fix: Secure tar archive extraction

[chtruong814]

What does this PR do ?

Adds a shared safe tar extraction helper and replaces raw tar extraction in model, notebook, test-data, and dataset-processing paths to prevent path traversal when unpacking archives. It also validates save_artifacts() artifact paths before extract/copy/rename and sanitizes ASR tokenizer rename targets so raw archive metadata cannot move files outside the intended output directory.

Changelog

• Add nemo.utils.tar_utils.safe_extract, which rejects absolute paths, .. traversal, symlinks, and hardlinks by default.
• Route SaveRestoreConnector._safe_extract() through the shared helper while preserving its legacy skip-and-warn behavior with skip_unsafe=True.
• Replace raw tar.extract() / tar.extractall() usage across affected model utilities, notebook dataset download, test-data setup, dataset-processing scripts, and the torchaudio conversion script.
• Validate save_artifacts() artifact paths before constructing extract, copy, or rename paths.
• Derive ASR tokenizer output names from extracted member basenames before os.rename().
• Add regression tests for traversal rejection, absolute artifact-path move prevention, ASR tokenizer rename target sanitization, and a static guard preventing raw tar extraction outside the shared helper.

Verification

• MPLCONFIGDIR=.pytest_cache/matplotlib UV_CACHE_DIR=.uv-cache uv run pytest tests/utils/test_tar_utils.py -v
• Targeted tests/core/test_save_restore.py save/restore compatibility cases
• UV_CACHE_DIR=.uv-cache uv run isort --check <changed files>
• UV_CACHE_DIR=.uv-cache uv run --with black==24.10.0 black --check <changed files>
• rg -n "tar\\.extract(all)?\\(" nemo tests scripts

[chtruong814]

/ok to test a6b1957

[chtruong814]

/ok to test 53c721a