Add subpath guard function to avoid non-relative subpath parsed URI

storage-local/src/main/java/io/kestra/storage/local/LocalStorage.java

@@ -233,14 +233,20 @@ public class LocalStorage implements StorageInterface {
                 .toList();
         }
     }
-
     private URI getKestraUri(String tenantId, Path path) {
         Path prefix = (tenantId == null) ?
-            basePath.toAbsolutePath() :
-            Path.of(basePath.toAbsolutePath().toString(), tenantId);
+            basePath.toAbsolutePath():
+            basePath.toAbsolutePath().resolve(tenantId);
+        subPathParentGuard(path, prefix);
         return URI.create("kestra:///" + prefix.relativize(path).toString().replace("\\", "/"));
     }
 
+    private void subPathParentGuard(Path path, Path prefix) {
+        if (!path.toAbsolutePath().startsWith(prefix)) {
+            throw new IllegalArgumentException("The path must be a subpath of the base path with the tenant ID.");
+        }
+    }
+
     private void parentTraversalGuard(URI uri) {
         if (uri.toString().contains("..")) {
             throw new IllegalArgumentException("File should be accessed with their full path and not using relative '..' path.");