If you take 'any ' path from the request and convert it into a path on your local system, it would potentially allow malicious users to read files that you do not want them to access. Containers like
Tomcat protect against resources being read from outside the application, but once you allow this (as you are requesting) then you are now responsible for ensuring this doesn't happen