Pipe: Harden legacy pipe file transfer validation and access checks #17741

Open
Caideyipi wants to merge 2 commits into master from norm


@Caideyipi
Collaborator

Description

This PR hardens the legacy pipe receiver file-transfer path and aligns its RPC access checks with normal client-session expectations.

Changes

  • Validate legacy pipe receiver file names before any file I/O.
  • Reject empty names, path separators, .., and normalized paths outside the receiver file-data directory.
  • Apply the same file-name validation when handling received TsFilePipeData.
  • Require an authenticated session with USE_PIPE privilege for legacy handshake, sendFile, and sendPipeData.
  • Make the legacy pipe sink open a normal client session before invoking legacy pipe RPCs, preserving built-in
    connector behavior.
  • Add focused unit coverage for rejected unsafe names and accepted normal file writes.

Tests

  • mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' 'spotless:apply'
  • git diff --check
  • mvn '-Ddevelocity.off=true' '-Dscan=false' '-pl' 'iotdb-core/datanode' '-Dtest=IoTDBLegacyPipeReceiverAgentTest' 'test'

This PR has:

  • been self-reviewed.
    • concurrent read
    • concurrent write
    • concurrent read and write
  • added documentation for new or modified features or behaviors.
  • added Javadocs for most classes and all non-trivial methods.
  • added or updated version, license, or notice information
  • added comments explaining the "why" and the intent of the code wherever would not be obvious
    for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold
    for code coverage.
  • added integration tests.
  • been tested in a test IoTDB cluster.

Key changed/added classes (or packages if there are too many classes) in this PR


@luoluoyuyu luoluoyuyu left a comment


Review summary

Hardens legacy pipe file transfer: resolveFileInFileDataDir validates file names and resolves paths safely; transportFile uses resolved files for index checks; ClientRPCServiceImpl enforces login and USE_PIPE before handshake, sendPipeData, and sendFile; legacy sink opens a session before transfer.

Recommend merging. Optional IT for malicious file names noted inline.

+ illegalError);
}

return PipeReceiverFilePathUtils.resolveFilePath(Paths.get(fileDir), fileName).toFile();
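Review bot: the final `return PipeReceiverFilePathUtils.resolveFilePath(Paths.get(fileDir), fileName).toFile();` relies entirely on resolveFilePath to keep the result under fileDir, and nothing in this hunk shows or documents that contract. Add a Javadoc line on this method stating that it throws when the normalized path leaves fileDir, and confirm the helper compares path elements against the normalized absolute directory rather than a string prefix, since a prefix comparison would accept a sibling directory whose name starts with the same characters.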

Good fix: PipeReceiverFilePathUtils.resolveFilePath plus illegal-name checks block path traversal in transportFile and handleTsFilePipeData. Consider adding an integration test with a malicious fileName expecting SYNC_FILE_ERROR.
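The file-name checks listed under Changes in the PR description, sketched as a stand-alone Java method. This is an added example, not code from this PR or from IoTDB: the class and method names (`ReceiverFileNameCheck`, `resolveInside`), the temporary directory and the sample names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical class, not IoTDB's PipeReceiverFilePathUtils.
public final class ReceiverFileNameCheck {

  /** Returns the path for fileName inside baseDir, or throws if the name is unsafe. */
  static Path resolveInside(Path baseDir, String fileName) throws IOException {
    if (fileName == null || fileName.isEmpty()) {
      throw new IOException("empty file name");
    }
    // Reject both separator styles: the sender may run on a different OS.
    // NUL is rejected too, since Path.resolve can throw an unchecked exception on it.
    if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
        || fileName.indexOf('\0') >= 0) {
      throw new IOException("file name contains a path separator or NUL");
    }
    if (fileName.equals(".") || fileName.equals("..")) {
      throw new IOException("file name is a relative directory reference");
    }
    Path base = baseDir.toAbsolutePath().normalize();
    Path target = base.resolve(fileName).normalize();
    // Path.startsWith compares whole name elements, so a sibling such as
    // "file-data-old" does not pass as being under "file-data".
    if (target.equals(base) || !target.startsWith(base)) {
      throw new IOException("file name resolves outside the receiver directory");
    }
    return target;
  }

  public static void main(String[] args) throws IOException {
    Path dir = Files.createTempDirectory("file-data"); // constructed receiver dir
    // Constructed sample names: one normal, the rest cover each rejected case.
    String[] names = {"1-0-0.tsfile", "", "..", "../outside.tsfile", "sub/1.tsfile", "..\\x"};
    for (String name : names) {
      try {
        System.out.println("accepted: " + resolveInside(dir, name).getFileName());
      } catch (IOException e) {
        System.out.println("rejected \"" + name + "\": " + e.getMessage());
      }
    }
  }
}
```

`normalize()` is purely lexical and does not follow symbolic links, so a deployment where the receiver directory can contain links needs an additional `toRealPath()` comparison before writing.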

return getNotLoggedInStatus();
}
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(clientSession.getUsername(), PrivilegeType.USE_PIPE),
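Review bot: both return paths in this hunk, `getNotLoggedInStatus()` and the `checkSystemPermission(..., PrivilegeType.USE_PIPE)` result, are untested; the Codecov report on this page shows 0.00% patch coverage for ClientRPCServiceImpl.java with 23 lines missing. Add unit tests that call the legacy handshake, sendFile and sendPipeData handlers once with no logged-in session and once with a user lacking USE_PIPE, and assert the rejection status in each case.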

Requiring login and USE_PIPE before legacy pipe RPCs closes unauthenticated file transfer. Document that legacy sinks must call openSession (as done in IoTDBLegacyPipeSink in this PR) when upgrading.


codecov Bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 25.00000% with 42 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.70%. Comparing base (7563ac8) to head (4d8ca74).
⚠️ Report is 34 commits behind head on master.

Files with missing lines                                 Patch %   Lines
.../db/protocol/thrift/impl/ClientRPCServiceImpl.java    0.00%     23 Missing ⚠️
...pipe/sink/protocol/legacy/IoTDBLegacyPipeSink.java    0.00%     16 Missing ⚠️
.../protocol/legacy/IoTDBLegacyPipeReceiverAgent.java    82.35%    3 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master   #17741      +/-   ##
============================================
+ Coverage     40.55%   40.70%   +0.15%     
- Complexity     2574     2610      +36     
============================================
  Files          5179     5184       +5     
  Lines        349896   350891     +995     
  Branches      44727    44893     +166     
============================================
+ Hits         141890   142821     +931     
- Misses       208006   208070      +64     
