@@ -433,6 +433,7 @@ class NativeAssetsBuildRunner {
433433 null ,
434434 hookKernelFile,
435435 packageLayout! ,
436+ _filteredEnvironment (_environmentVariablesFilter),
436437 ),
437438 );
438439 if (buildOutput == null ) return null ;
@@ -450,7 +451,7 @@ class NativeAssetsBuildRunner {
450451 Uri ? resources,
451452 PackageLayout packageLayout,
452453 ) async {
453- final environment = Platform .environment ;
454+ final environment = _filteredEnvironment (_environmentVariablesFilter) ;
454455 final outDir = config.outputDirectory;
455456 return await runUnderDirectoriesLock (
456457 [
@@ -526,6 +527,7 @@ ${e.message}
526527 resources,
527528 hookKernelFile,
528529 packageLayout,
530+ environment,
529531 );
530532 if (result == null ) {
531533 if (await dependenciesHashFile.exists ()) {
@@ -550,6 +552,22 @@ ${e.message}
550552 );
551553 }
552554
555+ /// Limit the environment that hook invocations get to see.
556+ ///
557+ /// This allowlist lists environment variables needed to run mainstream
558+ /// compilers.
559+ static const _environmentVariablesFilter = {
560+ 'ANDROID_HOME' , // Needed for the NDK.
561+ 'HOME' , // Needed to find tools in default install locations.
562+ 'PATH' , // Needed to invoke native tools.
563+ 'PROGRAMDATA' , // Needed for vswhere.exe.
564+ 'SYSTEMROOT' , // Needed for process invocations on Windows.
565+ 'TEMP' , // Needed for temp dirs in Dart process.
566+ 'TMP' , // Needed for temp dirs in Dart process.
567+ 'TMPDIR' , // Needed for temp dirs in Dart process.
568+ 'USER_PROFILE' , // Needed to find tools in default install locations.
569+ };
570+
553571 Future <HookOutput ?> _runHookForPackage (
554572 Hook hook,
555573 HookConfig config,
@@ -559,6 +577,7 @@ ${e.message}
559577 Uri ? resources,
560578 File hookKernelFile,
561579 PackageLayout packageLayout,
580+ Map <String , String > environment,
562581 ) async {
563582 final configFile = config.outputDirectory.resolve ('../config.json' );
564583 final configFileContents =
@@ -583,6 +602,8 @@ ${e.message}
583602 executable: dartExecutable,
584603 arguments: arguments,
585604 logger: logger,
605+ includeParentEnvironment: false ,
606+ environment: environment,
586607 );
587608
588609 var deleteOutputIfExists = false ;
@@ -639,6 +660,12 @@ ${e.message}
639660 }
640661 }
641662
663+ Map <String , String > _filteredEnvironment (Set <String > allowList) => {
664+ for (final entry in Platform .environment.entries)
665+ if (allowList.contains (entry.key.toUpperCase ()))
666+ entry.key: entry.value,
667+ };
668+
642669 /// Compiles the hook to kernel and caches the kernel.
643670 ///
644671 /// If any of the Dart source files, or the package config changed after
@@ -666,7 +693,8 @@ ${e.message}
666693 Uri packageConfigUri,
667694 Uri workingDirectory,
668695 ) async {
669- final environment = Platform .environment;
696+ // Don't invalidate cache with environment changes.
697+ final environmentForCaching = < String , String > {};
670698 final kernelFile = File .fromUri (
671699 outputDirectory.resolve ('../hook.dill' ),
672700 );
@@ -682,8 +710,8 @@ ${e.message}
682710 if (! await dependenciesHashFile.exists ()) {
683711 mustCompile = true ;
684712 } else {
685- final outdatedDependency =
686- await dependenciesHashes .findOutdatedDependency (environment );
713+ final outdatedDependency = await dependenciesHashes
714+ .findOutdatedDependency (environmentForCaching );
687715 if (outdatedDependency != null ) {
688716 mustCompile = true ;
689717 logger.info (
@@ -717,7 +745,7 @@ ${e.message}
717745 dartExecutable.resolve ('../version' ),
718746 ],
719747 lastModifiedCutoffTime,
720- environment ,
748+ environmentForCaching ,
721749 );
722750 if (modifiedDuringBuild != null ) {
723751 logger.severe ('File modified during build. Build must be rerun.' );
@@ -759,6 +787,7 @@ ${e.message}
759787 executable: dartExecutable,
760788 arguments: compileArguments,
761789 logger: logger,
790+ includeParentEnvironment: true ,
762791 );
763792 var success = true ;
764793 if (compileResult.exitCode != 0 ) {
0 commit comments