entrypoint-aws-batch: Keep ../ path parts in ZIP archive members during extraction

The default of stripping ../ parts in member paths is a (good!)
restriction for safety and security, but such paths do not pose any
(additional) risk in the context of our Nextstrain runtime containers.
We're already downloading and executing arbitrary user-supplied code, so
the ability to overwrite system files with ZIP archive members is not
any additional privilege.

Keeping the ../ parts will allow Nextstrain CLI to construct ZIP
archives for jobs which write to new sibling paths of /nextstrain/build
in the container.  This will be used for including pathogen workflow
source separate (e.g. in /nextstrain/pathogen) from the analysis working
directory (/nextstrain/build).  It can also be used to support
Nextstrain CLI's existing --augur, --auspice, etc. overlays on AWS
Batch, though a few other changes are required for that too (coming
soon).

Note that Nextstrain CLI does *not* permit ../ path parts when
extracting from these same ZIP archives (e.g. after a job completes to
download results), as that *would* be additional risk.  Currently it
strips ../ parts, like unzip's default behaviour, but that will change
soon to entirely skip archive members containing ../ parts.

Author: tsibley

entrypoint-aws-batch

@@ -8,7 +8,7 @@ set -x
 case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
     s3://*.zip)
         aws s3 cp --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
-        unzip "$PWD.zip"
+        unzip -: "$PWD.zip"
         ;;
     s3://*)
         # Note that this doesn't preserve file permissions/modes.