fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS

Tar Slip (CWE-22) — 3 import services:
  threat_actor, lolbas, caldera: add path validation before extractall()
  to prevent malicious zip members with ../ escaping the target directory.
  (sigma, elastic, atomic already had this protection)

Path Traversal (CWE-23) — professional_reports.py:
  Add _assert_safe_report_path() check on all 5 report endpoints to
  verify the generated filepath stays within REPORT_OUTPUT_DIR.

Open Redirect (CWE-601) — sso.py:
  Validate IdP redirect URL scheme (must be http/https) before
  issuing RedirectResponse, blocking javascript: and data: redirects.

DOM XSS (CWE-79) — 4 frontend pages:
  Create src/utils/url.ts with safeUrl() that rejects non-http/https
  protocols; apply to actor.mitre_url, ref.url, intel.url.
  Sanitize framework name to alphanumeric-only before DOM insertion.
  Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp).

Hardcoded credentials (CWE-798):
  verify_gaps.py, create_wiki.py: replace literal passwords with
  environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).

backend/app/services/lolbas_import_service.py

@@ -151,11 +151,15 @@ def _download_zip(url: str) -> bytes:
 # Define function _extract_zip
 def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
     """Extract *zip_bytes* into *dest* and return the root directory."""
-    # Open context manager
+    dest_path = Path(dest).resolve()
     with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
-        # Call zf.extractall()
+        for member in zf.infolist():
+            target = (dest_path / member.filename).resolve()
+            if not target.is_relative_to(dest_path):
+                raise ValueError(
+                    f"Zip Slip detected — '{member.filename}' resolves outside target directory"
+                )
         zf.extractall(dest)
-    # Return Path(dest)
     return Path(dest)