Module security

Path sanitization and directory permission utilities

Defense-in-depth for filenames derived from API responses or untrusted input.

Functions

create_dir_restricted
Create directories with mode 0o700 (owner-only) on Unix.
safe_join
Sanitize untrusted_name then join it to base_dir and validate the result.
sanitize_filename
Strip path traversal components and return only the final filename.
validate_path_within
Canonicalize both paths and confirm target is a descendant of base_dir.