paritytech · mrcnski · Aug 21, 2023 · Jun 4, 2023 · Jun 4, 2023 · Aug 6, 2023
diff --git a/node/core/pvf/common/src/worker/mod.rs b/node/core/pvf/common/src/worker/mod.rs
@@ -128,6 +128,16 @@ pub fn worker_event_loop<F, Fut>(
 		}
 	}
 
+	// Delete all env vars to prevent malicious code from accessing them.
+	for (key, _) in std::env::vars() {
-	for (key, _) in std::env::vars() {
+	for (key, _) in std::env::vars_os() {
-	for (key, _) in std::env::vars() {
+	for (key, _) in std::env::vars_os() {
+		// TODO: *theoretically* the value (or mere presence) of `RUST_LOG` can be a source of
+		// randomness for malicious code. In the future we can remove it also and log in the host;
+		// see <https://github.com/paritytech/polkadot/issues/7117>.
+		if key != "RUST_LOG" {
+			std::env::remove_var(key);
+		}
+	}
+
 	// Run the main worker loop.
 	let rt = Runtime::new().expect("Creates tokio runtime. If this panics the worker will die and the host will detect that and deal with it.");
 	let err = rt

diff --git a/roadmap/implementers-guide/src/node/utility/pvf-host-and-workers.md b/roadmap/implementers-guide/src/node/utility/pvf-host-and-workers.md
@@ -125,3 +125,10 @@ A basic security mechanism is to make sure that any thread directly interfacing
 with untrusted code does not have access to the file-system. This provides some
 protection against attackers accessing sensitive data or modifying data on the
 host machine.
+
+### Clearing env vars
+
+We clear environment variables before handling untrusted code, because why give
+attackers potentially sensitive data unnecessarily? And even if everything else
+is locked down, env vars can potentially provide a source of randomness (see
+point 1, "Consensus faults" above).