == .cachedLookExtensions.in { // If Command was called with an absolute path, we already resolved // its extension and shouldn't need to do so again (provided c.Path // wasn't set to another value between the calls to Command and Start). = .cachedLookExtensions.out } else { // If *Cmd was made without using Command at all, or if Command was // called with a relative path, we had to wait until now to resolve // it in case c.Dir was changed. // // Unfortunately, we cannot write the result back to c.Path because programs // may assume that they can call Start concurrently with reading the path. // (It is safe and non-racy to do so on Unix platforms, and users might not // test with the race detector on all platforms; // see https://go.dev/issue/62596.) // // So we will pass the fully resolved path to os.StartProcess, but leave // c.Path as is: missing a bit of logging information seems less harmful // than triggering a surprising data race, and if the user really cares // about that bit of logging they can always use LookPath to resolve it. var error , = lookExtensions(.Path, .Dir) if != nil { return } } } if .Cancel != nil && .ctx == nil { return errors.New("exec: command with a non-nil Cancel was not created with CommandContext") } if .ctx != nil { select { case <-.ctx.Done(): return .ctx.Err() default: } } := make([]*os.File, 0, 3+len(.ExtraFiles)) , := .childStdin() if != nil { return } = append(, ) , := .childStdout() if != nil { return } = append(, ) , := .childStderr() if != nil { return } = append(, ) = append(, .ExtraFiles...) , := .environ() if != nil { return } .Process, = os.StartProcess(, .argv(), &os.ProcAttr{ Dir: .Dir, Files: , Env: , Sys: .SysProcAttr, }) if != nil { return } = true // Don't allocate the goroutineErr channel unless there are goroutines to start. if len(.goroutine) > 0 { := make(chan error, 1) .goroutineErr = type struct { int error } := make(chan , 1) <- {: len(.goroutine)} for , := range .goroutine { go func( func() error) { := () := <- if . == nil { . = } .-- if . == 0 { <- . } else { <- } }() } .goroutine = nil // Allow the goroutines' closures to be GC'd when they complete. } // If we have anything to do when the command's Context expires, // start a goroutine to watch for cancellation. // // (Even if the command was created by CommandContext, a helper library may // have explicitly set its Cancel field back to nil, indicating that it should // be allowed to continue running after cancellation after all.) if (.Cancel != nil || .WaitDelay != 0) && .ctx != nil && .ctx.Done() != nil { := make(chan ctxResult) .ctxResult = go .watchCtx() } return nil } // watchCtx watches c.ctx until it is able to send a result to resultc. // // If c.ctx is done before a result can be sent, watchCtx calls c.Cancel, // and/or kills cmd.Process it after c.WaitDelay has elapsed. // // watchCtx manipulates c.goroutineErr, so its result must be received before // c.awaitGoroutines is called. func ( *Cmd) ( chan<- ctxResult) { select { case <- ctxResult{}: return case <-.ctx.Done(): } var error if .Cancel != nil { if := .Cancel(); == nil { // We appear to have successfully interrupted the command, so any // program behavior from this point may be due to ctx even if the // command exits with code 0. = .ctx.Err() } else if errors.Is(, os.ErrProcessDone) { // The process already finished: we just didn't notice it yet. // (Perhaps c.Wait hadn't been called, or perhaps it happened to race with // c.ctx being canceled.) Don't inject a needless error. } else { = wrappedError{ prefix: "exec: canceling Cmd", err: , } } } if .WaitDelay == 0 { <- ctxResult{err: } return } := time.NewTimer(.WaitDelay) select { case <- ctxResult{err: , timer: }: // c.Process.Wait returned and we've handed the timer off to c.Wait. // It will take care of goroutine shutdown from here. return case <-.C: } := false if := .Process.Kill(); == nil { // We appear to have killed the process. c.Process.Wait should return a // non-nil error to c.Wait unless the Kill signal races with a successful // exit, and if that does happen we shouldn't report a spurious error, // so don't set err to anything here. = true } else if !errors.Is(, os.ErrProcessDone) { = wrappedError{ prefix: "exec: killing Cmd", err: , } } if .goroutineErr != nil { select { case := <-.goroutineErr: // Forward goroutineErr only if we don't have reason to believe it was // caused by a call to Cancel or Kill above. if == nil && ! { = } default: // Close