[native_assets_builder] Don't pass in the whole environment

dcharkes · dcharkes · commit 189e7da9e74e · 2024-11-29T09:39:41.000+01:00
diff --git a/pkgs/native_assets_builder/lib/src/build_runner/build_runner.dart b/pkgs/native_assets_builder/lib/src/build_runner/build_runner.dart
@@ -434,6 +434,7 @@ class NativeAssetsBuildRunner {
           null,
           hookKernelFile,
           packageLayout!,
+          _filteredEnvironment(_environmentVariablesFilter),
         ),
       );
       if (buildOutput == null) return null;
@@ -489,6 +490,7 @@ class NativeAssetsBuildRunner {
         final environmentFile = File.fromUri(
           config.outputDirectory.resolve('../environment.json'),
         );
+        final environment = _filteredEnvironment(_environmentVariablesFilter);
         if (buildOutputFile.existsSync() &&
             dependenciesHashFile.existsSync() &&
             environmentFile.existsSync()) {
@@ -512,7 +514,7 @@ ${e.message}
               !const MapEquality<String, String>().equals(
                   (json.decode(await environmentFile.readAsString()) as Map)
                       .cast<String, String>(),
-                  Platform.environment);
+                  environment);
           if (!dependenciesOutdated && !environmentChanged) {
             logger.info(
               [
@@ -535,14 +537,15 @@ ${e.message}
           resources,
           hookKernelFile,
           packageLayout,
+          environment,
         );
         if (result == null) {
           if (await dependenciesHashFile.exists()) {
             await dependenciesHashFile.delete();
           }
         } else {
           await environmentFile.writeAsString(
-            json.encode(Platform.environment),
+            json.encode(environment),
           );
           final modifiedDuringBuild = await dependenciesHashes.hashFiles(
             [
@@ -561,6 +564,22 @@ ${e.message}
     );
   }
 
+  /// Limit the environment that hook invocations get to see.
+  ///
+  /// This allowlist lists environment variables needed to run mainstream
+  /// compilers.
+  static const _environmentVariablesFilter = {
+    'ANDROID_HOME',
+    'HOME',
+    'PATH',
+    'PROGRAMDATA',
+    'SYSTEMROOT',
+    'TEMP',
+    'TMP',
+    'TMPDIR',
+    'USER_PROFILE',
+  };
+
   Future<HookOutput?> _runHookForPackage(
     Hook hook,
     HookConfig config,
@@ -570,6 +589,7 @@ ${e.message}
     Uri? resources,
     File hookKernelFile,
     PackageLayout packageLayout,
+    Map<String, String> environment,
   ) async {
     final configFile = config.outputDirectory.resolve('../config.json');
     final configFileContents =
@@ -594,6 +614,8 @@ ${e.message}
       executable: dartExecutable,
       arguments: arguments,
       logger: logger,
+      includeParentEnvironment: false,
+      environment: environment,
     );
 
     var deleteOutputIfExists = false;
@@ -650,6 +672,12 @@ ${e.message}
     }
   }
 
+  Map<String, String> _filteredEnvironment(Set<String> allowList) => {
+        for (final entry in Platform.environment.entries)
+          if (allowList.contains(entry.key.toUpperCase()))
+            entry.key: entry.value,
+      };
+
   /// Compiles the hook to kernel and caches the kernel.
   ///
   /// If any of the Dart source files, or the package config changed after
@@ -752,6 +780,8 @@ ${e.message}
       executable: dartExecutable,
       arguments: compileArguments,
       logger: logger,
+      includeParentEnvironment: false,
+      environment: _filteredEnvironment({'HOME', 'PUB_CACHE', 'SYSTEMROOT'}),
     );
     var success = true;
     if (compileResult.exitCode != 0) {
