[layer8]

No, they really don’t have this, because for example you can still open() using an arbitrary string as a file name, a string which may have come from unvalidated input. They don’t force you to convert the string to a FileName type and also prove that you have done some sort of pattern-matching on the string.

[kqr]

That is true. You'd need to expose alternative versions of system functions that deal only in parsed and not raw data, and then prohibit the native variants. A little more ceremony, but also a little more flexibility.

Edit: It might be easier to instead replace input functions with ones that return TaintedString, unusable as a regular string. But it's easier to write a linter rule that prohibits any unsafe (default) system functions than one which requires safe input functions, I suppose.

[kstrauser]

Now I’m imagining a Rust UncheckedString type with a to_string() method that takes a regexp.