pub fn normalize_capability_path(path: &str) -> Option<PathBuf>
Lexically normalize an absolute capability path for allow-list matching.
Resolves . and .. components purely textually (no filesystem access, so
it works for not-yet-created write targets) and collapses redundant
separators. The result is the canonical lexical form a loader should match
against a Capability::Filesystem allow-list and then act on.
Returns None when the path is unsafe to admit:
- it is relative (capability paths must be absolute), or
- a .. component would escape above the filesystem root, or
- it contains a platform prefix (e.g. a Windows drive prefix), which the capability model does not model.
A .. that stays within the root is resolved, not rejected — e.g.
/data/../etc normalizes to /etc; admitting it here is safe because the
allow-list match then rejects /etc for a /data/** grant. Only true
root escapes are refused outright.
Examples
use std::path::PathBuf;
use uni_plugin::normalize_capability_path as norm;
assert_eq!(norm("/data/./sub/f"), Some(PathBuf::from("/data/sub/f")));
assert_eq!(norm("/data/../etc"), Some(PathBuf::from("/etc")));
assert_eq!(norm("/data/../../etc/passwd"), None); // escapes above root
assert_eq!(norm("data/x"), None); // relative
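The rules above (textual resolution of . and .., rejection of relative paths, of root escapes and of platform prefixes, and a component-wise allow-list match afterwards) as an added, self-contained example. This is not uni_plugin's own implementation; the function names `normalize_lexically` and `admits_under_grant` are hypothetical, and the `/data/**`-style grant is modelled simply as a grant root directory.

```rust
use std::ffi::OsString;
use std::path::{Component, Path, PathBuf};

/// Added example, not uni_plugin's code: lexically normalize an absolute
/// path with no filesystem access, following the rules in the docs above.
/// `Path::components()` already drops interior "." components and collapses
/// repeated separators, so only "..", the root and prefixes need handling.
pub fn normalize_lexically(path: &str) -> Option<PathBuf> {
    let mut kept: Vec<OsString> = Vec::new();
    let mut has_root = false;

    for comp in Path::new(path).components() {
        match comp {
            // Platform prefixes (e.g. a Windows drive) are not part of the
            // capability model: refuse them. Note that std only parses such
            // prefixes on Windows; on Unix "C:\\x" is an ordinary relative name.
            Component::Prefix(_) => return None,
            Component::RootDir => has_root = true,
            // "." is a no-op (only a leading "./" survives components()).
            Component::CurDir => {}
            // ".." pops the previous normal component; if there is nothing
            // left to pop the path would climb above "/", which is refused.
            Component::ParentDir => {
                if kept.pop().is_none() {
                    return None;
                }
            }
            Component::Normal(name) => kept.push(name.to_os_string()),
        }
    }

    // Relative paths are never admitted as capability paths.
    if !has_root {
        return None;
    }

    let mut out = PathBuf::from("/");
    for name in kept {
        out.push(name);
    }
    Some(out)
}

/// Hypothetical allow-list check for a grant covering `grant_root` and
/// everything below it. Comparison is component-wise via `Path::starts_with`,
/// so a grant on "/data" does not accidentally cover "/database".
pub fn admits_under_grant(normalized: &Path, grant_root: &Path) -> bool {
    normalized.is_absolute() && normalized.starts_with(grant_root)
}

fn main() {
    let grant = Path::new("/data");
    // Constructed sample inputs, including the case the docs call out:
    // "/data/../etc" normalizes fine but the grant check then rejects it.
    for input in ["/data/./sub/f", "/data/../etc", "/data/../../etc/passwd", "data/x", "//data//x/"] {
        match normalize_lexically(input) {
            Some(p) => println!("{input:24} -> {:20} allowed={}", p.display(), admits_under_grant(&p, grant)),
            None => println!("{input:24} -> rejected at normalization"),
        }
    }
}
```

Calling `admits_under_grant` only on the output of `normalize_lexically` is the point: matching the raw string first would let `/data/../etc` pass a naive prefix test.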