
Prevent Absolute Symlinks in SRPM Source Archives #244

@mizdebsk

Description

As a Java package maintainer,
I want javapackages-validator to detect and reject source tarballs and zip archives in SRPMs that contain absolute symlinks,
so that I can prevent the inclusion of potentially malicious archives that could exploit the Zip Slip vulnerability, ensuring safer and more secure package builds.


Acceptance Criteria

  • The validator scans all source archives (.zip, .tar, .tar.gz, etc.) included in the SRPM.
  • It fails validation if it finds any symlink with an absolute path (i.e., symlink target starts with /).
  • The error output must include:
    • The name of the source archive
    • The path of the symlink within the archive
    • The absolute path it points to

Test Cases

  • Valid Case: Archive contains only regular files and relative symlinks
    Validation passes

  • Invalid Case: Archive contains one or more absolute symlinks
    Validation fails, each symlink reported

  • Mixed Case: Archive contains both relative and absolute symlinks
    Validation fails, only absolute symlinks reported in the error message
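
One way to implement the check the acceptance criteria describe and to exercise the three test cases, as an added standalone example in Python; it is not javapackages-validator's own code. The archive names (good-1.0.tar.gz, bad-1.0.zip, mixed-1.0.tar.gz), their contents, and every function name are constructed for the example. Tar members are checked through tarfile's symlink type and link name; zip members are recognised as symlinks by the Unix mode bits that Unix-created zips store in the high 16 bits of external_attr, with the member's content being the link target.

```python
import io
import stat
import tarfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AbsoluteSymlink:
    """One finding: the three facts the error output must carry."""
    archive: str   # name of the source archive
    path: str      # path of the symlink within the archive
    target: str    # the absolute path it points to


def is_absolute_target(target: str) -> bool:
    # Acceptance criterion: a symlink is absolute iff its target starts with "/".
    return target.startswith("/")


def scan_tar(name: str, data: bytes) -> List[AbsoluteSymlink]:
    found = []
    # "r:*" lets tarfile detect gzip/bz2/xz/plain, so .tar and .tar.gz share one code path.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            # issym() matches symlinks only; hard links (islnk()) have no path target to check.
            if m.issym() and is_absolute_target(m.linkname):
                found.append(AbsoluteSymlink(name, m.name, m.linkname))
    return found


def scan_zip(name: str, data: bytes) -> List[AbsoluteSymlink]:
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            # Unix-created zips keep st_mode in the high 16 bits of external_attr;
            # for a symlink entry the member's content is the link target.
            if stat.S_ISLNK(zi.external_attr >> 16):
                target = zf.read(zi).decode("utf-8", errors="replace")
                if is_absolute_target(target):
                    found.append(AbsoluteSymlink(name, zi.filename, target))
    return found


def scan_archive(name: str, data: bytes) -> List[AbsoluteSymlink]:
    """All absolute symlinks in one archive; an empty list means the archive is clean."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_zip(name, data)
    return scan_tar(name, data)


def validate_sources(sources: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Check every source archive of an SRPM; returns (passed, one error line per absolute symlink)."""
    errors = []
    for name in sorted(sources):
        for hit in scan_archive(name, sources[name]):
            errors.append(f"{hit.archive}: symlink {hit.path} -> {hit.target} is absolute")
    return (not errors, errors)


# --- constructed sample archives for the three test cases (hypothetical, not real sources) ---

Entry = Tuple[str, Optional[str]]  # (path, None) = regular file, (path, target) = symlink


def make_tar(entries: List[Entry]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, target in entries:
            ti = tarfile.TarInfo(path)
            if target is None:
                payload = b"hello\n"
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
            else:
                ti.type = tarfile.SYMTYPE
                ti.linkname = target
                tf.addfile(ti)
    return buf.getvalue()


def make_zip(entries: List[Entry]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, target in entries:
            zi = zipfile.ZipInfo(path)
            if target is None:
                zi.external_attr = (stat.S_IFREG | 0o644) << 16
                zf.writestr(zi, b"hello\n")
            else:
                zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
                zf.writestr(zi, target)                          # content = link target
    return buf.getvalue()


VALID = {"good-1.0.tar.gz": make_tar([("good-1.0/README", None), ("good-1.0/doc", "README")])}
INVALID = {"bad-1.0.zip": make_zip([("bad-1.0/etc", "/etc"), ("bad-1.0/passwd", "/etc/passwd")])}
MIXED = {"mixed-1.0.tar.gz": make_tar([("mixed-1.0/a", None), ("mixed-1.0/rel", "a"),
                                       ("mixed-1.0/abs", "/usr/lib/jvm")])}

if __name__ == "__main__":
    for label, srpm_sources in (("valid", VALID), ("invalid", INVALID), ("mixed", MIXED)):
        ok, errs = validate_sources(srpm_sources)
        print(label, "PASS" if ok else "FAIL")
        for line in errs:
            print("  ", line)
```

Two caveats worth keeping in mind when reading the output: the zip branch can only see symlinks that the archiver recorded as Unix mode bits, which is also the only form an extractor would turn back into a symlink; and the criterion as written flags targets beginning with "/" only, so a relative target that climbs out of the extraction root with "../" components is not reported by this check.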

Metadata

Assignees: No one assigned
Labels: No labels
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests