pub fn scope_contains(scope: &str, candidate: &str) -> bool
Whether `candidate` is the `scope` namespace itself or a descendant of it,
compared whole-segment by whole-segment.
Hardening rules (deny-by-default):
- Any `.` or `..` segment in either string is rejected outright. We never normalize traversal segments — a path that needs normalizing is denied.
- Empty segments (`a//b`, leading/trailing `/`, or the empty string) are rejected outright, so `/`-boundary tricks cannot smuggle segments past the comparison.
- Comparison is per-segment, so scope `a/b` does NOT match `a/bc` (the classic non-boundary prefix bug) and never grants upward access (scope `a/b` does not match `a`).
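
The three rules above as a minimal sketch, set beside the naive string-prefix check they guard against. This is an added example, not the crate's implementation: `strict_segments`, `scope_contains_sketch` and `naive_prefix_contains` are hypothetical names, and the sample pairs are constructed.

```rust
/// Split a namespace into segments, denying anything that would need normalizing.
/// Returns None for the empty string, empty segments, and `.` / `..` segments.
fn strict_segments(path: &str) -> Option<Vec<&str>> {
    let segments: Vec<&str> = path.split('/').collect();
    if segments.iter().any(|s| s.is_empty() || *s == "." || *s == "..") {
        return None;
    }
    Some(segments)
}

/// Sketch of the documented rules (hypothetical, not the crate's code).
pub fn scope_contains_sketch(scope: &str, candidate: &str) -> bool {
    match (strict_segments(scope), strict_segments(candidate)) {
        // Slice `starts_with` compares whole segments, so "bc" never matches "b",
        // and a shorter candidate (the parent "a") cannot start with the scope.
        (Some(scope), Some(candidate)) => candidate.starts_with(&scope),
        _ => false, // deny by default: either side failed validation
    }
}

/// The non-boundary string-prefix check, shown only for contrast.
fn naive_prefix_contains(scope: &str, candidate: &str) -> bool {
    candidate.starts_with(scope)
}

fn main() {
    // Constructed (scope, candidate) pairs, one per documented rule.
    let cases = [
        ("a/b", "a/b"),      // the scope itself
        ("a/b", "a/b/c"),    // a descendant
        ("a/b", "a/bc"),     // non-boundary prefix
        ("a/b", "a"),        // upward access
        ("a/b", "a/b/../c"), // traversal segment
        ("a/b", "a/b//c"),   // empty segment
        ("a/b", "a/b/"),     // trailing slash
        ("", "a"),           // empty scope
    ];
    for &(scope, candidate) in cases.iter() {
        println!(
            "scope={:?} candidate={:?} naive={} strict={}",
            scope, candidate,
            naive_prefix_contains(scope, candidate),
            scope_contains_sketch(scope, candidate)
        );
    }
}
```

Only the first two pairs pass the strict check; the naive prefix check accepts every pair except the upward-access one.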