security(weave): Fixing path traversal in send_local_file

[anandwandb]

This PR addresses a path traversal vulnerability in weave_server.py, discovered by a bug bounty researcher

abspath = "/" / pathlib.Path(path) constructs an absolute path by joining the root directory / with the provided path. It ensures that abspath always starts from the root directory, however - it doesn't protect against path traversal attacks. An attacker could give a path like ../../../../../../../etc/passwd and read sensitive files outside of the root directory of the webserver.

The patch proposed in this PR checks to ensure that the resolved requested_path starts with the local_artifact_path - otherwise throws a 403 Error.

[github-actions]

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request}

[circle-job-mirror]

Preview this PR with FeatureBee: https://beta.wandb.ai/?betaVersion=42afcf952f48070df64d328c65470c9e9753c7f8