The attack is outlined in
https://gitlab.com/gitlab-org/gitlab/-/issues/213139. It exploits the
fact that the artifacts endpoint reads `file.path` directly using
`UploadedFile.from_params`.

`file.path` can be given by the user and pass through workhorse. As
such, it's an untrusted source and could contain the path of any file in
`Dir.tmpdir`. This results in creating a `Ci::JobArtifact` pointing to
an arbitrary temporary file.

To counter this, this commit relies on the fact that the upload endpoint
deals with a multipart upload. This type of uploads are handled by
`Gitlab::Middleware::Multipart` which will read the upload file from a
trusted source (the workhorse JWT token) and build a `UploadedFile`
object out of it. Thus, in the Grape endpoint, we can simply read the
param directly and validate that it's an `UploadedFile`.