[results-processor] will overwrite files when extracting from a ZIP

[gsnedders]

In the following:

wpt.fyi/results-processor/processor.py

Lines 200 to 210 in d6339c4

	with zipfile.ZipFile(artifact, mode='r') as z:
	for f in z.infolist():
	if f.is_dir():
	continue
	basename = posixpath.basename(f.filename)
	if fnmatch.fnmatchcase(basename, 'wpt_report*.json'):
	path = z.extract(f, path=self._temp_dir)
	self.results.append(path)
	elif fnmatch.fnmatchcase(basename, 'wpt_screenshot*.txt'):
	path = z.extract(f, path=self._temp_dir)
	self.screenshots.append(path)

There's nothing stopping us from overwriting files that already exist when extracting, and it's hard to check for in advance given ZipFile.extract does some normalization of the path.

This would be bad if someone uploaded archive1.zip and archive2.zip, both containing wptreport.json and wptscreenshot.txt, which feels like a totally sensible thing to do.

We should probably just create a new temporary directory within self._temp_dir (via tempdir.mkdtemp(dir=self._temp_dir) for each archive file we're processing, and extract into that. This still isn't totally safe, but for there to be any risk you really need someone trying to be malicious.