the child process's I/O pipes, in case it abandoned some // subprocess that inherited them and is still holding them open // (see https://go.dev/issue/23019). // // We close the goroutine pipes only after we have sent any signals we're // going to send to the process (via Signal or Kill above): if we send // SIGKILL to the process, we would prefer for it to die of SIGKILL, not // SIGPIPE. (However, this may still cause any orphaned subprocesses to // terminate with SIGPIPE.) closeDescriptors(.parentIOPipes) // Wait for the copying goroutines to finish, but report ErrWaitDelay for // the error: any other error here could result from closing the pipes. _ = <-.goroutineErr if == nil { = ErrWaitDelay } } // Since we have already received the only result from c.goroutineErr, // set it to nil to prevent awaitGoroutines from blocking on it. .goroutineErr = nil } <- ctxResult{err: } } // An ExitError reports an unsuccessful exit by a command. type ExitError struct { *os.ProcessState // Stderr holds a subset of the standard error output from the // Cmd.Output method if standard error was not otherwise being // collected. // // If the error output is long, Stderr may contain only a prefix // and suffix of the output, with the middle replaced with // text about the number of omitted bytes. // // Stderr is provided for debugging, for inclusion in error messages. // Users with other needs should redirect Cmd.Stderr as needed. Stderr []byte } func ( *ExitError) () string { return .ProcessState.String() } // Wait waits for the command to exit and waits for any copying to // stdin or copying from stdout or stderr to complete. // // The command must have been started by [Cmd.Start]. // // The returned error is nil if the command runs, has no problems // copying stdin, stdout, and stderr, and exits with a zero exit // status. // // If the command fails to run or doesn't complete successfully, the // error is of type [*ExitError]. Other error types may be // returned for I/O problems. // // If any of c.Stdin, c.Stdout or c.Stderr are not an [*os.File], Wait also waits // for the respective I/O loop copying to or from the process to complete. // // Wait releases any resources associated with the [Cmd]. func ( *Cmd) () error { if .Process == nil { return errors.New("exec: not started") } if .ProcessState != nil { return errors.New("exec: Wait was already called") } , := .Process.Wait() if == nil && !.Success() { = &ExitError{ProcessState: } } .ProcessState = var *time.Timer if .ctxResult != nil { := <-.ctxResult = .timer // If c.Process.Wait returned an error, prefer that. // Otherwise, report any error from the watchCtx goroutine, // such as a Context cancellation or a WaitDelay overrun. if == nil && .err != nil { = .err } } if := .awaitGoroutines(); == nil { // Report an error from the copying goroutines only if the program otherwise // exited normally on its own. Otherwise, the copying error may be due to the // abnormal termination. = } closeDescriptors(.parentIOPipes) .parentIOPipes = nil return } // awaitGoroutines waits for the results of the goroutines copying data to or // from the command's I/O pipes. // // If c.WaitDelay elapses before the goroutines complete, awaitGoroutines // forcibly closes their pipes and returns ErrWaitDelay. // // If timer is non-nil, it must send to timer.C at the end of c.WaitDelay. func ( *Cmd) ( *time.Timer) error { defer func() { if != nil { .Stop() } .goroutineErr = nil }() if .goroutineErr == nil { return nil // No running goroutines to await. } if == nil { if .WaitDelay == 0 { return <-.goroutineErr } select { case := <-.goroutineErr: // Avoid the overhead of starting a timer. return default: } // No existing timer was started: either there is no Context associated with // the command, or c.Process.Wait completed before the Context was done. = time.NewTimer(.WaitDelay) } select { case <-.C: closeDescriptors(.parentIOPipes) // Wait for the copying goroutines to finish, but ignore any error // (since it was probably caused by closing the pipes). _ = <-.goroutineErr return ErrWaitDelay case := <-.goroutineErr: return } } // Output runs the command and returns its standard output. // Any returned error will usually be of type [*ExitError]. // If c.Stderr was nil and the returned error is of type // [*ExitError], Output populates the Stderr field of the // returned error. func ( *Cmd) () ([]byte, error) { if .Stdout != nil { return nil, errors.New("exec: Stdout already set") } var bytes.Buffer .Stdout = & := .Stderr == nil if { .Stderr = &prefixSuffixSaver{N: 32 << 10} } := .Run() if != nil && { if , := .