5 releases (3 breaking)
| new 0.4.0 | May 21, 2026 |
|---|---|
| 0.3.1 | Jan 7, 2026 |
| 0.3.0 | Jan 7, 2026 |
| 0.2.0 | Dec 30, 2025 |
| 0.1.0 | Dec 29, 2025 |
#235 in Filesystem
2,447 downloads per month
Used in 3 crates
(2 directly)
99KB
1K
SLoC
path_jail
A zero-dependency filesystem sandbox for Rust. Restricts paths to a root directory, preventing traversal attacks while supporting files that don't exist yet.
Maintained by Tenuo — visit us at tenuo.ai.
Python bindings: path-jail on PyPI
Installation
cargo add path_jail
The Problem
The standard approach fails for new files:
// This breaks if the file doesn't exist yet!
let path = root.join(user_input).canonicalize()?;
if !path.starts_with(&root) {
return Err("escape attempt");
}
The Solution
// One-liner for simple cases
let path = path_jail::join("/var/uploads", user_input)?;
std::fs::write(&path, data)?;
// Blocked: returns Err(EscapedRoot)
path_jail::join("/var/uploads", "../../etc/passwd")?;
For multiple paths, create a Jail and reuse it:
use path_jail::Jail;
let jail = Jail::new("/var/uploads")?;
let path1 = jail.join("report.pdf")?;
let path2 = jail.join("data.csv")?;
Features
- Zero dependencies - only stdlib
- Symlink-safe - resolves and validates symlinks
- Works for new files - validates paths that don't exist yet
- Type-safe paths - optional
JailedPathnewtype prevents confused deputy bugs - Segment joining - safely build paths from user IDs, filenames, etc.
- Helpful errors - tells you what went wrong and why
secure-openfeature (Unix) -O_NOFOLLOW-protected opens; zero extra depsguardfeature (Linux 5.6+) - kernel-enforced TOCTOU safety viaopenat2(RESOLVE_BENEATH);O_NOFOLLOWfallback on macOS/BSD
Security
| Attack | Example | Blocked |
|---|---|---|
| Path traversal | ../../etc/passwd |
Yes |
| Symlink escape | link -> /etc |
Yes |
| Symlink chains | a -> b -> /etc |
Yes |
| Broken symlinks | link -> /nonexistent |
Yes |
| Absolute injection | /etc/passwd |
Yes |
| Parent escape | foo/../../secret |
Yes |
| Null byte injection | file\x00.txt |
Yes |
Limitations
This library validates paths. It does not hold file descriptors.
Rejected at construction:
- Filesystem roots (
/,C:\,\\server\share) are rejected because they defeat the purpose of jailing.
Defends against:
- Logic errors in path construction
- Confused deputy attacks from untrusted input
Does not defend against:
- Malicious local processes racing your I/O (use the
guardfeature for kernel-enforced protection on Linux 5.6+)
For kernel-enforced sandboxing without leaving the path_jail API, enable the guard feature. For a
capability-based alternative that replaces std::fs entirely, see cap-std.
Platform-Specific Edge Cases
Hard Links
Hard links cannot be detected by path inspection. If an attacker has shell access and creates a hard link to a sensitive file inside your jail, path_jail will allow access.
Mitigations:
- Use a separate partition for the jail (hard links cannot cross partitions)
- Use container isolation
Mount Points
If an attacker can mount a filesystem inside the jail, they can escape:
let jail = Jail::new("/var/uploads")?;
// Attacker (with root): mount /dev/sda1 /var/uploads/mnt
jail.join("mnt/etc/passwd")?; // Passes check, but accesses root filesystem!
Detecting mount points would require stat() on every path component (expensive) or parsing /proc/mounts (Linux-only).
Mitigations:
- Mounting requires root privileges. If attacker has root, path validation is moot.
- Use container isolation (separate mount namespace)
TOCTOU Race Conditions
path_jail validates paths at call time. A symlink could be created between validation and use:
let path = jail.join("file.txt")?; // Validated
// Attacker creates symlink here
std::fs::write(&path, data)?; // Escapes!
