> Worse, since this was changed in a common function that all kinds of programs at the company used, it meant that anything that created a directory in that language (with that library) was now vulnerable to this kind of injection.
Low-level libraries that are used all over the company should probably have a strict code review process that's overseen by a group of experienced maintainers who have a good knowledge of security, performance, etc.
Ideally they should be turned into open source projects.
Google's https://abseil.io and Facebook's https://github.com/facebook/folly come to mind.