[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression (#23985)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: merlimat

pulsar-package-management/filesystem-storage/src/main/java/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java

@@ -59,11 +59,14 @@ public class FileSystemPackagesStorage implements PackagesStorage {
     }
 
     private File getPath(String path) throws IOException {
-        if (path.contains("..")) {
+        // Normalize the path to remove any redundant path elements
+        File f = Paths.get(storagePath.toString(), path).normalize().toFile();
+
+        // Ensure the normalized path is still within the storagePath
+        if (!f.getAbsolutePath().startsWith(storagePath.getAbsolutePath())) {
             throw new IOException("Invalid path: " + path);
         }
 
-        File f = Paths.get(storagePath.toString(), path).toFile();
         if (!f.getParentFile().exists()) {
             if (!f.getParentFile().mkdirs()) {
                 throw new RuntimeException("Failed to create parent dirs for " + path);