Potential fix for code scanning alert no. 281: Uncontrolled data used in path expression

[JensKrumsieck]

Potential fix for https://github.com/fairagro/sciwin/security/code-scanning/281

General fix: validate and constrain the resolved path before using it in filesystem operations. The safest pattern is to resolve against an allowlisted base directory and reject paths that escape it.

Best fix here without changing broad behavior too much: harden verify_base_dir so it rejects dangerous relative inputs (.., separators in components are inherently handled by component parsing) and ensures the final resolved path is under the current working directory. This matches the current implicit behavior of joining relative paths to current_dir, while preventing traversal/escape and suspicious component use. Then downstream functions (create_arc_folder_structure) can continue using the returned validated path unchanged.

Edit region: packages/core/src/project.rs, function verify_base_dir (lines ~100–122 in snippet).
Needed changes:

• Use std::path::Component to inspect path components.
• Reject absolute input (to enforce confinement) and any ParentDir traversal.
• Build candidate path from current_dir().join(folder).
• Canonicalize existing candidates; for non-existing targets canonicalize parent then append leaf.
• Ensure final path starts with canonicalized current directory; otherwise reject.

No new dependency is required; only standard library API is used.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[JensKrumsieck]

looks good to me