Ports: Sanitize environment before handling Ports

This keeps users from leaking their host environment variables (CFLAGS, etc.) into Ports, and it keeps us from leaking Port-specific settings into their dependencies.
Author: https://github.com/timschumi Commit: https://github.com/SerenityOS/serenity/commit/7550017f97 Pull-request: https://github.com/SerenityOS/serenity/pull/14066 Reviewed-by: https://github.com/EWouters ✅
2025-04-21 12:05:15 +00:00 · 2022-05-19 23:28:43 +02:00 · 2022-05-19 23:28:43 +02:00 · 7550017f97 · 2024-07-17 10:45:27 +09:00
commit 7550017f97
parent bdac8c53ea
3 changed files with 15 additions and 0 deletions
--- a/Meta/lint-ports.py
+++ b/Meta/lint-ports.py
@ -21,6 +21,7 @@ PORT_TABLE_FILE = 'AvailablePorts.md'
 IGNORE_FILES = {
    '.gitignore',
    '.port_include.sh',
+    '.strip_env.sh',
    PORT_TABLE_FILE,
    'build_all.sh',
    'build_installed.sh',
--- a/Ports/.port_include.sh
+++ b/Ports/.port_include.sh
@ -2,6 +2,12 @@
 set -eu

 SCRIPT="$(dirname "${0}")"
+
+if [ -z "${SERENITY_STRIPPED_ENV:-}" ]; then
+    exec "${SCRIPT}/.strip_env.sh" "${@}"
+fi
+unset SERENITY_STRIPPED_ENV
+
 export MAKEJOBS="${MAKEJOBS:-$(nproc)}"

 maybe_source() {
--- a/Ports/.strip_env.sh
+++ b/Ports/.strip_env.sh
@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+exec env -i SERENITY_STRIPPED_ENV=1 \
+    MAKEJOBS="${MAKEJOBS:-}" \
+    IN_SERENITY_PORT_DEV="${IN_SERENITY_PORT_DEV:-}" \
+    SERENITY_ARCH="${SERENITY_ARCH:-}" \
+    SERENITY_TOOLCHAIN="${SERENITY_TOOLCHAIN:-}" \
+    "${@}"