
Fix: Prevent object key normalization in signed URL generation #1548

Open
ryomosao wants to merge 1 commit into beam-cloud:main from ryomosao:fix-joinCleanPath


@ryomosao ryomosao commented Feb 11, 2026

Previously, pkg/abstractions/volume/multipart.go normalized object keys using joinCleanPath. This behavior could alter the target path, creating signed URLs for unintended files and posing a security risk (information leakage).

This change replaces joinCleanPath with simple path joining to preserve the raw object key.


Summary by cubic

Stopped normalizing object keys when building S3 keys for presigned URLs and multipart uploads. This preserves the exact path provided and prevents signed URLs from pointing to unintended files.

  • Bug Fixes
    • Removed joinCleanPath and filepath.Clean; build keys with "/" concatenation.
    • Updated CreatePresignedURL, CreateMultipartUpload, CompleteMultipartUpload, and AbortMultipartUpload to use the raw VolumePath.
    • Reduces risk of information leakage by avoiding path normalization.

Written for commit a1795ee. Summary will update on new commits.
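The effect described above, as an added example that is not code from this pull request or from the project: an object store treats a key as an opaque string, so a key rewritten by lexical cleaning can name a different object than the one requested. `cleanJoin`, `rawJoin`, `keyChanged`, the prefix and the sample paths are all constructed for illustration, and `cleanJoin` only assumes the removed helper behaved like `filepath.Clean` on a joined path.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanJoin is a hypothetical stand-in for a normalizing join. path.Clean
// applies the same lexical rules as filepath.Clean, using "/" separators.
func cleanJoin(parts ...string) string {
	return path.Clean(strings.Join(parts, "/"))
}

// rawJoin builds the key by "/" concatenation and leaves every byte of the
// caller-supplied path as it was.
func rawJoin(parts ...string) string {
	return strings.Join(parts, "/")
}

// keyChanged reports whether normalization would make the signed key differ
// from the key that was actually requested.
func keyChanged(prefix, volumePath string) bool {
	return cleanJoin(prefix, volumePath) != rawJoin(prefix, volumePath)
}

func main() {
	prefix := "volumes/vol-a" // constructed prefix
	samples := []string{      // constructed volume paths
		"data/model.bin",
		"data//model.bin",
		"data/./model.bin",
		"../vol-b/model.bin",
		"dir/",
	}
	for _, p := range samples {
		fmt.Printf("%-22q raw=%-36q clean=%-32q changed=%v\n",
			p, rawJoin(prefix, p), cleanJoin(prefix, p), keyChanged(prefix, p))
	}
}
```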


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file


