Description
The semantics of mkFsPath are inconsistent between the real and simulated filesystem instances, as is documented in the description of FsPath.
This inconsistency makes it easy to write code that behaves differently depending on whether or not it runs on a real or simulated filesystem.
This makes it nigh-impossible to write code that is truly known to be invariant over what kind of filesystem it will be evaluated on, since the segments of the FsPath will be interpreted differently by the different instances.
Notably, the code mkFsPath ["/", "etc", "passwd"] will yield an FsPath that is well-behaved in the simulation, but yields a path to /etc/passwd when evaluated with the actual filesystem, regardless of the mount point.
tmpDir <- Dir.getTemporaryDirectory
let mountPoint = tmpDir </> "fs-sim"
let hasFS = ioHasFS (MountPoint mountPoint)
let passwd = mkFsPath ["/", "etc", "passwd"]
putStrLn (unsafeToFilePath passwd)
-- "/etc/passwd"
-- NOT: "/tmp/fs-sim/etc/passwd"This breaks the encapsulation that the mount point is intended to introduce and introduces an attack vector that can be exploited by any FsPath created from user input or by an unreviewed version of a dependency.
Furthermore, fs-api significantly obfuscates the dangers here.
In my opinion, the fsPathToFilePath function that is used to interpreted FsPath on the real filesystem should escape all characters that have special meaning on the current platform in order to yield consistent behaviour across the API instances and better encapsulation.