Mitigations:
- Enable the
guardfeature on Linux 5.6+: a singleopenat2(RESOLVE_BENEATH)syscall makes the validate-and-open atomic (see below) - Enable the
secure-openfeature forO_NOFOLLOW-protected file operations (protects the final component only) - Use container/chroot isolation
Windows Reserved Device Names
On Windows, filenames like CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9 are special device names.
let path = jail.join("CON.txt")?; // Returns C:\uploads\CON.txt
std::fs::File::open(&path)?; // Opens console device, not file!
Impact: Denial of Service (not a filesystem escape).
Mitigation: Validate filenames against a blocklist before calling path_jail, or use UUIDs for stored filenames.
Unicode Normalization (macOS)
macOS automatically converts filenames to NFD (decomposed) form. A file saved as café.txt (NFC) may be stored as café.txt (NFD).
path_jail handles this correctly (all paths are canonicalized). The issue arises when storing paths externally:
let user_input = "café"; // NFC from web form
let jail = Jail::new(format!("/uploads/{}", user_input))?;
// Wrong: storing original input
db.insert("root", user_input); // NFC bytes
// Later: comparison fails
db.get("root") == jail.root().to_str(); // NFC != NFD
Mitigation: Always store jail.root() or jail.relative(), never the original input. These are already canonicalized.
Case Sensitivity (Windows/macOS)
Windows and macOS (by default) have case-insensitive filesystems.
path_jail handles this correctly for existing paths because canonicalize() normalizes case to what's on disk:
let jail = Jail::new("/var/Uploads")?; // Canonicalized
jail.contains("/var/uploads/file.txt")?; // Also canonicalized - works!
The issue is for blocklist checks on user input before calling path_jail:
let blocklist = ["secret.txt"];
let input = "SECRET.TXT";
// Wrong: case-sensitive comparison
if blocklist.contains(&input) { /* won't match */ }
// Right: normalize first
if blocklist.contains(&input.to_lowercase().as_str()) { /* matches */ }
Mitigation: Normalize case before blocklist checks.
Trailing Dots and Spaces (Windows)
Windows silently strips trailing dots and spaces:
jail.join("file.txt.")?; // Becomes "file.txt"
jail.join("file.txt ")?; // Becomes "file.txt"
Mitigation: Strip trailing dots/spaces before validation.
Alternate Data Streams (Windows NTFS)
NTFS supports alternate data streams: file.txt:hidden. Consider rejecting filenames containing :.
Unicode Display Attacks
Filenames can contain Unicode control characters that manipulate display:
jail.join("\u{202E}txt.exe")?; // Right-to-left override: displays as "exe.txt"
path_jail passes these through (they're valid filenames). This is a UI attack, not a path attack. Sanitize filenames before displaying to users.
Special Filesystems (Linux)
/proc and /dev contain symlinks that can escape any jail:
let jail = Jail::new("/proc")?;
jail.join("self/root/etc/passwd")?; // /proc/self/root → /
path_jail catches this via symlink resolution (the above returns EscapedRoot). However, these filesystems have many such escape vectors. Avoid using them as jail roots.
Path Canonicalization
All returned paths are canonicalized (symlinks resolved, .. eliminated):
// macOS: /var is a symlink to /private/var
let jail = Jail::new("/var/uploads")?;
assert!(jail.root().starts_with("/private/var"));
// Windows: Long paths (>260 chars) use \\?\ prefix
let long_name = "a".repeat(300);
let path = jail.join(&long_name)?;
assert!(path.to_string_lossy().starts_with(r"\\?\"));
When comparing paths, always canonicalize your expected values.
