TL;DR: Comprehensive path validation protecting against 62+ attack vectors including encoding attacks, Unicode tricks, and Windows-specific exploits. 95.81% test coverage, battle-tested in production.
The motivation: We built a blockchain security platform that handles untrusted code repositories. Standard path validation wasn't enough - we kept discovering new attack vectors:
- URL encoding: %2e%2e%2f → ../
- Double encoding: %252e%252e%252f → %2e%2e%2f → ../
- UTF-8 overlong: %c0%ae (invalid but sometimes accepted)
- Unicode homoglyphs: ․․/ (using U+2024)
- Windows NTFS streams: file.txt::$DATA
- Trailing dots/spaces (Windows ignores these)
- And 50+ more patterns
After 6 months of production hardening, we extracted this into a standalone library. Every attack we've seen is tested (21 tests, 62+ patterns).
*Stats*:
- 62+ attack patterns covered
- 95.81% test coverage
- Zero dependencies (only anyhow)
- Cross-platform compatibility
- MIT/Apache-2.0 licensed
*Links*:
- Crates.io: https://crates.io/crates/path-security
- GitHub: https://github.com/redasgard/path-security
- Docs: https://docs.rs/path-security
Perfect for web file uploads, archive extraction, git operations, and any application handling user-provided paths.
Feedback very welcome!
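
A sketch of how several of the patterns listed above (URL and double encoding, overlong UTF-8, the U+2024 homoglyph, NTFS streams, trailing dots/spaces) can be rejected using only the standard library. This is an added example, not part of the original post and not the path-security crate's code or API; `percent_decode`, `check_relative_path`, the four-layer decode limit and the sample paths are assumptions made for illustration.

```rust
// Added illustration, NOT the path-security crate's API; all names are hypothetical.
/// Decode one layer of %XX escapes into raw bytes; malformed escapes stay literal.
fn percent_decode(input: &[u8]) -> Vec<u8> {
    let hex = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let mut out = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        if input[i] == b'%' && i + 2 < input.len() {
            if let (Some(h), Some(l)) = (hex(input[i + 1]), hex(input[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(input[i]);
        i += 1;
    }
    out
}

/// Return the fully decoded relative path, or the reason it was rejected.
fn check_relative_path(raw: &str) -> Result<String, &'static str> {
    // Decode repeatedly so double encoding (%252e -> %2e -> .) is unwrapped
    // before any check runs; the limit of four layers is an assumption.
    let mut bytes = raw.as_bytes().to_vec();
    for _ in 0..4 {
        bytes = percent_decode(&bytes);
    }
    if percent_decode(&bytes) != bytes {
        return Err("too many encoding layers");
    }
    // Overlong forms such as C0 AE are invalid UTF-8, so strict decoding rejects them.
    let path = String::from_utf8(bytes).map_err(|_| "invalid UTF-8")?;
    if path.contains(':') || path.contains('\u{2024}') {
        return Err("colon (NTFS stream) or dot lookalike U+2024");
    }
    for part in path.split(|c| c == '/' || c == '\\') {
        if part.is_empty() || part == ".." || part.ends_with('.') || part.ends_with(' ') {
            return Err("empty, parent-directory, or trailing dot/space component");
        }
    }
    Ok(path)
}

fn main() {
    // Constructed sample inputs.
    for p in ["docs%2Freadme.md", "%252e%252e%252fsecret", "file.txt::$DATA"] {
        println!("{p:?} -> {:?}", check_relative_path(p));
    }
}
```

Checks run only on the fully decoded form, and the caller should use the returned string rather than the raw input so the validated path and the opened path are the same bytes.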