From 3048de9d6e5693e09c9885ec8b4673dbcf72c1e6 Mon Sep 17 00:00:00 2001
From: Sean Liao <sean@liao.dev>
Date: Fri, 6 Feb 2026 21:06:09 +0000
Subject: [PATCH] io/fs: document that Sub does not check for existence

Also recommend os.Root for constraining access.

Fixes #77447

Change-Id: Id8d178163438e9264fe19ed37ba03e1ee5d0bd35
Reviewed-on: https://go-review.googlesource.com/c/go/+/742284
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
---
 src/io/fs/sub.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/io/fs/sub.go b/src/io/fs/sub.go
index 376d561bad..63c7a3cf77 100644
--- a/src/io/fs/sub.go
+++ b/src/io/fs/sub.go
@@ -24,7 +24,8 @@ type SubFS interface {
 // Otherwise, Sub returns a new [FS] implementation sub that,
 // in effect, implements sub.Open(name) as fsys.Open(path.Join(dir, name)).
 // The implementation also translates calls to ReadDir, ReadFile,
-// ReadLink, Lstat, and Glob appropriately.
+// ReadLink, Lstat, and Glob appropriately. Sub does not check if the
+// directory currently exists.
 //
 // Note that Sub(os.DirFS("/"), "prefix") is equivalent to os.DirFS("/prefix")
 // and that neither of them guarantees to avoid operating system
@@ -32,6 +33,7 @@ type SubFS interface {
 // does not check for symbolic links inside "/prefix" that point to
 // other directories. That is, [os.DirFS] is not a general substitute for a
 // chroot-style security mechanism, and Sub does not change that fact.
+// Use [os.Root] to constrain access to particular directory trees.
 func Sub(fsys FS, dir string) (FS, error) {
 	if !ValidPath(dir) {
 		return nil, &PathError{Op: "sub", Path: dir, Err: ErrInvalid}
-- 
2.52.0