fix: implement security check for repo path to prevent directory traversal

Author: Kewe63

dependency_updater/dependency_updater.go

@@ -89,6 +89,19 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 		return fmt.Errorf("error resolving repo path: %s", err)
 	}
 
+	// Ensure the resolved path stays within the workspace (CWE-22)
+	base := os.Getenv("GITHUB_WORKSPACE")
+	if base != "" {
+		absBase, err := filepath.Abs(base)
+		if err != nil {
+			return fmt.Errorf("error resolving workspace base path: %w", err)
+		}
+		rel, err := filepath.Rel(absBase, repoPath)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			return fmt.Errorf("security error: repo path '%s' is outside of workspace '%s'", repoPath, absBase)
+		}
+	}
+
 	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
 		return fmt.Errorf("error reading versions JSON: %s", err)