This commit expands filepathDescendsFrom(string, string) to handle edge cases such as mixing absolute and relative paths or artifact name edge cases.
Additionally, tests for filepathDescendsFrom() and downloadrun() have been expanded to verify additional use cases.
This incorporates the work done by @williammartin to improve reasoning about `gh run download` behavior through testing while verifying a simpler solution to checking if a path is contained within a directory.
This builds off the suggestion to reuse logic used already within `gh run download` for detecting path traversals.
This largely works but runs into an issue where detection logic doesn't handle non-separated traversal.
To prevent zipslip, we verify that each extracted file would fall
strictly under the prefix of the path to extract to. However, this
yielded a false positive when extracting to `.`, which is the default
for downloading a single archive.
- With no arguments in TTY mode, prompt which artifacts to download
- Change `--pattern` argument to be just `--name` and only do exact
matching
- For multi-archive downloads, prefix the destination path with the name
of the artifact
- Add tests exercising HTTP functionality
- Avoid "zipslip" path injection when extracting ZIP files
- Add tests for ZIP extraction
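The containment check the commit messages above argue about, as an added example that is not the gh CLI's own code: `naivePrefixCheck` is a hypothetical string-prefix test of the kind that misfires when the destination is `.` and lets a sibling path sharing the prefix through, and `descendsFrom` (also a hypothetical name) is one way to decide whether a path is contained within a directory while handling mixed absolute and relative inputs and traversal that lands in a sibling.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naivePrefixCheck compares cleaned paths as plain strings. It rejects legitimate
// files when dir is "." (Clean("artifact.zip") does not start with ".") and
// accepts escapes into a sibling that merely shares dir as a string prefix.
func naivePrefixCheck(dir, target string) bool {
	return strings.HasPrefix(filepath.Clean(target), filepath.Clean(dir))
}

// descendsFrom reports whether target lies inside dir (dir itself counts).
// Both paths are made absolute against the same working directory, so a relative
// dir and an absolute target (or vice versa) compare correctly and "." behaves
// like any other directory; an escape then shows up as a leading ".." component.
func descendsFrom(dir, target string) bool {
	absDir, err := filepath.Abs(dir)
	if err != nil {
		return false
	}
	absTarget, err := filepath.Abs(target)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(absDir, absTarget)
	if err != nil {
		return false // e.g. different volumes on Windows: cannot be inside dir
	}
	// Rel returns a cleaned path, so any escape begins with a ".." component.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	cases := [][2]string{ // constructed sample inputs
		{".", "artifact.zip"},         // default destination for a single artifact
		{"out", "out/sub/report.txt"}, // nested file, must be accepted
		{"out", "out/../outside/x"},   // traversal landing in a sibling sharing the prefix
		{"out", "../x"},               // plain traversal
		{"/srv/out", "/srv/outside"},  // absolute sibling sharing the prefix
	}
	for _, c := range cases {
		fmt.Printf("%-10s %-22s naive=%-5v descendsFrom=%v\n",
			c[0], c[1], naivePrefixCheck(c[0], c[1]), descendsFrom(c[0], c[1]))
	}
}
```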