Improve the forbidden env vars check (#542)

- Now reports all forbidden env vars found in one go,
  rather than only the first found.
- Now checks for known problematic Poetry env vars too.
- Uses a const slice instead of a fixed size array to avoid having to
  manually update the array every time entries are added/removed.
- Uses a static str slice in the error to avoid an unnecessary
  string allocation.
- Adds additional unit test coverage.

GUS-W-21914465.

Author: edmorley

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- The forbidden env vars check now reports all forbidden env vars found rather than only the first. ([#542](https://github.com/heroku/buildpacks-python/pull/542))
+- The forbidden env vars check now checks for known problematic Poetry env vars too. ([#542](https://github.com/heroku/buildpacks-python/pull/542))
+
 ## [6.2.0] - 2026-04-02
 
 ### Changed

src/checks.rs

@@ -7,14 +7,20 @@ use libcnb::Env;
 // https://docs.python.org/3/using/cmdline.html#environment-variables
 // https://pip.pypa.io/en/stable/cli/pip/#general-options
 // https://pip.pypa.io/en/stable/cli/pip_install/#options
-// https://docs.astral.sh/uv/configuration/environment/
-const FORBIDDEN_ENV_VARS: [&str; 22] = [
+// https://python-poetry.org/docs/configuration/
+// https://docs.astral.sh/uv/reference/environment/
+const FORBIDDEN_ENV_VARS: &[&str] = &[
     "PIP_CACHE_DIR",
     "PIP_PREFIX",
     "PIP_PYTHON",
     "PIP_ROOT",
     "PIP_TARGET",
     "PIP_USER",
+    "POETRY_CACHE_DIR",
+    "POETRY_DATA_DIR",
+    "POETRY_HOME",
+    "POETRY_VIRTUALENVS_CREATE",
+    "POETRY_VIRTUALENVS_USE_POETRY_PYTHON",
     "PYTHONHOME",
     "PYTHONINSPECT",
     "PYTHONNOUSERSITE",
@@ -34,11 +40,14 @@ const FORBIDDEN_ENV_VARS: [&str; 22] = [
 ];
 
 pub(crate) fn check_environment(env: &Env) -> Result<(), ChecksError> {
-    if let Some(&name) = FORBIDDEN_ENV_VARS
+    let forbidden_vars_found: Vec<&'static str> = FORBIDDEN_ENV_VARS
         .iter()
-        .find(|&name| env.contains_key(name))
-    {
-        return Err(ChecksError::ForbiddenEnvVar(name.to_string()));
+        .copied()
+        .filter(|&name| env.contains_key(name))
+        .collect();
+
+    if !forbidden_vars_found.is_empty() {
+        return Err(ChecksError::ForbiddenEnvVars(forbidden_vars_found));
     }
 
     Ok(())
@@ -47,7 +56,7 @@ pub(crate) fn check_environment(env: &Env) -> Result<(), ChecksError> {
 /// Errors due to one of the environment checks failing.
 #[derive(Debug, PartialEq)]
 pub(crate) enum ChecksError {
-    ForbiddenEnvVar(String),
+    ForbiddenEnvVars(Vec<&'static str>),
 }
 
 #[cfg(test)]
@@ -56,9 +65,12 @@ mod tests {
 
     #[test]
     fn check_environment_valid() {
+        assert_eq!(check_environment(&Env::new()), Ok(()));
         let mut env = Env::new();
-        env.insert("PYTHONPATH", "/example");
         env.insert("PIP_EXTRA_INDEX_URL", "https://example.tld/simple");
+        env.insert("POETRY_FOO", "example");
+        env.insert("PYTHONPATH", "/example");
+        env.insert("UV_FOO", "example");
         assert_eq!(check_environment(&env), Ok(()));
     }
 
@@ -68,7 +80,21 @@ mod tests {
         env.insert("PYTHONHOME", "/example");
         assert_eq!(
             check_environment(&env),
-            Err(ChecksError::ForbiddenEnvVar("PYTHONHOME".to_string()))
+            Err(ChecksError::ForbiddenEnvVars(vec!["PYTHONHOME"]))
+        );
+        env.insert("PIP_PYTHON", "/example");
+        env.insert("POETRY_HOME", "/example");
+        env.insert("VIRTUAL_ENV", "/example");
+        env.insert("UV_PYTHON", "/example");
+        assert_eq!(
+            check_environment(&env),
+            Err(ChecksError::ForbiddenEnvVars(vec![
+                "PIP_PYTHON",
+                "POETRY_HOME",
+                "PYTHONHOME",
+                "UV_PYTHON",
+                "VIRTUAL_ENV",
+            ]))
         );
     }
 }

src/errors.rs

@@ -62,16 +62,21 @@ fn on_buildpack_error(error: BuildpackError) {
 
 fn on_buildpack_checks_error(error: ChecksError) {
     match error {
-        ChecksError::ForbiddenEnvVar(name) => log_error(
-            "Unsafe environment variable found",
-            formatdoc! {"
-                The environment variable `{name}` is set, however, it can
-                cause problems with the build so we don't allow using it.
+        ChecksError::ForbiddenEnvVars(env_vars) => {
+            let env_vars_list = env_vars.join("\n");
+            log_error(
+                "Unsafe environment variable(s) found",
+                formatdoc! {"
+                    The following environment variable(s) can cause problems
+                    with the build so we don't allow using them:
 
-                You must unset that environment variable. If you didn't set it
-                yourself, check that it wasn't set by an earlier buildpack.
-            "},
-        ),
+                    {env_vars_list}
+
+                    You must unset the above env var(s). If you didn't set them
+                    yourself, check if they were set by an earlier buildpack.
+                "},
+            );
+        }
     }
 }
 

tests/checks_test.rs

@@ -4,21 +4,25 @@ use libcnb_test::{PackResult, TestRunner, assert_contains};
 
 #[test]
 #[ignore = "integration test"]
-fn checks_reject_pythonhome_env_var() {
+fn checks_reject_forbidden_env_vars() {
     let mut config = default_build_config("tests/fixtures/pyproject_toml_only");
     config.env("PYTHONHOME", "/invalid");
+    config.env("VIRTUAL_ENV", "/invalid");
     config.expected_pack_result(PackResult::Failure);
 
     TestRunner::default().build(config, |context| {
         assert_contains!(
             context.pack_stdout,
             indoc! {"
-                [Error: Unsafe environment variable found]
-                The environment variable `PYTHONHOME` is set, however, it can
-                cause problems with the build so we don't allow using it.
+                [Error: Unsafe environment variable(s) found]
+                The following environment variable(s) can cause problems
+                with the build so we don't allow using them:
 
-                You must unset that environment variable. If you didn't set it
-                yourself, check that it wasn't set by an earlier buildpack.
+                PYTHONHOME
+                VIRTUAL_ENV
+
+                You must unset the above env var(s). If you didn't set them
+                yourself, check if they were set by an earlier buildpack.
 
                 ERROR: failed to build: exit status 1
             "}