fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.2

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go

@@ -46,6 +46,13 @@ func MkdirAllHandle(root *os.File, unsafePath string, mode int) (_ *os.File, Err
 	if mode&^0o7777 != 0 {
 		return nil, fmt.Errorf("%w for mkdir 0o%.3o", errInvalidMode, mode)
 	}
+	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
+	// bits. We could also silently ignore them but since we have very few
+	// users it seems more prudent to return an error so users notice that
+	// these bits will not be set.
+	if mode&^0o1777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir 0o%.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode)
+	}
 
 	// Try to open as much of the path as possible.
 	currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
@@ -120,6 +127,17 @@ func MkdirAllHandle(root *os.File, unsafePath string, mode int) (_ *os.File, Err
 		expectedGid = uint32(unix.Getegid())
 	)
 
+	// The setgid bit (S_ISGID = 0o2000) is inherited to child directories and
+	// affects the group of any inodes created in said directory, so if the
+	// starting directory has it set we need to adjust our expected mode and
+	// owner to match.
+	if st, err := fstatFile(currentDir); err != nil {
+		return nil, fmt.Errorf("failed to stat starting path for mkdir %q: %w", currentDir.Name(), err)
+	} else if st.Mode&unix.S_ISGID == unix.S_ISGID {
+		expectedMode |= unix.S_ISGID
+		expectedGid = st.Gid
+	}
+
 	// Create the remaining components.
 	for _, part := range remainingParts {
 		switch part {