
harden car cli extract command against symlink traversal attacks

Open willscott opened this issue 2 years ago • 0 comments

It may be possible for a malformed car to specify a symlink, and then later in the same directory specify another entry with the same name, which could then be written into the destination of the symlink.

This should already be safe, since the final destination path is resolved and required to be within the extraction directory, but testing is needed to ensure these edge cases are properly caught as errors.

willscott avatar Nov 15 '21 15:11 willscott
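The check the issue relies on (resolve the final destination and require it to stay inside the extraction directory), written out as an added Go example; this is not go-car's own extract code. The names `safeDestination`, `extractEntry`, `within` and `ErrOutsideRoot` are my own, and the symlink scenario built in `main` is constructed. It goes slightly beyond the issue text in also refusing a dangling symlink, which cannot be resolved and so cannot be proven safe.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when an archive entry would land outside the extraction directory.
var ErrOutsideRoot = errors.New("extract: entry resolves outside the extraction directory")

// within reports whether p is root itself or lies beneath root (lexically, after cleaning).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeDestination maps an entry name from the archive to the on-disk path it may be
// written to, or returns ErrOutsideRoot. It checks the name lexically ("../x") and then
// walks the path component by component, resolving any symlink that already exists on
// disk (for example one written by an earlier entry) before deciding.
func safeDestination(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Canonicalise root itself so every comparison below uses the same form.
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}

	// Lexical check: Join treats an absolute name as relative to root, so only
	// ".." segments can escape at this stage.
	dest := filepath.Join(absRoot, filepath.FromSlash(name))
	if !within(absRoot, dest) {
		return "", ErrOutsideRoot
	}

	// Physical check: follow what is already on disk, one component at a time.
	rel, _ := filepath.Rel(absRoot, dest)
	cur := absRoot
	for _, comp := range strings.Split(rel, string(filepath.Separator)) {
		next := filepath.Join(cur, comp)
		fi, err := os.Lstat(next)
		switch {
		case errors.Is(err, os.ErrNotExist):
			// Nothing exists here yet; the component will be created fresh.
		case err != nil:
			return "", err
		case fi.Mode()&os.ModeSymlink != 0:
			resolved, err := filepath.EvalSymlinks(next)
			if err != nil {
				// Dangling or unreadable link: refuse rather than guess where a write would land.
				return "", ErrOutsideRoot
			}
			next = resolved
		}
		if !within(absRoot, next) {
			return "", ErrOutsideRoot
		}
		cur = next
	}
	return cur, nil
}

// extractEntry writes one file entry after vetting its destination. Directories on the
// vetted path are created as needed; an existing regular file is truncated.
func extractEntry(root, name string, data []byte) error {
	dest, err := safeDestination(root, name)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	return os.WriteFile(dest, data, 0o644)
}

func main() {
	root, _ := os.MkdirTemp("", "extract-root-")
	outside, _ := os.MkdirTemp("", "outside-")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)

	// Constructed scenario from the issue: an earlier entry planted a symlink to a
	// directory outside the extraction root, and a later entry names a file beneath it.
	_ = os.Symlink(outside, filepath.Join(root, "dir"))
	for _, name := range []string{"dir/passwd", "../escape", "ok/file.txt"} {
		err := extractEntry(root, name, []byte("constructed payload\n"))
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

The walk uses `os.Lstat` rather than a single `EvalSymlinks` on the full path so that a symlink in the final component is caught as well as one in a parent, and so that a dangling link (which `EvalSymlinks` reports as not existing) is rejected instead of being treated as a fresh file. There is still a window between the check and the write; that is acceptable only when the extractor is the sole writer into the target directory, which is the normal case for a CLI extract.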