backupengine: disallow path traversals via backup MANIFEST on restore

[timvaillancourt]

Description

This PR addresses a GHSA-8g8j-r87h-p36x where it is possible for an attacker with access to the backup storage to cause files to be restored outside of the intended backup path(s), via a directory traversal

How? In the backup MANIFEST there is a FileEntries array/list/slice representing files to restore. In this structure is a Name string field we trust to be the place to restore the files. If a user adds ../..s to these paths, the backup engine will trust this on restore and construct a path that traverses the intended base path

This PR updates this code to validate that the paths we build from the Name field do not escape the parent/base directory they are meant to restore to. These 4 x base paths are known and on a typical install are:

1. $VTDATAROOT/vt_0000000100/data
2. $VTDATAROOT/vt_0000000100/innodb/data
3. $VTDATAROOT/vt_0000000100/innodb/logs
4. $VTDATAROOT/vt_0000000100/bin-logs

Related Issue(s)

GHSA-8g8j-r87h-p36x

Checklist

• "Backport to:" labels have been added if this change should be back-ported to release branches
• If this change is to be back-ported to previous releases, a justification is included in the PR description
• Tests were added or are not required
• Did the new or modified tests pass consistently locally and on CI?
• Documentation was added or is not required

Deployment Notes

AI Disclosure

Claude w/Opus 4.6 wrote the tests and reviewed the changes I made

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

• Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

• Apply the release notes (needs details) label if users need to know about this change.
• New features should be documented.
• There should be some code comments as to why things are implemented the way they are.
• There should be a comment at the top of each new or modified test to explain what the test does.

New flags

• Is this flag really necessary?
• Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
• vtctl command output order should be stable and awk-able.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.85%. Comparing base (70c7a72) to head (aaeaf0b).
⚠️ Report is 23 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (70c7a72) and HEAD (aaeaf0b). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (70c7a72)	HEAD (aaeaf0b)
	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #19470       +/-   ##
===========================================
- Coverage   69.67%   48.85%   -20.82%     
===========================================
  Files        1614       46     -1568     
  Lines      216793     6988   -209805     
===========================================
- Hits       151044     3414   -147630     
+ Misses      65749     3574    -62175     

Flag	Coverage Δ
partial	48.85% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[timvaillancourt]

@mattlord we can point this at the CVE you planned to create, or I can create an issue. For now the Needs Issue label will gate a merge

[mattlord]

❤️