Build test tarballs without hex_core path validation

hex_core 0.16.0 validates paths in `:hex_tarball.create_docs/1`, rejecting
unsafe paths like `dir/../../baz.html`. The `Hexdocs.Tar.create/1` test
helper relies on being able to produce such tarballs to exercise the
unpacker's defense against malicious uploads, so build the tarball with
`:hex_erl_tar` directly and gzip it.

Author: ericmj

lib/hexdocs/tar.ex

@@ -2,9 +2,20 @@ defmodule Hexdocs.Tar do
   require Logger
 
   def create(files) do
-    files = for {path, contents} <- files, do: {String.to_charlist(path), contents}
-    {:ok, tarball} = :hex_tarball.create_docs(files)
-    tarball
+    path = Path.join(System.tmp_dir!(), "hexdocs-tar-#{System.unique_integer([:positive])}")
+    {:ok, tar} = :hex_erl_tar.open(path, [:write])
+
+    try do
+      Enum.each(files, fn {name, contents} ->
+        :ok = :hex_erl_tar.add(tar, contents, String.to_charlist(name), [])
+      end)
+    after
+      :ok = :hex_erl_tar.close(tar)
+    end
+
+    data = File.read!(path)
+    File.rm!(path)
+    :zlib.gzip(data)
   end
 
   def unpack_to_dir({:file, path}, opts \\ []) do