fix(download_file): sanitize windows separators and add regression test

Agent-Logs-Url: https://github.com/fabiocaccamo/python-fsutil/sessions/6af6fe4f-2ec3-4e2e-91e3-8ec6fa5cbe5f

Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>

Author: Copilot

src/fsutil/operations.py

@@ -214,7 +214,8 @@ def download_file(
             filename_match = re.search(filename_pattern, content_disposition)
             if filename_match:
                 # sanitize Content-Disposition filename to prevent path traversal
-                filename = os.path.basename(filename_match.group(1))
+                filename = filename_match.group(1).replace("\\", "/")
+                filename = os.path.basename(filename)
             # or detect filename from url
             if not filename:
                 filename = get_filename(url)

tests/test_operations.py

@@ -232,6 +232,33 @@ def test_download_file_without_requests_installed(temp_path):
             fsutil.download_file(url, dirpath=temp_path())
 
 
+def test_download_file_content_disposition_filename_is_sanitized(temp_path):
+    class MockResponse:
+        headers = {"content-disposition": 'attachment; filename="..\\..\\evil.txt"'}
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, exc_type, exc_val, exc_tb):
+            return None
+
+        def raise_for_status(self):
+            return None
+
+        def iter_content(self, chunk_size=1):
+            yield b"hello world"
+
+    class MockRequests:
+        def get(self, *args, **kwargs):
+            return MockResponse()
+
+    with patch("fsutil.operations.require_requests", return_value=MockRequests()):
+        path = fsutil.download_file("https://example.com/file.txt", dirpath=temp_path())
+        assert fsutil.exists(path)
+        assert fsutil.get_filename(path) == "evil.txt"
+        assert path == temp_path("evil.txt")
+
+
 def test_list_dirs(temp_path):
     for i in range(0, 5):
         fsutil.create_dir(temp_path(f"a/b/c/d-{i}"))