pub fn safe_join(base: &Path, candidate: &str) -> Option<PathBuf>
Lexically join a relative, attacker-influenced candidate onto base,
returning None if the candidate would escape base.
This is a string-level primitive (see skills/rust-path-security.md): it
performs no filesystem access and does not resolve symlinks — it is the
auditable companion to the syscall-level confinement enforced by
PathPolicy / cap_std. A candidate is rejected when it:
- contains an interior NUL byte;
- is absolute or carries a path prefix (e.g. a Windows drive / UNC); or
- contains a `..` that pops above `base` (balanced `a/../b` is fine).
On success the returned path is guaranteed to start with `base` and to
contain no `..` component.
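The contract above, implemented as an added example (this is not the crate's own code, only one lexical join that satisfies the documented rules; the test base `/srv/data` is a constructed value):

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Lexically join `candidate` onto `base`, or return None if it would escape.
/// Purely string-level: no filesystem access, no symlink resolution.
pub fn safe_join(base: &Path, candidate: &str) -> Option<PathBuf> {
    // An interior NUL would be silently truncated at the syscall boundary,
    // so reject it before any path parsing happens.
    if candidate.contains('\0') {
        return None;
    }
    let cand = Path::new(candidate);
    // Normal components accepted so far, relative to `base`. A `..` may only
    // pop something we pushed ourselves; anything more would climb above base.
    let mut stack: Vec<&OsStr> = Vec::new();
    for comp in cand.components() {
        match comp {
            // Absolute paths and prefixes (drive letter, UNC) are rejected.
            // Prefix detection follows the host's path rules (std::path).
            Component::RootDir | Component::Prefix(_) => return None,
            Component::CurDir => {}
            Component::ParentDir => {
                if stack.pop().is_none() {
                    return None;
                }
            }
            Component::Normal(s) => stack.push(s),
        }
    }
    // Rebuild from base; the result contains no `..` and starts with base.
    let mut out = base.to_path_buf();
    for s in stack {
        out.push(s);
    }
    Some(out)
}
```

Because `std::path` parses by host rules, a Windows drive spec such as `C:\x` is a single ordinary component on Unix; the syscall-level confinement (PathPolicy / cap_std) remains the backstop for that case.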