fix(cli/permissions): Fix CWD and exec path leaks

[nayeemrmn]

Fixes #5627.
Fixes #5742.
Fixes #5786.

• Add permissions.check_read_blind(path, display) for Deno.cwd() and Deno.execPath(). It allows you to get errors like:
  • PermissionDenied: read access to <CWD>, run again with the --allow-read flag
  • PermissionDenied: read access to <exec_path>, run again with the --allow-read flag
• For FS functions that accept relative paths, only display the resolved path in permission messages if the CWD is allowed. Otherwise use the input path. Example for permission requests:

  • await Deno.permissions.request({ name: "read", path: "../abc" });

  • deno run --unstable temp.ts:
    ⚠️ Deno requests read access to "../abc". Grant? [g/d (g = grant, d = deny)]
  • deno run --unstable --allow-read=. temp.ts:
    ⚠️ Deno requests read access to "/mnt/c/Users/Nayeem/projects/abc". Grant? [g/d (g = grant, d = deny)]
• For Deno.realPath(), check if the CWD is allowed when a relative path is given.
• Add tests.

[ry]

Hey @nayeemrmn - sorry for the slow review - I just now saw this patch. I wish I had gotten it in v1.0.2!

[ry]

@nayeemrmn Gosh - sorry for the slow review again. This looks good to me. Could you please draft a commit message that I can use when squashing this?

[nayeemrmn]

Commit message:

fix(cli/permissions): Fix CWD and exec path leaks

- fix: Add permissions.check_read_blind() to check for read access for a
  directory while anonymizing it in error messages.
- fix: For ops which affect relative paths, only display the resolved
  path in permission messages if the CWD is allowed. Otherwise display
  the input path.
- fix: Deno.realPath(), check if the CWD is allowed when a relative path
  is given.
- refactor: Factor out all path resolution and normalization to
  cli/permissions.rs. This includes paths given as whitelists as well as
  op arguments.

[ry]

LGTM