==== Canonical path validation

If it is impossible to use secure-by-design APIs that do this automatically, the universal way to prevent path injection is to validate paths constructed from untrusted data:

1. Ensure the target directory path ends with a forward slash to prevent partial path traversal, for example, `/base/dirmalicious` starts with `/base/dir` but does not start with `/base/dir/`.
2. Resolve the canonical path of the file by using methods like `{canonicalization_function}`. This will resolve relative path or path components like `../` and removes any ambiguity regarding the file's location. 
3. Check that the canonical path is within the directory where the file should be located.

*Important Note*: The order of this process pattern is important. The code must
follow this order exactly to be secure by design:

1. `data = transform(user_input);`
2. `data = normalize(data);`
3. `data = sanitize(data);`
4. `use(data);`

:tnsu_talk: https://www.youtube.com/watch?v=V-DdcKADnFk
As pointed out in {tnsu_talk}[this SonarSource talk], failure to follow this
exact order leads to security vulnerabilities.