Validate Windows layer paths before conversion

[SolsticeSpectrum]

What

Reject unsafe tar entry names before converting a regular layer into a Windows-compatible layer.

Windows currently prefixes each source entry with Files/, but it does so through path.Join, which also cleans parent directory components. This means an input name such as ../Hives/escaped.txt is normalized outside the intended Files/ prefix.

This change validates the source tar path before joining it under Files/:

• reject absolute paths
• reject paths that clean to ..
• reject paths that clean under ../
• keep existing behavior for layers already using the Files/ prefix

Why

The Windows conversion code creates Files and Hives top-level directories. Source filesystem entries should not be able to escape the Files/ namespace during conversion.

Tests

go test ./internal/windows -count=1
go test ./pkg/crane -count=1
PATH="$(go env GOPATH)/bin:$PATH" ./hack/presubmit.sh

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.