From a7460c112660e12b220ec5043572a835f2644e1e Mon Sep 17 00:00:00 2001
From: Simon Staszkiewicz <simonstaszkiewicz@gmail.com>
Date: Wed, 30 Jul 2025 11:40:17 -0700
Subject: [PATCH 1/2] Update exec_auth.ts

---
 src/exec_auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/exec_auth.ts b/src/exec_auth.ts
index fbd97a26f8..c9d3d23d85 100644
--- a/src/exec_auth.ts
+++ b/src/exec_auth.ts
@@ -95,7 +95,7 @@ export class ExecAuth implements Authenticator {
         }
         let opts = {};
         if (exec.env) {
-            const env = process.env;
+            const env = { ...process.env };
             exec.env.forEach((elt) => (env[elt.name] = elt.value));
             opts = { ...opts, env };
         }

From bd14efc49490a7196aed163043967aac5a29f4eb Mon Sep 17 00:00:00 2001
From: Simon Staszkiewicz <simon@staszkiewicz.ca>
Date: Wed, 30 Jul 2025 11:56:35 -0700
Subject: [PATCH 2/2] add regression test for exec_auth change

---
 src/exec_auth_test.ts | 59 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/src/exec_auth_test.ts b/src/exec_auth_test.ts
index e323b5880e..7577d87cd8 100644
--- a/src/exec_auth_test.ts
+++ b/src/exec_auth_test.ts
@@ -538,4 +538,63 @@ describe('ExecAuth', () => {
         const promise = auth.applyAuthentication(user, opts);
         await rejects(promise, { name: 'SyntaxError' });
     });
+
+    it('should not overwrite environment variables in process.env', async () => {
+        // TODO: fix this test for Windows
+        if (process.platform === 'win32') {
+            return;
+        }
+        const auth = new ExecAuth();
+        let optsOut: child_process.SpawnOptions | undefined = {};
+        (auth as any).execFn = (
+            command: string,
+            args?: readonly string[],
+            options?: child_process.SpawnOptionsWithoutStdio,
+        ): child_process.ChildProcessWithoutNullStreams => {
+            optsOut = options;
+            return {
+                stdout: {
+                    setEncoding: () => {},
+                    on: (_data: string, f: (data: Buffer | string) => void) => {
+                        f(Buffer.from(JSON.stringify({ status: { token: 'foo' } })));
+                    },
+                },
+                stderr: {
+                    setEncoding: () => {},
+                    on: () => {},
+                },
+                on: (op: string, f: any) => {
+                    if (op === 'close') {
+                        f(0);
+                    }
+                },
+            } as unknown as child_process.ChildProcessWithoutNullStreams;
+        };
+
+        process.env.DO_NO_OVERWRITE_ME = 'important';
+        const opts = {} as https.RequestOptions;
+        opts.headers = {} as OutgoingHttpHeaders;
+
+        await auth.applyAuthentication(
+            {
+                name: 'user',
+                authProvider: {
+                    config: {
+                        exec: {
+                            command: 'echo',
+                            env: [
+                                {
+                                    name: 'DO_NO_OVERWRITE_ME',
+                                    value: 'in exec',
+                                },
+                            ],
+                        },
+                    },
+                },
+            },
+            opts,
+        );
+        strictEqual(optsOut.env!.DO_NO_OVERWRITE_ME, 'in exec');
+        strictEqual(process.env.DO_NO_OVERWRITE_ME, 'important');
+    });
 });