harden security around attachment functionality and explicitly disallow reading sensitive files

gmail/gmail_tools.py

@@ -22,7 +22,7 @@ from email.utils import formataddr
 from pydantic import Field
 
 from auth.service_decorator import require_google_service
-from core.utils import handle_http_errors
+from core.utils import handle_http_errors, validate_file_path
 from core.server import server
 from auth.scopes import (
     GMAIL_SEND_SCOPE,
@@ -288,7 +288,7 @@ def _prepare_gmail_message(
             try:
                 # If path is provided, read and encode the file
                 if file_path:
-                    path_obj = Path(file_path)
+                    path_obj = validate_file_path(file_path)
                     if not path_obj.exists():
                         logger.error(f"File not found: {file_path}")
                         continue