Pipe: Harden legacy pipe file transfer validation and access checks

[Caideyipi]

Description

This PR hardens the legacy pipe receiver file-transfer path and aligns its RPC access checks with normal client-
session expectations.

Changes

• Validate legacy pipe receiver file names before any file I/O.
• Reject empty names, path separators, .., and normalized paths outside the receiver file-data directory.
• Apply the same file-name validation when handling received TsFilePipeData.
• Require an authenticated session with USE_PIPE privilege for legacy handshake, sendFile, and sendPipeData.
• Make the legacy pipe sink open a normal client session before invoking legacy pipe RPCs, preserving built-in
  connector behavior.
• Add focused unit coverage for rejected unsafe names and accepted normal file writes.

Tests

• mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' 'spotless:apply'
• git diff --check
• mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' '-Dtest=IoTDBLegacyPipeReceiverAgentTest' 'test'

---

This PR has:

• been self-reviewed.
  • concurrent read
  • concurrent write
  • concurrent read and write
• added documentation for new or modified features or behaviors.
• added Javadocs for most classes and all non-trivial methods.
• added or updated version, license, or notice information
• added comments explaining the "why" and the intent of the code wherever would not be obvious
  for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold
  for code coverage.
• added integration tests.
• been tested in a test IoTDB cluster.

---

Key changed/added classes (or packages if there are too many classes) in this PR

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[luoluoyuyu]

Review 总结

安全加固到位：

1. resolveFileInFileDataDir 统一路径校验，封堵 ../ 等路径遍历
2. legacy sink 增加 openSession 认证
3. handshake / sendPipeData / sendFile 增加 USE_PIPE 权限检查

建议尽快合入（安全类）。行内 1 条建议补 IT。

[luoluoyuyu]

👍 使用 PipeReceiverFilePathUtils.resolveFilePath 替代 new File(fileDir, fileName) 是正确的修复。

建议补 IT（可 follow-up）：

• transportFile 传入 ../../../etc/passwd 类 fileName → 期望 SYNC_FILE_ERROR
• 正常 tsFile 名仍可续传

同时确认 getIllegalError4Directory 对 foo/bar（子路径）与 .. 的覆盖与 thrift 协议文档一致。

[luoluoyuyu]

👍 checkLegacyPipeReceiverPermission 要求已登录 + USE_PIPE system 权限，堵住未授权 legacy pipe 文件写入。

兼容性提醒：升级后旧版 sink（未 openSession）会在 handshake 失败。PR 已在 IoTDBLegacyPipeSink.openClientSession() 处理发送侧，需确保 source/target 0.14+ 成对升级 或 release note 标明 breaking change。