security: reject artifact symlink escapes

[dfgvaetyj3456356-hash]

Summary

This PR hardens shared artifact tar creation so symlinks or junctions inside source/model directories cannot resolve outside the intended source root before being archived.

create_tar_file() currently opens tar archives with dereference=True, so a link inside a packaged directory can be stored as the target file contents. The new validation walks each directory source before archiving and rejects links/junctions whose resolved target is outside that source root. Plain files and links that resolve inside the source root continue to work.

This also closes the temporary file descriptor returned by mkstemp() before reopening the tar path, which fixes Windows cleanup behavior in the existing tar tests.

Scope

This is packaging/upload-side hardening. It is separate from #5905, which is extraction-side validation.

Tests

python -m pytest sagemaker-core\tests\unit\test_common_utils.py::TestCreateTarFile -q
# 3 passed, 2 skipped locally on Windows where symlink creation is unavailable

python -m ruff check --select F821 sagemaker-core/src/sagemaker/core/common_utils.py sagemaker-core/tests/unit/test_common_utils.py
# All checks passed!

python -m py_compile sagemaker-core\src\sagemaker\core\common_utils.py sagemaker-core\tests\unit\test_common_utils.py

git diff --check