(*ExitError); { .Stderr = .Stderr.(*prefixSuffixSaver).Bytes() } } return .Bytes(), } // CombinedOutput runs the command and returns its combined standard // output and standard error. func ( *Cmd) () ([]byte, error) { if .Stdout != nil { return nil, errors.New("exec: Stdout already set") } if .Stderr != nil { return nil, errors.New("exec: Stderr already set") } var bytes.Buffer .Stdout = & .Stderr = & := .Run() return .Bytes(), } // StdinPipe returns a pipe that will be connected to the command's // standard input when the command starts. // The pipe will be closed automatically after [Cmd.Wait] sees the command exit. // A caller need only call Close to force the pipe to close sooner. // For example, if the command being run will not exit until standard input // is closed, the caller must close the pipe. func ( *Cmd) () (io.WriteCloser, error) { if .Stdin != nil { return nil, errors.New("exec: Stdin already set") } if .Process != nil { return nil, errors.New("exec: StdinPipe after process started") } , , := os.Pipe() if != nil { return nil, } .Stdin = .childIOFiles = append(.childIOFiles, ) .parentIOPipes = append(.parentIOPipes, ) return , nil } // StdoutPipe returns a pipe that will be connected to the command's // standard output when the command starts. // // [Cmd.Wait] will close the pipe after seeing the command exit, so most callers // need not close the pipe themselves. It is thus incorrect to call Wait // before all reads from the pipe have completed. // For the same reason, it is incorrect to call [Cmd.Run] when using StdoutPipe. // See the example for idiomatic usage. func ( *Cmd) () (io.ReadCloser, error) { if .Stdout != nil { return nil, errors.New("exec: Stdout already set") } if .Process != nil { return nil, errors.New("exec: StdoutPipe after process started") } , , := os.Pipe() if != nil { return nil, } .Stdout = .childIOFiles = append(.childIOFiles, ) .parentIOPipes = append(.parentIOPipes, ) return , nil } // StderrPipe returns a pipe that will be connected to the command's // standard error when the command starts. // // [Cmd.Wait] will close the pipe after seeing the command exit, so most callers // need not close the pipe themselves. It is thus incorrect to call Wait // before all reads from the pipe have completed. // For the same reason, it is incorrect to use [Cmd.Run] when using StderrPipe. // See the StdoutPipe example for idiomatic usage. func ( *Cmd) () (io.ReadCloser, error) { if .Stderr != nil { return nil, errors.New("exec: Stderr already set") } if .Process != nil { return nil, errors.New("exec: StderrPipe after process started") } , , := os.Pipe() if != nil { return nil, } .Stderr = .childIOFiles = append(.childIOFiles, ) .parentIOPipes = append(.parentIOPipes, ) return , nil } // prefixSuffixSaver is an io.Writer which retains the first N bytes // and the last N bytes written to it. The Bytes() methods reconstructs // it with a pretty error message. type prefixSuffixSaver struct { N int // max size of prefix or suffix prefix []byte suffix []byte // ring buffer once len(suffix) == N suffixOff int // offset to write into suffix skipped int64 // TODO(bradfitz): we could keep one large []byte and use part of it for // the prefix, reserve space for the '... Omitting N bytes ...' message, // then the ring buffer suffix, and just rearrange the ring buffer // suffix when Bytes() is called, but it doesn't seem worth it for // now just for error messages. It's only ~64KB anyway. } func ( *prefixSuffixSaver) ( []byte) ( int, error) { := len() = .fill(&.prefix, ) // Only keep the last w.N bytes of suffix data. if := len() - .N; > 0 { = [:] .skipped += int64() } = .fill(&.suffix, ) // w.suffix is full now if p is non-empty. Overwrite it in a circle. for len() > 0 { // 0, 1, or 2 iterations. := copy(.suffix[.suffixOff:], ) = [:] .skipped += int64() .suffixOff += if .suffixOff == .N { .suffixOff = 0 } } return , nil } // fill appends up to len(p) bytes of p to *dst, such that *dst does not // grow larger than w.N. It returns the un-appended suffix of p. func ( *prefixSuffixSaver) ( *[]byte, []byte) ( []byte) { if := .N - len(*); > 0 { := min(len(), ) * = append(*, [:]...) = [:] } return } func ( *prefixSuffixSaver) () []byte { if .suffix == nil { return .prefix } if .skipped == 0 { return append(.prefix, .suffix...) } var bytes.Buffer .Grow(len(.prefix) + len(.suffix) + 50) .Write(.prefix) .WriteString("\n... omitting ") .WriteString(strconv.FormatInt(.skipped, 10)) .WriteString(" bytes ...