Fix Path Traversal in validate_assignment via Path Normalization (#1978)

* Fix path traversal validate_assignment

* refactor: use pathlib for path traversal fix

* Update nbgrader/server_extensions/validate_assignment/handlers.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: yueyueL

nbgrader/server_extensions/validate_assignment/handlers.py

@@ -6,6 +6,7 @@
 
 from tornado import web
 from textwrap import dedent
+from pathlib import Path
 
 from jupyter_server.utils import url_path_join as ujoin
 from jupyter_server.base.handlers import JupyterHandler
@@ -38,8 +39,11 @@ def load_config(self):
         return app.config
 
     def validate_notebook(self, path):
-        fullpath = os.path.join(self.root_dir, path)
-
+        root = Path(self.root_dir).resolve()
+        target = (root / path).resolve()
+        if not target.is_relative_to(root):
+            raise web.HTTPError(403, "Access denied: path outside allowed directory")
+        fullpath = str(target)
         try:
             config = self.load_config()
             validator = Validator(config=config)
@@ -144,4 +148,4 @@ def load_jupyter_server_extension(nbapp):
     webapp.add_handlers(".*$", [
         (ujoin(base_url, pat), handler)
         for pat, handler in default_handlers
-    ])
+    ])