Hyperledger Sawtooth uses a transaction processor to execute a transaction and validate the state change.
Since a transaction processor can run arbitrary code, how does it get validated?
For example, what if it generates a random number for computation or fetches data from the internet, which can change?
In short, I can quote the answer to this question as:
Any Transaction Processor written should be deterministic in nature. Deterministic behavior is that for a given input state, the logic in the smart-contract should always evaluate to a specific output state. The result should be the same for a given input state irrespective of when it's executed, where it's executed.
I believe this rule also applies to all of the other Blockchain frameworks out there. This behavior serves as a way to validate transactions at a later point in time.
The long descriptive answer is that when a transaction is sent to the validator, it's broadcast to other nodes in the network and put in a pending queue. Based on the command from the consensus engine, the validator responsible for building the block will take pending transactions, validate them and put them in a block. For validation, the transactions are sent to the respective transaction processor. A transaction processor reads the data from the global state (data stored until the current chain head), applies what it needs to do and computes the output state (data stored on the ledger, if the current block is accepted).
Once the block is ready, it's broadcast to other nodes in the network. When a validator receives the block, it validates all the transactions put in the block. Note that the proposed output state shall match that of the evaluation, otherwise the arrived block is discarded. If the output state transition is dependent on arbitrary input, there's no deterministic behavior as to whether the block is accepted by other validators.
Note: The cosmetic/syntactic verification of the transactions/batches also happens, and I did not mention those things in my answer. Please refer to the official documentation for elaborate answers on them.
As long as you write the Transaction Processor in compliance with this rule, it is OK to read the data from any external source or generate random values. But if your Transaction Processor is relying on the arbitrary data to make a decision about the validity of the transaction, then the result of a transaction is also arbitrary.
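
The re-execution check described in the answer above, as an added example that is not part of the original post and does not use the Sawtooth SDK: a publisher records a digest of the output state, and a receiving validator re-runs the same transactions and compares. All function names, the SHA-256-over-JSON digest standing in for the state root, and the sample transactions are assumptions constructed for illustration.

```python
import hashlib
import json
import random

def state_root(state):
    """Digest of the whole state; a simplified stand-in for a Merkle state root."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def deterministic_apply(state, txn):
    # Output depends only on the input state and the transaction payload.
    new = dict(state)
    new[txn["key"]] = new.get(txn["key"], 0) + txn["amount"]
    return new

def make_nondeterministic_apply(rng):
    # Each validator has its own entropy source, modelled here by its own rng.
    def apply(state, txn):
        new = dict(state)
        new[txn["key"]] = new.get(txn["key"], 0) + txn["amount"] + rng.randrange(1, 1000)
        return new
    return apply

def build_block(apply, state, txns):
    """Publisher: execute pending transactions and record the proposed output state."""
    for txn in txns:
        state = apply(state, txn)
    return {"txns": txns, "state_root": state_root(state)}

def validate_block(apply, state, block):
    """Receiver: re-execute from the same input state; accept only on a match."""
    for txn in block["txns"]:
        state = apply(state, txn)
    return state_root(state) == block["state_root"]

def run_demo():
    genesis = {"alice": 10}  # constructed sample state
    txns = [{"key": "alice", "amount": 5}, {"key": "bob", "amount": 7}]  # constructed
    block = build_block(deterministic_apply, genesis, txns)
    accepted = validate_block(deterministic_apply, genesis, block)
    # Publisher and receiver draw from different random streams.
    publisher = make_nondeterministic_apply(random.Random(1))
    receiver = make_nondeterministic_apply(random.Random(2))
    block = build_block(publisher, genesis, txns)
    accepted_random = validate_block(receiver, genesis, block)
    return accepted, accepted_random

if __name__ == "__main__":
    print(run_demo())
```
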