\n") .Write(.suffix[.suffixOff:]) .Write(.suffix[:.suffixOff]) return .Bytes() } // environ returns a best-effort copy of the environment in which the command // would be run as it is currently configured. If an error occurs in computing // the environment, it is returned alongside the best-effort copy. func ( *Cmd) () ([]string, error) { var error := .Env if == nil { , = execenv.Default(.SysProcAttr) if != nil { = os.Environ() // Note that the non-nil err is preserved despite env being overridden. } if .Dir != "" { switch runtime.GOOS { case "windows", "plan9": // Windows and Plan 9 do not use the PWD variable, so we don't need to // keep it accurate. default: // On POSIX platforms, PWD represents “an absolute pathname of the // current working directory.” Since we are changing the working // directory for the command, we should also update PWD to reflect that. // // Unfortunately, we didn't always do that, so (as proposed in // https://go.dev/issue/50599) to avoid unintended collateral damage we // only implicitly update PWD when Env is nil. That way, we're much // less likely to override an intentional change to the variable. if , := filepath.Abs(.Dir); == nil { = append(, "PWD="+) } else if == nil { = } } } } , := dedupEnv() if == nil { = } return addCriticalEnv(), } // Environ returns a copy of the environment in which the command would be run // as it is currently configured. func ( *Cmd) () []string { // Intentionally ignore errors: environ returns a best-effort environment no matter what. , := .environ() return } // dedupEnv returns a copy of env with any duplicates removed, in favor of // later values. // Items not of the normal environment "key=value" form are preserved unchanged. // Except on Plan 9, items containing NUL characters are removed, and // an error is returned along with the remaining values. func dedupEnv( []string) ([]string, error) { return dedupEnvCase(runtime.GOOS == "windows", runtime.GOOS == "plan9", ) } // dedupEnvCase is dedupEnv with a case option for testing. // If caseInsensitive is true, the case of keys is ignored. // If nulOK is false, items containing NUL characters are allowed. func dedupEnvCase(, bool, []string) ([]string, error) { // Construct the output in reverse order, to preserve the // last occurrence of each key. var error := make([]string, 0, len()) := make(map[string]bool, len()) for := len(); > 0; -- { := [-1] // Reject NUL in environment variables to prevent security issues (#56284); // except on Plan 9, which uses NUL as os.PathListSeparator (#56544). if ! && strings.IndexByte(, 0) != -1 { = errors.New("exec: environment variable contains NUL") continue } := strings.Index(, "=") if == 0 { // We observe in practice keys with a single leading "=" on Windows. // TODO(#49886): Should we consume only the first leading "=" as part // of the key, or parse through arbitrarily many of them until a non-"="? = strings.Index([1:], "=") + 1 } if < 0 { if != "" { // The entry is not of the form "key=value" (as it is required to be). // Leave it as-is for now. // TODO(#52436): should we strip or reject these bogus entries? = append(, ) } continue } := [:] if { = strings.ToLower() } if [] { continue } [] = true = append(, ) } // Now reverse the slice to restore the original order. for := 0; < len()/2; ++ { := len() - - 1 [], [] = [], [] } return , } // addCriticalEnv adds any critical environment variables that are required // (or at least almost always required) on the operating system. // Currently this is only used for Windows. func addCriticalEnv( []string) []string { if runtime.GOOS != "windows" { return } for , := range { , , := strings.Cut(, "=") if ! { continue } if strings.EqualFold(, "SYSTEMROOT") { // We already have it. return } } return append(, "SYSTEMROOT="+os.Getenv("SYSTEMROOT")) } // ErrDot indicates that a path lookup resolved to an executable // in the current directory due to ‘.’ being in the path, either // implicitly or explicitly. See the package documentation for details. // // Note that functions in this package do not return ErrDot directly. // Code should use errors.Is(err, ErrDot), not err == ErrDot, // to test whether a returned error err is due to this condition. var ErrDot = errors.New("cannot run executable found relative to current directory")