security(utilities): harden path traversal validation in safe_extract

[SyedaAnshrahGillani]

This PR fixes a security vulnerability in the path traversal validation logic within mindsdb/utilities/fs.py.

The previous implementation relied on os.path.commonprefix, which performs a character-by-character string comparison rather than a path-component-aware check. This made the validation susceptible to bypasses where a malicious target path shares a prefix with the intended directory but resides outside of it (e.g., /app/data incorrectly validating /app/data-secret).

Changes:

• Replaced the flawed os.path.commonprefix check with a robust os.path.relpath validation in __is_within_directory.
• Added more descriptive error messages to safe_extract to provide the specific member name when a traversal attempt is
  detected, aiding in security auditing and debugging.

Fixes # (if there is a related issue, otherwise leave blank)

Type of change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ⚡ New feature (non-breaking change which adds functionality)
• 📢 Breaking change (fix or feature that would cause existing functionality not to work as expected)
• 📄 This change requires a documentation update

Verification Process

To ensure the changes are working as expected:

- Test Location: mindsdb/utilities/fs.py
- Verification Steps:
   1. Verified the logic using a standalone test script to check edge cases:
      - /app/data vs /app/data-secret (Now correctly returns False)
      - /app/data vs /app/data/file.txt (Correctly returns True)
      - /app/data vs /app/other/file.txt (Correctly returns False)
   2. Confirmed that safe_extract correctly raises an exception with the member name when a .. traversal is attempted in a
      mock tarfile.

Checklist:

• My code follows the style guidelines(PEP 8) of MindsDB.
• I have appropriately commented on my code, especially in complex areas.
• Necessary documentation updates are either made or tracked in issues.
• Relevant unit and integration tests are updated or added.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[Syeda-Anshrah-Gillani]

I have read the CLA Document and I hereby sign the CLA