API
One-shot validation
// Validate and join in one call
let safe: PathBuf = path_jail::join("/var/uploads", "subdir/file.txt")?;
Reusable jail
use path_jail::Jail;
// Create a jail (root must exist, be a directory, and not be filesystem root)
let jail = Jail::new("/var/uploads")?;
// Get the canonicalized root
let root: &Path = jail.root();
// Safely join a relative path
let path: PathBuf = jail.join("subdir/file.txt")?;
// Check if an absolute path is inside the jail
let verified: PathBuf = jail.contains("/var/uploads/file.txt")?;
// Get relative path for database storage
let rel: PathBuf = jail.relative(&path)?; // "subdir/file.txt"
Type-safe paths
Use JailedPath for compile-time guarantees:
use path_jail::{Jail, JailedPath};
fn save_upload(path: JailedPath, data: &[u8]) -> std::io::Result<()> {
// path is guaranteed to be inside the jail - no runtime check needed
std::fs::write(&path, data)
}
let jail = Jail::new("/var/uploads")?;
let path: JailedPath = jail.join_typed("report.pdf")?;
save_upload(path, b"data")?;
Segment joining
Safely build paths from multiple user inputs:
use path_jail::Jail;
let jail = Jail::new("/var/uploads")?;
let user_id = "alice";
let filename = "photo.jpg";
// Safe: each segment is validated (no /, \, or .. allowed in segments)
let path = jail.join_segments([user_id, "files", filename])?;
// These would fail:
// jail.join_segments(["../etc", "passwd"])?; // ".." rejected
// jail.join_segments(["users/files"])?; // "/" in segment rejected
// Type-safe version:
let path: JailedPath = jail.segments([user_id, "files", filename])?;
Error Handling
Construction errors
use path_jail::{Jail, JailError};
match Jail::new("/var/uploads") {
Ok(jail) => { /* use jail */ }
Err(JailError::InvalidRoot(path)) => {
// Tried to use filesystem root (/, C:\) or non-directory
panic!("Config error: {}", path.display());
}
Err(JailError::Io(e)) => {
// Root doesn't exist
panic!("Config error: {}", e);
}
Err(e) => panic!("Unexpected error: {}", e), // Future-proof
}
Path validation errors
use path_jail::{Jail, JailError};
let jail = Jail::new("/var/uploads")?;
match jail.join(user_input) {
Ok(path) => {
// Safe to use
std::fs::write(&path, data)?;
}
Err(JailError::EscapedRoot { attempted, root }) => {
// Path traversal attempt
eprintln!("Blocked: {} escapes {}", attempted.display(), root.display());
}
Err(JailError::BrokenSymlink(path)) => {
// Symlink target doesn't exist (can't verify it's safe)
eprintln!("Broken symlink: {}", path.display());
}
Err(JailError::InvalidPath(reason)) => {
// Absolute path or other invalid input
eprintln!("Invalid: {}", reason);
}
Err(JailError::Io(e)) => {
// Filesystem error (e.g., permission denied)
eprintln!("I/O error: {}", e);
}
Err(e) => eprintln!("Error: {}", e), // Future-proof (non_exhaustive)
}
Example: File Uploads
use path_jail::Jail;
use std::path::PathBuf;
struct UploadService {
jail: Jail,
}
impl UploadService {
fn new(root: &str) -> Result<Self, path_jail::JailError> {
Ok(Self { jail: Jail::new(root)? })
}
fn save(&self, user_id: &str, filename: &str, data: &[u8]) -> std::io::Result<PathBuf> {
let path = self.jail.join(format!("{}/{}", user_id, filename))
.map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidInput, e))?;
if let Some(parent) = path.parent() {
std::fs::create_dir_all(parent)?;
}
std::fs::write(&path, data)?;
Ok(path)
}
}
Framework Integration
Axum
use axum::{extract::Path, http::StatusCode, response::IntoResponse};
use bytes::Bytes;
use path_jail::Jail;
use std::sync::LazyLock;
static UPLOADS: LazyLock<Jail> = LazyLock::new(|| {
Jail::new("/var/uploads").expect("uploads dir must exist")
});
async fn upload(
Path(filename): Path<String>,
body: Bytes,
) -> Result<impl IntoResponse, StatusCode> {
let path = UPLOADS.join(&filename).map_err(|_| StatusCode::BAD_REQUEST)?;
if let Some(parent) = path.parent() {
std::fs::create_dir_all(parent).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
}
std::fs::write(&path, &body).map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
Ok(StatusCode::CREATED)
}
Actix-web
use actix_web::{web, HttpResponse, Result};
use path_jail::Jail;
use std::sync::LazyLock;
static UPLOADS: LazyLock<Jail> = LazyLock::new(|| {
Jail::new("/var/uploads").expect("uploads dir must exist")
});
async fn upload(
path: web::Path<String>,
body: web::Bytes,
) -> Result<HttpResponse> {
let safe_path = UPLOADS.join(path.as_str())
.map_err(|_| actix_web::error::ErrorBadRequest("invalid path"))?;
std::fs::write(&safe_path, &body)?;
Ok(HttpResponse::Created().finish())
}
TOCTOU-Safe File Operations
secure-open — O_NOFOLLOW protection (all Unix)
Enable the secure-open feature for O_NOFOLLOW-protected file operations:
[dependencies]
path_jail = { version = "0.4", features = ["secure-open"] }
use path_jail::Jail;
use std::io::{Read, Write};
let jail = Jail::new("/var/uploads")?;
// Open with O_NOFOLLOW - fails if path is a symlink
let mut file = jail.open("config.txt")?;
let mut contents = String::new();
file.read_to_string(&mut contents)?;
// Create with O_CREAT | O_EXCL | O_NOFOLLOW - fails if file exists or is symlink
let mut file = jail.create("new.txt")?;
file.write_all(b"hello")?;
// Other options
let file = jail.create_or_truncate("data.txt")?; // Truncate if exists
let file = jail.open_append("log.txt")?; // Append mode
This protects against symlink swap attacks on the final path component. Zero additional dependencies.
