Reject Windows drive-relative and UNC paths in ValidateOutputPath

filepath.IsAbs misses drive-relative paths (C:foo, C:..\evil) and UNC
paths (\\server\share) on Windows. Add a filepath.VolumeName check to
catch these. Add Windows-only test cases for C:\, C:relative, C:..\,
and UNC paths.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: wesm

internal/export/attachments.go

@@ -207,6 +207,11 @@ func ValidateOutputPath(outputPath string) error {
 	if filepath.IsAbs(cleaned) {
 		return fmt.Errorf("output path %q is absolute; use a relative path", outputPath)
 	}
+	// Reject Windows drive-relative (C:foo) and UNC (\\server\share) paths,
+	// which filepath.IsAbs does not catch.
+	if filepath.VolumeName(cleaned) != "" {
+		return fmt.Errorf("output path %q contains a drive or UNC prefix; use a relative path", outputPath)
+	}
 	if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) {
 		return fmt.Errorf("output path %q escapes the working directory", outputPath)
 	}

internal/export/attachments_test.go

@@ -416,6 +416,33 @@ func TestValidateOutputPath(t *testing.T) {
 		{"traversal via subdir", "foo/../../evil.txt", true},
 	}
 
+	// Windows drive and UNC paths — only meaningful on Windows where
+	// filepath.VolumeName returns non-empty for these forms.
+	if runtime.GOOS == "windows" {
+		tests = append(tests,
+			struct {
+				name    string
+				path    string
+				wantErr bool
+			}{"windows absolute", `C:\tmp\file.pdf`, true},
+			struct {
+				name    string
+				path    string
+				wantErr bool
+			}{"windows drive-relative", `C:tmp\file.pdf`, true},
+			struct {
+				name    string
+				path    string
+				wantErr bool
+			}{"windows drive-relative traversal", `C:..\evil`, true},
+			struct {
+				name    string
+				path    string
+				wantErr bool
+			}{"windows UNC path", `\\server\share\file.pdf`, true},
+		)
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := ValidateOutputPath(tt.path)