Skip to main content

sanitize_env

Function sanitize_env 

Source
pub fn sanitize_env(env: &HashMap<String, String>) -> HashMap<String, String>
Expand description

Return a copy of env with security-sensitive variables removed.

Strips dynamic-loader paths (LD_PRELOAD, LD_LIBRARY_PATH, DYLD_*), interpreter paths (PYTHONPATH, PERLLIB, NODE_PATH), and a few interpreter option vectors (NODE_OPTIONS, PERL5OPT) that would let a malicious MCP config inject code into the child.

Used at spawn so no caller can smuggle these in via the server’s env map.