Function scoped_join 

pub fn scoped_join<R: AsRef<Path>, U: AsRef<Path>>(
    root: R,
    unsafe_path: U,
) -> Result<PathBuf>

Safely join unsafe_path to root, and ensure unsafe_path is scoped under root.

The scoped_join() function assumes root exists and is an absolute path. It safely joins the two given paths and ensures:

• The returned path is guaranteed to be scoped inside root.
• Any symbolic links in the path are evaluated with the given root treated as the root of the filesystem, similar to a chroot.

It’s modelled after secure_join, but only for Linux systems.

Arguments

• root: the absolute path to scope the symlink evaluation.
• unsafe_path: the path to evaluated and joint with root. It is unsafe since it may try to escape from the root by using “../” or symlinks.

Security

On success return, the scoped_join() function guarantees that:

• The resulting PathBuf must be a child path of root and will not contain any symlink path components (they will all get expanded).
• When expanding symlinks, all symlink path components must be resolved relative to the provided root. In particular, this can be considered a userspace implementation of how chroot(2) operates on file paths.
• Non-existent path components are unaffected.

Note that the guarantees provided by this function only apply if the path components in the returned string are not modified (in other words are not replaced with symlinks on the filesystem) after this function has returned. You may use crate::PinnedPathBuf to protect from such TOCTTOU attacks.