fix: sanitize inspect output path

[AustinAbro321]

Description

This prevents package name that's been edited to go an arbitrary directory from leaving the cwd when using zarf package inspect definition or zarf package inspect sbom

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	9c9f43e
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69d68c59c9f15b0008bf4526

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 3 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/pkg/packager/create.go	0.00%	2 Missing ⚠️
src/cmd/package.go	50.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
src/pkg/packager/layout/package.go	65.01% <100.00%> (+0.13%)	⬆️
src/cmd/package.go	38.08% <50.00%> (ø)
src/pkg/packager/create.go	55.31% <0.00%> (-0.60%)	⬇️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[dgershman]

Code & Security Review

Critical Issues

None.

Security Review

Strengths:

• Correctly fixes a path traversal vulnerability where a maliciously crafted package name (e.g., ../../etc/evil) could write SBOM or documentation files outside the intended output directory.
• filepath.Base() is the right mitigation — it strips all directory components, preventing traversal while preserving the actual name.
• Fix is applied consistently across all three affected call sites:
  • src/cmd/package.go — SBOM inspect output path
  • src/cmd/package.go — documentation inspect output path
  • src/pkg/packager/create.go — SBOM output during package create

Minor Observation:

• filepath.Base("") returns ".", which would produce an output path like outputDir/. — but an empty package name is an edge case that would likely be caught by other validation. Not a blocking issue.
• No test is added for the sanitization. A unit test verifying that a name like ../../traversal is sanitized to traversal would strengthen confidence, but the fix itself is straightforward enough that this isn't blocking.

Code Quality

• Clean, minimal change with appropriate comments explaining the "why."
• No unnecessary refactoring.

Summary Table

Priority	Issue
🟢 Green	Consider adding a test for path traversal sanitization
🟢 Green	Edge case: empty package name produces "." via filepath.Base("") (unlikely in practice)

Recommendation: Approve — the fix is correct, minimal, and consistently applied across all affected paths.

[brandtkeller]

lgtm