Potential fix for code scanning alert no. 292: Uncontrolled data used in path expression

[JensKrumsieck]

Potential fix for https://github.com/fairagro/sciwin/security/code-scanning/292

General fix: ensure filesystem operations use a canonicalized path that is guaranteed to remain inside a trusted base directory, instead of using partially validated raw PathBuf.

Best targeted fix in packages/core/src/project.rs:

1. In verify_relative_to_cwd, after validating parent for non-existing paths, canonicalize the parent and rebuild path as canonical_parent.join(file_name) so the returned path is always anchored to canonical parent under canonical CWD.
2. Keep (and effectively apply to both branches) the starts_with(cwd) and file-type checks on the final path.
3. This preserves current behavior (creating directories relative to CWD) while making the returned path deterministic and safer for create_dir_all.

No new dependencies are required (uses existing dunce and std APIs already in file).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[JensKrumsieck]

👍🏻

[github-actions]

Package	Line Rate	Health
packages/util/src	5%	❌
packages/gui/src/components/graph	0%	❌
packages/core/src	72%	➖
packages/cli/src	58%	➖
packages/cli/src/commands	57%	➖
packages/repository/src	98%	✔
packages/remote_execution/src/reana	0%	❌
packages/reana/src	78%	✔
packages/gui/src/components/files	10%	❌
packages/test_utils	67%	➖
packages/gui/src/components	2%	❌
packages/core/src/parser	92%	✔
packages/gui/src/components/layout	0%	❌
packages/gui/src	23%	❌
packages/remote_execution/src	0%	❌
Summary	53% (2463 / 4655)	➖