@odaysec odaysec commented Jan 11, 2026

Normalize and validate save_root to ensure safe directory usage. To fix uncontrolled command line issues, you must ensure that any user-influenced values passed to subprocess are either (1) chosen from a hard-coded allowlist, or (2) rigorously validated and normalized before use. It is also important to avoid shell=True and building shell command strings when passing user-controlled data.

For this case, the untrusted value is save_root, which contributes to trial_dir and is passed as a command-line argument (--trial-dir) to the watcher process. The best fix that doesn’t change existing functionality is to constrain save_root to be a safe, absolute directory path inside a known base directory, and to bail out if the provided value attempts path traversal or is otherwise unsafe. We can do this by introducing a small validation/normalization step in run: compute a safe base directory (e.g., a default root under the current working directory), resolve save_root to an absolute path, and verify that it is contained within that base. If the check fails, we either reject with an exception or fall back to the default. We then use the normalized safe_save_root to construct trial_dir. This removes the tainted flow while preserving the intended behavior for legitimate inputs.

Concretely, in extern/threestudio/gradio_app.py within run, before trial_dir is built, we will:

  • Import pathlib’s Path at the top of the file (this is a standard library module).
  • Define base_root = Path.cwd() / EXP_ROOT_DIR (or similar).
  • Resolve save_root via Path(save_root).expanduser().resolve() and verify it is under base_root using relative_to inside a try block.
  • If validation passes, set safe_save_root to this resolved path; if it fails, set safe_save_root to base_root.
  • Use safe_save_root when constructing trial_dir and when passing exp_root_dir to the training command.
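
The containment check listed in the description above, as an added example that is not part of the pull request or the project's code. The function names `normalize_save_root` and `watcher_argv`, the value of `EXP_ROOT_DIR`, the script name `watcher.py` and all sample paths are assumptions made for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

EXP_ROOT_DIR = "outputs-gradio"  # assumed value; the PR text only names the constant


def normalize_save_root(save_root, base_root):
    """Return save_root resolved inside base_root, or base_root if it escapes."""
    base = Path(base_root).resolve()
    try:
        # resolve() collapses ".." and follows symlinks before the comparison.
        resolved = Path(save_root).expanduser().resolve()
        # relative_to() compares whole path components, so "<base>-evil"
        # is rejected where a string startswith() check would accept it.
        resolved.relative_to(base)
    except (TypeError, ValueError, OSError, RuntimeError):
        return base
    return resolved


def watcher_argv(trial_dir):
    # List form for subprocess.Popen(argv) without shell=True.
    # "watcher.py" is a placeholder script name; --trial-dir is the flag named in the PR.
    return [sys.executable, "watcher.py", "--trial-dir", str(trial_dir)]


def demo():
    """Run constructed inputs through the check inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve() / EXP_ROOT_DIR
        outside = base.parent / "outside"
        base.mkdir()
        outside.mkdir()
        os.symlink(outside, base / "link")  # symlink that points out of the base
        inputs = {  # constructed sample values
            "inside": base / "run1",
            "traversal": base / ".." / "outside",
            "absolute": "/etc",
            "sibling_prefix": str(base) + "-evil",
            "symlink_escape": base / "link" / "x",
        }
        return {name: str(normalize_save_root(value, base).relative_to(base))
                for name, value in inputs.items()}


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name:15} -> {kept}")
```

In the output, `.` means the input was rejected and the base directory was used instead.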

odaysec commented Jan 12, 2026

@tinghuiz @dunbar12138 could you please take a look when you have time? This PR fixes a security issue.
