Description
The “example raw scalars” sample plugin serves static content from an arbitrary user-specified path, and is vulnerable to basic directory traversal attacks.

If the plugin is installed to /tmp/workdir/example_raw_scalars and the server is at localhost:6006, then one can read /tmp/test.txt from:

http://localhost:6006/data/plugin/example_raw_scalars/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/tmp/test.txt

(The %2e sequences are needed to prevent some layer of the stack, either WSGI or Werkzeug, from normalizing the path, but this is a super common variation—the first one listed on the OWASP page.)

This plugin’s README explicitly says to copy the entire directory as a starting point and then just change the frontend to create your desired visualization, so security vulnerabilities in the backend are especially important.

(Found while auditing MIME type inference for #3128.)
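As an added illustration (this is not TensorBoard's or the sample plugin's code), the snippet below contrasts a naive path join, which maps the percent-encoded request above onto /tmp/test.txt, with a resolver that percent-decodes first, rejects any `..` segment outright, and then confirms with `os.path.realpath` that the final path still lies under the static directory. The static root path is taken from the report; the function names and the `index.js` sample request are my own assumptions.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Static root from the report (hypothetical install location; it need not exist to run this).
STATIC_ROOT = "/tmp/workdir/example_raw_scalars/static"


def naive_resolve(static_root: str, requested: str) -> str:
    """Flawed pattern: decode and join, trusting the path to stay under the root.

    Werkzeug may hand the handler an already-decoded path, so the "%2e%2e" segments
    become ".." and os.path.normpath happily walks out of the static directory.
    """
    return os.path.normpath(os.path.join(static_root, unquote(requested)))


def resolve_static_path(static_root: str, requested: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if the request must be refused."""
    decoded = unquote(requested)
    # A NUL byte can truncate the path at the OS layer; never pass one to the filesystem.
    if "\x00" in decoded:
        return None
    # Work on URL-style segments; drop empty and "." segments, which are harmless.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    # Refuse every parent-directory segment explicitly, even ones that would "cancel out"
    # (e.g. "sub/../index.js"); an allow-list is easier to reason about than normalization.
    if not segments or any(s == ".." for s in segments):
        return None
    relative = posixpath.join(*segments)
    # Defense in depth: resolve symlinks on both sides and require containment.
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/tmp/test.txt"
    print("naive   :", naive_resolve(STATIC_ROOT, traversal))      # escapes to /tmp/test.txt
    print("hardened:", resolve_static_path(STATIC_ROOT, traversal))  # None (refused)
    print("hardened:", resolve_static_path(STATIC_ROOT, "index.js"))  # served from the root
```

The explicit `..` rejection is what turns a silent escape into a refused request; the `realpath` containment check is kept as a second layer so that a symlink planted inside the static directory cannot be used to reach outside it either.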