pub fn safe_join(root: impl AsRef<Path>, rel: &str) -> Result<PathBuf>
Safely join a relative path to a root directory, preventing path traversal.
Rejects:
- Empty paths
- Paths containing null bytes
- Absolute paths (starting with / or a Windows drive letter)
- Parent directory references (..)
- Paths that normalize to empty (e.g., "." or "./")
- Any symlink in the path (including broken symlinks)
Note: This function rejects ALL symlinks in the path, not just those pointing outside the root. This reduces the symlink-based attack surface. However, this does NOT eliminate TOCTOU races (an attacker can still swap a component to a symlink between check and write). True TOCTOU protection requires OS-level openat/O_NOFOLLOW-style APIs.
Returns the joined path if safe, or VoidError::PathTraversal if unsafe.
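The checks listed above, written out as an added example; this is not the crate's own implementation of safe_join, and it uses a hypothetical JoinError enum in place of VoidError::PathTraversal so that each rejection reason is visible in tests. The symlink check uses std::fs::symlink_metadata, which does not follow links, so a dangling symlink is still caught; components that do not exist yet are allowed through, since the caller may be about to create them. As the note above says, this is a check-then-use pattern and does not close TOCTOU races.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a relative path was rejected. Hypothetical stand-in for the page's
/// VoidError::PathTraversal, split per rule so tests can name the reason.
#[derive(Debug, PartialEq)]
pub enum JoinError {
    Empty,
    NullByte,
    Absolute,
    ParentDir,
    NormalizesToEmpty,
    Symlink(PathBuf),
}

/// Validate `rel` against the rules described above and join it onto `root`.
/// Returns the joined path, or the first rule that `rel` violates.
pub fn safe_join(root: impl AsRef<Path>, rel: &str) -> Result<PathBuf, JoinError> {
    if rel.is_empty() {
        return Err(JoinError::Empty);
    }
    if rel.contains('\0') {
        return Err(JoinError::NullByte);
    }
    // Absolute paths: a leading slash or backslash, or a Windows drive letter
    // such as "C:". Checked textually so the rule is the same on every host.
    let b = rel.as_bytes();
    if rel.starts_with('/')
        || rel.starts_with('\\')
        || (b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':')
    {
        return Err(JoinError::Absolute);
    }
    // Walk the components: reject "..", drop ".", keep normal names.
    let mut normalized = PathBuf::new();
    for comp in Path::new(rel).components() {
        match comp {
            Component::ParentDir => return Err(JoinError::ParentDir),
            Component::CurDir => continue,
            Component::Normal(name) => normalized.push(name),
            // Already rejected by the textual check; kept for completeness.
            Component::RootDir | Component::Prefix(_) => return Err(JoinError::Absolute),
        }
    }
    if normalized.as_os_str().is_empty() {
        return Err(JoinError::NormalizesToEmpty);
    }
    // Reject a symlink at any depth under root. symlink_metadata does not
    // follow the link, so broken symlinks are detected too. Components that
    // do not exist are fine (the caller may create them).
    let mut cur = root.as_ref().to_path_buf();
    for comp in normalized.components() {
        cur.push(comp);
        if let Ok(meta) = std::fs::symlink_metadata(&cur) {
            if meta.file_type().is_symlink() {
                return Err(JoinError::Symlink(cur));
            }
        }
    }
    Ok(cur)
}

fn main() {
    // Constructed inputs; the root need not exist for the path-shape rules.
    let root = "/srv/app/data";
    for rel in ["docs/report.txt", "../etc/passwd", "/etc/passwd", "C:\\win", ".", "a\0b"] {
        println!("{:?} -> {:?}", rel, safe_join(root, rel));
    }
}
```

One caveat for practitioners: Path::components splits on the host platform's separators only, so on Unix a backslash is an ordinary filename byte and "a\..\b" is a single component; the textual absolute-path check above is the only part that is platform-independent.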