Limitation: Protects the final path component only. An attacker who can swap an intermediate directory between path validation and the open call can still escape.
guard — Kernel-enforced TOCTOU safety (Linux 5.6+)
The guard feature uses a single openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) syscall. Because the validate-and-open is atomic at the kernel level, there is no window for a race condition:
[dependencies]
path_jail = { version = "0.4", features = ["guard"] }
use path_jail::guard::{FdJail, OpenOptions};
use std::io::Read;
// Pin the jail root as a file descriptor — renames of the root after this
// point are invisible to the jail.
let jail = FdJail::new("/var/uploads")?;
// TOCTOU-safe open: one syscall, kernel-enforced containment
let mut jf = jail.open("report.pdf", OpenOptions::new().read(true))?;
let mut buf = Vec::new();
jf.read_to_end(&mut buf)?;
// Every open captures an Attestation with inode, device, nlink, and timestamp
let att = jf.attestation();
assert!(att.toctou_safe); // true on Linux 5.6+
assert!(att.signature.is_none()); // None until Ed25519 key is configured
// Detect hard links (data exfiltration vector)
if jf.has_hard_links() {
return Err("hard link policy violation");
}
// Create a new file — fails if it already exists
let mut out = jail.create("output.bin")?;
out.write_all(b"processed")?;
On macOS/BSD: falls back to an O_NOFOLLOW-based open (same protection as secure-open). attestation().toctou_safe will be false.
Blocked by openat2:
- Symlink escapes (
/etclink inside jail) →JailError::Escape ..traversal →JailError::Escape/proc/self/rootand other magic links →JailError::MagicLink- Symlinks when
no_symlinks(true)→JailError::SymlinkRejected
Returns JailError::UnsupportedKernel on Linux kernels older than 5.6. Zero additional dependencies — raw syscall, no libc.
Alternatives
| path_jail | strict-path | cap-std | |
|---|---|---|---|
| Approach | Path validation + guard | Type-safe path system | File descriptors |
| Returns | PathBuf / JailedPath / JailFile |
Custom StrictPath<T> |
Custom Dir/File |
| Dependencies | 0 | ~5 | ~10 |
| TOCTOU-safe | guard (Linux 5.6+, kernel-enforced) / secure-open (final component, all Unix) |
No | Yes |
| Best for | File sandboxing with optional kernel enforcement | Complex type-safe paths | Full capability-based security |
strict-path- More comprehensive, uses marker types for compile-time guaranteescap-std- Capability-based, TOCTOU-safe, but replacesstd::fsentirely
guard on Linux 5.6+: the validate-and-open is a single openat2 syscall — truly atomic, no race window. On macOS/BSD the same API falls back to O_NOFOLLOW (final component only).
Thread Safety
Jail implements Clone, Send, and Sync. It can be safely shared across threads:
use std::sync::Arc;
use path_jail::Jail;
let jail = Arc::new(Jail::new("/var/uploads")?);
let jail_clone = Arc::clone(&jail);
std::thread::spawn(move || {
let path = jail_clone.join("file.txt").unwrap();
// ...
});
MSRV
Minimum Supported Rust Version: 1.85
This crate tracks recent stable Rust. The MSRV is bumped to 1.85 to accommodate transitive dev-dependencies that require edition 2024.
Development
This crate is maintained by Tenuo. Contributions are welcome!
git clone https://github.com/tenuo-ai/path_jail.git
cd path_jail
cargo test
cargo clippy
License
MIT OR Apache-2.0