Arbitrary File Write in postman_download module
Description
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker to write arbitrary files to the user's system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products: 1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the workspace name field allows path traversal when constructing the output directory path."
Attack vector
An attacker hosts a malicious Postman workspace whose `name` field contains path-traversal sequences (e.g., `../`). When the BBOT `postman_download` module processes this workspace, `pathlib` resolves the traversal outside the intended output directory, allowing the attacker to write arbitrary files (a ZIP archive containing workspace JSON data) to any location the user can write. The attacker must first get the victim to scan the malicious workspace (e.g., by publishing it publicly or tricking the user into importing it). [ref_id=1]
Affected code
The `save_workspace` method in `bbot/modules/postman_download.py` builds the local directory path by joining `self.output_dir` with `workspace["name"]` via pathlib, without sanitizing the workspace name for path-traversal characters. The same unsanitized name is also used as a filename inside the ZIP archive.
What the fix does
The patch introduces two defenses. First, `self.helpers.tagify(name)` sanitizes the workspace name before using it as a directory name, stripping or encoding traversal characters. Second, a runtime check verifies that the resolved path is still relative to the intended output directory; if not, the operation is aborted with a warning. The same sanitization is applied to collection names used inside the ZIP file. [patch_id=6466798]
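The two layers described above, sanitize the name and then verify that the resolved path is still inside the output directory, are illustrated here as an added example written for this page. It is not BBOT's own `save_workspace` or `tagify` code: `tagify_name` is an assumed approximation of what a tagify-style helper does, and the workspace and collection names are constructed samples.

```python
"""Added example for this advisory: a hardened mapping from an untrusted
Postman workspace name to a local directory. Not BBOT's code; the sanitizer
below is an assumed approximation of a tagify()-style helper."""
import re
from pathlib import Path
from typing import Optional


def tagify_name(name: str) -> str:
    """Reduce an untrusted name to a single safe path component: lowercase,
    collapse every run of characters outside [a-z0-9] into one hyphen and trim
    the ends. '/', '\\' and '.' cannot survive, so neither '..' nor separators
    do. (Assumed behaviour, not a copy of BBOT's tagify.)"""
    tag = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
    return tag or "unnamed"


def is_contained(base: Path, candidate: Path) -> bool:
    """True if `candidate`, after resolving '..' segments and symlinks, is
    `base` itself or lies below it. Both sides are resolved so that a
    symlinked output directory still compares equal to itself."""
    base = base.resolve()
    candidate = candidate.resolve()
    return candidate == base or base in candidate.parents


def raw_name_is_contained(output_dir: str, workspace_name: str) -> bool:
    """The runtime containment check alone, applied to the unsanitized name.
    Shows what the second defense catches if the sanitizer were absent."""
    base = Path(output_dir)
    return is_contained(base, base / workspace_name)


def workspace_dir(output_dir: str, workspace_name: str) -> Optional[str]:
    """Directory a workspace should be saved to, or None if the path would
    escape `output_dir`. Layer 1 sanitizes; layer 2 verifies containment of
    the resolved path. Layer 2 should be unreachable after layer 1, but it
    protects against later changes to the sanitizer (defense in depth)."""
    base = Path(output_dir)
    candidate = base / tagify_name(workspace_name)
    if not is_contained(base, candidate):
        return None  # caller logs a warning and skips this workspace
    return str(candidate.resolve())


def zip_member_name(collection_name: str) -> str:
    """Filename for a collection inside the workspace ZIP. The same sanitizer
    keeps archive members from carrying traversal sequences to whoever later
    extracts the archive."""
    return f"{tagify_name(collection_name)}.json"


if __name__ == "__main__":
    # Constructed sample names: one benign, one carrying traversal sequences.
    for name in ["My Team Workspace", "../../../../tmp/evil"]:
        print(repr(name), "->", workspace_dir("/tmp/bbot_out", name),
              zip_member_name(name), raw_name_is_contained("/tmp/bbot_out", name))
```

The containment check compares resolved paths on both sides rather than string prefixes, so `/tmp/bbot_out` does not accidentally accept `/tmp/bbot_out2`, and a symlinked output directory does not produce a false rejection.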
Preconditions
- Input: The victim must run BBOT with the postman_download module enabled and process a workspace whose name contains path-traversal sequences.
- Network: The attacker must control a Postman workspace (e.g., by publishing it publicly or tricking the user into importing it).
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.