From 1f36b3d350615836d27cfd56905a1186c7df4bb3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 12 Jan 2023 02:21:51 +0000
Subject: [PATCH 1/3] build(deps): bump minimatch from 3.0.4 to 3.0.5 in /cli

Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/isaacs/minimatch/releases)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 cli/package-lock.json | 14 +++++++-------
 cli/package.json      |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cli/package-lock.json b/cli/package-lock.json
index 3a73bbf..890342d 100644
--- a/cli/package-lock.json
+++ b/cli/package-lock.json
@@ -11,7 +11,7 @@
             "dependencies": {
                 "axios": "^0.21.2",
                 "chalk": "^4.1.0",
-                "minimatch": "^3.0.4",
+                "minimatch": "^3.0.5",
                 "nocamel": "^1.0.2",
                 "semver": "^7.3.5",
                 "ws": "^7.5.3",
@@ -170,9 +170,9 @@
             }
         },
         "node_modules/minimatch": {
-            "version": "3.0.4",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-            "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.5.tgz",
+            "integrity": "sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw==",
             "dependencies": {
                 "brace-expansion": "^1.1.7"
             },
@@ -426,9 +426,9 @@
             }
         },
         "minimatch": {
-            "version": "3.0.4",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-            "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.5.tgz",
+            "integrity": "sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw==",
             "requires": {
                 "brace-expansion": "^1.1.7"
             }
diff --git a/cli/package.json b/cli/package.json
index ef1103e..1461740 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -7,7 +7,7 @@
     "dependencies": {
         "axios": "^0.21.2",
         "chalk": "^4.1.0",
-        "minimatch": "^3.0.4",
+        "minimatch": "^3.0.5",
         "nocamel": "^1.0.2",
         "semver": "^7.3.5",
         "ws": "^7.5.3",

From 6ef0cdf7b4c96e71d49ae267dc905c177ede1d51 Mon Sep 17 00:00:00 2001
From: Omar Brikaa <brikaaomar@gmail.com>
Date: Sat, 8 Feb 2025 15:10:50 +0200
Subject: [PATCH 2/3] Provide HOME in sandbox (#702)

---
 api/src/job.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/api/src/job.js b/api/src/job.js
index d46120b..31f688d 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -156,6 +156,8 @@ class Job {
                 '-s',
                 '-c',
                 '/box/submission',
+                '-E',
+                'HOME=/tmp',
                 '-e',
                 `--dir=${this.runtime.pkgdir}`,
                 `--dir=/etc:noexec`,

From 1d55a41a2d563318388596b46d7da772027339ba Mon Sep 17 00:00:00 2001
From: Omar Brikaa <brikaaomar@gmail.com>
Date: Sat, 8 Feb 2025 20:46:46 +0200
Subject: [PATCH 3/3] Explicitly provide env vars instead of inheriting them
 from parent (#703)

---
 api/src/job.js     |  8 +++-----
 api/src/runtime.js | 10 +---------
 2 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/api/src/job.js b/api/src/job.js
index 31f688d..8c3fa79 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -158,7 +158,9 @@ class Job {
                 '/box/submission',
                 '-E',
                 'HOME=/tmp',
-                '-e',
+                ...this.runtime.env_vars.flat_map(v => ['-E', v]),
+                '-E',
+                `PISTON_LANGUAGE=${this.runtime.language}`,
                 `--dir=${this.runtime.pkgdir}`,
                 `--dir=/etc:noexec`,
                 `--processes=${this.runtime.max_process_count}`,
@@ -177,10 +179,6 @@ class Job {
                 ...args,
             ],
             {
-                env: {
-                    ...this.runtime.env_vars,
-                    PISTON_LANGUAGE: this.runtime.language,
-                },
                 stdio: 'pipe',
             }
         );
diff --git a/api/src/runtime.js b/api/src/runtime.js
index 9a2adf4..90a2225 100644
--- a/api/src/runtime.js
+++ b/api/src/runtime.js
@@ -178,15 +178,7 @@ class Runtime {
             const env_file = path.join(this.pkgdir, '.env');
             const env_content = fss.read_file_sync(env_file).toString();
 
-            this._env_vars = {};
-
-            env_content
-                .trim()
-                .split('\n')
-                .map(line => line.split('=', 2))
-                .forEach(([key, val]) => {
-                    this._env_vars[key.trim()] = val.trim();
-                });
+            this._env_vars = env_content.trim().split('\n');
         }
 
         return this._env_vars;