Harden S3 sync target paths

[dfgvaetyj3456356-hash]

S3Hook.sync_to_local_dir() derives local target paths from object keys after removing the configured prefix. Current upstream already contains the analogous GCS guard; this PR applies the same containment check to S3 sync targets.

The change resolves each candidate S3 download target and rejects keys that would land outside the requested local directory before creating parent directories or downloading content.

Regression coverage adds a traversal-shaped S3 object key under the requested prefix.

Validation performed locally:

• python -m py_compile providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py
• python -m ruff check providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py
• git diff --check -- providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py

The focused pytest command could not run in this local checkout because the Airflow pytest plugin dependency time_machine is not installed in the current environment.

Gen-AI disclosure:

• This PR was prepared with assistance from OpenAI Codex.
• I reviewed the generated code and tests for relevance, correctness, and scope before submitting.
• I ran the checks listed above locally, and I take responsibility for the final submitted changes.

---

Important

🛠️ Maintainer triage note for @dfgvaetyj3456356-hash · by @potiuk · 2026-06-12 11:23 UTC

Some review feedback from @shahar1 is waiting on you:

• You've pushed new commits since @shahar1 requested changes, but the review hasn't been followed up.

The ball is in your court — you've been assigned to this PR. Address the outstanding comments (reply or push a fix), then ping the reviewer for a re-review.

_{Automated triage — may be imperfect; a maintainer takes the next look.}

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
• Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://s.apache.org/airflow-slack

[shahar1]

Please fix the PR's description, including adding declaration for using AI according to the guidelines.

[dfgvaetyj3456356-hash]

Thanks for the review. I updated the PR description to include the required Gen-AI disclosure and refreshed the validation notes.

I also rebased the branch onto current main and force-pushed clean history, so the PR now contains only the two intended noreply-authored commits.

Local validation after the rebase:

• python -m py_compile providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py
• python -m ruff check providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py
• git diff --check -- providers\amazon\src\airflow\providers\amazon\aws\hooks\s3.py providers\amazon\tests\unit\amazon\aws\hooks\test_s3.py

[dfgvaetyj3456356-hash]

Hi @shahar1, I updated the PR description with the Gen-AI disclosure and validation notes, then rebased/pushed the clean branch. The visible checks are green now. Could you take another look when you have a chance?

PR's description was fixed

[boring-cyborg]

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.