Fix path traversal when saving named chat templates (#46191)
The chat_template dict keys are written out as `<name>.jinja` files by both
PreTrainedTokenizerBase.save_pretrained and ProcessorMixin.save_pretrained,
but those keys are untrusted. The legacy list-of-dicts chat_template format
in tokenizer_config.json turns each entry's "name" into a dict key, so a name
like "../../foo" flows straight into os.path.join(chat_template_dir,
f"{name}.jinja") and lets a saved repo write a file outside the target
directory.
Before opening the file in both save paths, reject any template name whose
resolved path escapes chat_template_dir. Add regression tests for the
tokenizer and the processor.
transformers
eaaaf849 - Fix path traversal when saving named chat templates (#46191)
