Improve PathHelpers validation with GetFullPath check

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

Author: Copilot

src/DemaConsulting.TemplateDotNetTool/PathHelpers.cs

@@ -44,6 +44,17 @@ internal static string SafePathCombine(string basePath, string relativePath)
         // 1. relativePath doesn't contain ".." (path traversal)
         // 2. relativePath is not an absolute path (IsPathRooted check)
         // This ensures the combined path will always be under basePath
-        return Path.Combine(basePath, relativePath);
+        var combinedPath = Path.Combine(basePath, relativePath);
+        
+        // Additional validation: ensure the combined path is still under the base path
+        var fullBasePath = Path.GetFullPath(basePath);
+        var fullCombinedPath = Path.GetFullPath(combinedPath);
+        
+        if (!fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new ArgumentException($"Invalid path component: {relativePath}", nameof(relativePath));
+        }
+        
+        return combinedPath;
     }
 }