Fix path traversal in download_dir via server-controlled filenames

[TristanInSec]

Summary

• download_dir() parses filenames from Get-ChildItem stdout and passes them directly to File.join() to build local file paths
• A rogue server can return filenames containing ../ sequences (e.g. ../../.ssh/authorized_keys), causing files to be written outside the intended download directory
• Ruby's File.join does not sanitize traversal sequences: File.join("/home/user/loot", "../../.ssh/authorized_keys") resolves to /home/user/.ssh/authorized_keys

Fix

Use File.basename() on server-supplied filenames for the local path construction only. The remote download path still uses the original filename so the correct file is fetched. Entries that resolve to empty, ., or .. are skipped.

Steps to reproduce

1. Set up a rogue Windows server that returns crafted filenames via Get-ChildItem
2. Connect with evil-winrm and run download C:\loot\*
3. Server returns filename ../../.ssh/authorized_keys
4. File is written to ~/.ssh/authorized_keys instead of the download directory

[cybervaca]

Thanks for the PR and for reporting this issue.

Could you please re-submit the PR against the dev branch instead of master? We do not accept pull requests directly into master.

Once it is opened against dev, we will review it there.

Thanks again for the contribution.

[TristanInSec]

Done -- rebased the PR to target dev. Thanks for the heads-up.

[OscarAkaElvis]

I've been doing some tests and everything looks good to me. Merging.