fix(gerrit): prevent path traversal in publish_code_suggestions

pr_agent/git_providers/gerrit_provider.py

@@ -342,10 +342,16 @@ def split_suggestion(self, msg) -> tuple[str, str]:
 
     def publish_code_suggestions(self, code_suggestions: list):
         msg = []
+        repo_root = pathlib.Path(self.repo_path).resolve()
         for suggestion in code_suggestions:
+            # Sanitize file path to prevent directory traversal
+            target_path = (repo_root / suggestion["relevant_file"]).resolve()
+            if not str(target_path).startswith(str(repo_root)):
+                get_logger().warning(f"Skipping suggestion with path traversal: {suggestion['relevant_file']}")
+                continue
             description, code = self.split_suggestion(suggestion['body'])
             add_suggestion(
-                pathlib.Path(self.repo_path) / suggestion["relevant_file"],
+                target_path,
                 code,
                 suggestion["relevant_lines_start"],
                 suggestion["relevant_lines_end"],