fix: validate TEST_TMPDIR path traversal in getWritableDirs

[Ashutosh0x]

Fixes #29457

Summary

AbstractSandboxSpawnRunner.getWritableDirs() reads TEST_TMPDIR from the action environment and passes it directly to addWritablePath() without validation. A malicious rule can set TEST_TMPDIR to a relative path containing ../ traversal sequences, causing the resolved path to escape the sandbox exec root.

Root Cause

Same class of issue as #3296 (TMPDIR sanitization). The fix was partial -- TMPDIR was sanitized but TEST_TMPDIR was missed.

Variable	Sanitized?	Risk
TMPDIR	Yes	None (fixed in #3296)
TEST_TMPDIR	No	Traversal sequences can escape sandbox

Fix

Added validateTestTmpdir() using PathFragment.containsUplevelReferences() to reject ../ traversal before addWritablePath(). Absolute paths are allowed (legitimate via --test_tmpdir).

Related

• linux-sandbox: SandboxStash reads TEST_SRCDIR from action env without validation, enabling path traversal outside sandboxExecRoot with --reuse_sandbox_directories #29476 / PR fix: validate TEST_SRCDIR in SandboxStash to prevent path traversal outside sandboxExecRoot #29631 -- sister issue (TEST_SRCDIR)
• Bazel passes through TMPDIR by default, but sandbox doesn't #3296 -- prior TMPDIR fix
• hermetic linux-sandbox: mount target creation can follow pre-seeded symlinks under sandbox_root and create host paths outside sandbox_root #28515 / PR fix: use lstat() in CreateTarget to prevent symlink traversal outside sandbox_root #29645 -- symlink following fix

[Ashutosh0x]

Hi @meteorcloudy @iancha1992 — Requesting review on this security fix. It validates TEST_TMPDIR paths in getWritableDirs to prevent path traversal outside the sandbox. Minimal change, ready for merge. Thanks!

[iancha1992]

cc: @meisterT @Wyverald