Use `os.Root` for filesystem access

[delvh]

At the moment, there are a couple of places, where we need to query the filesystem - especially for git data, customizations, templates.
Oftentimes, the places we need to query are user-supplied and must thus be sanitized.
Through the new os.Root in 1.24 we can now ensure that access is only possible in directories we want to access.
As such, we should migrate all filesystem access to use os.Root wherever possible as a security measure.

[silverwind]

Seems good to avoid future path traversal exploits. I doubt whether all fs access can be migrated. Ideally we should forbid functions like os.ReadFile via lint rule so it will require a // nolint comment to circumvent.

[wxiaoguang]

We already have this and have used it as much as possible. These functions guarantee that the root (first) elem won't be bypassed.

[delvh]

Well… to some extent.
Currently, we ensure it with semantics (we have called this function at runtime beforehand).
However, with this change, we can ensure even at compile time that no out-of-bounds access can occur.
Additionally, it has one other benefit:
Right now, we silently ignore the invalid parts of parameters.
If we used os.Root, those ignored parts would become error cases instead, which sounds a lot cleaner in my perspective.

[wxiaoguang]

Yes, we could refactor some "PathJoinXxx" caller functions to use os.Root. I think they are the only places need to be taken care of the directory bypass at the moment. IIRC there is no other function directly accessing the filesystem with user input (correct me if I was wrong or I missed anything)