
fix: guard HTTP buildpack download against disk exhaustion#2594

Open
jkutner wants to merge 1 commit into main from fix/http-download-disk-exhaustion

Conversation

@jkutner
Member

@jkutner jkutner commented May 7, 2026

Summary

  • Add maxDownloadBytes constant (500 MB) to pkg/blob/downloader.go
  • Reject responses whose declared Content-Length exceeds the limit in downloadAsStream before any bytes are written to disk (Option B)
  • Wrap io.Copy in handleHTTP with io.LimitReader and remove the partial cache file if the limit is hit (Option A — catches chunked/no-Content-Length responses)
  • Replace http.DefaultClient in NewDownloader with a client that has a 10-minute timeout and 30-second ResponseHeaderTimeout, closing the slow-drip attack vector (Option C)
  • Two new unit tests cover the Content-Length rejection and timeout paths

Motivation

pkg/blob/downloader.go previously called io.Copy(fh, reader) with no size bound when caching HTTP buildpack downloads. A malicious endpoint referenced via --buildpack, project.toml, or a builder config could stream an arbitrarily large response to fill the victim's disk partition. The default cache location (~/.pack/download-cache) shares the home partition on typical systems, so exhaustion disrupts unrelated processes. Reported by bugbunny.ai, CVSS 3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

Test plan

  • go test ./pkg/blob/... -v — all 9 cases pass
  • make build — binary builds cleanly
  • make lint — 0 issues
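The three guards listed in the summary, written out as a self-contained Go example that is not the pack project's own downloader code. Names such as newDownloadClient, downloadToFile, startTestServer, ErrTooLarge and okBody are assumptions made for the illustration, and the responses come from a local httptest server with constructed bodies. It goes slightly beyond the PR text by also showing the boundary case of a body that is exactly the limit, which must still be accepted, and it never writes more than the limit to disk because it probes for one extra byte after the limit instead of copying a limit-plus-one buffer.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

// ErrTooLarge is returned when a response would exceed the caller's byte limit.
var ErrTooLarge = errors.New("download exceeds size limit")

// okBody is the constructed payload served by the "/ok" route of the test server.
const okBody = "hello buildpack\n"

// newDownloadClient mirrors Option C: an overall deadline plus a cap on how long
// the server may take to send headers, so a slow-drip server cannot hold the
// download open indefinitely. Durations are parameters so a test can shorten them.
func newDownloadClient(headerTimeout, overall time.Duration) *http.Client {
	return &http.Client{
		Timeout:   overall,
		Transport: &http.Transport{ResponseHeaderTimeout: headerTimeout},
	}
}

// downloadToFile fetches url into dest and never writes more than limit bytes.
// Option B: a declared Content-Length above the limit is rejected before the
// file is created. Option A: a chunked or mis-declared body that runs past the
// limit is detected by probing for one more byte, and the partial file is removed.
func downloadToFile(client *http.Client, url, dest string, limit int64) (int64, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	if resp.ContentLength > limit { // ContentLength is -1 when unknown (chunked)
		return 0, fmt.Errorf("%w: declared Content-Length %d > %d", ErrTooLarge, resp.ContentLength, limit)
	}
	fh, err := os.Create(dest)
	if err != nil {
		return 0, err
	}
	fail := func(e error) (int64, error) { // discard the partial file on any failure
		fh.Close()
		os.Remove(dest)
		return 0, e
	}
	n, err := io.CopyN(fh, resp.Body, limit)
	if err != nil && !errors.Is(err, io.EOF) {
		return fail(err)
	}
	if n == limit { // exactly limit bytes so far: is the server still sending?
		var probe [1]byte
		if _, perr := io.ReadFull(resp.Body, probe[:]); perr == nil {
			return fail(fmt.Errorf("%w: body exceeds %d bytes", ErrTooLarge, limit))
		}
	}
	if err := fh.Close(); err != nil {
		os.Remove(dest)
		return 0, err
	}
	return n, nil
}

// startTestServer serves constructed responses that exercise each guard.
func startTestServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/ok", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, okBody) // small body, server adds Content-Length itself
	})
	mux.HandleFunc("/declared", func(w http.ResponseWriter, r *http.Request) {
		big := bytes.Repeat([]byte("A"), 4096) // honest but oversized Content-Length
		w.Header().Set("Content-Length", fmt.Sprint(len(big)))
		w.Write(big)
	})
	mux.HandleFunc("/chunked", func(w http.ResponseWriter, r *http.Request) {
		chunk := bytes.Repeat([]byte("B"), 512)
		for i := 0; i < 8; i++ { // 4096 bytes streamed with no Content-Length
			if _, err := w.Write(chunk); err != nil {
				return
			}
			w.(http.Flusher).Flush() // forces chunked encoding
		}
	})
	mux.HandleFunc("/slow", func(w http.ResponseWriter, r *http.Request) {
		select { // withhold headers until the client gives up
		case <-r.Context().Done():
		case <-time.After(2 * time.Second):
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := startTestServer()
	defer srv.Close()
	dir, _ := os.MkdirTemp("", "dl")
	defer os.RemoveAll(dir)
	client := newDownloadClient(200*time.Millisecond, 5*time.Second)
	for _, route := range []string{"/ok", "/declared", "/chunked", "/slow"} {
		n, err := downloadToFile(client, srv.URL+route, filepath.Join(dir, route[1:]), 1024)
		fmt.Printf("%-9s bytes=%d err=%v\n", route, n, err)
	}
}
```

Running main with a 1 KB limit shows "/ok" succeeding, "/declared" rejected before any file exists, "/chunked" rejected after its partial file is deleted, and "/slow" failing on the header timeout. Checking resp.ContentLength is cheap but only covers honest servers; the byte-count guard after io.CopyN is what actually bounds disk use, and removing the partial file matters because a cache directory that keeps truncated artifacts would be served on the next run.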

…sk exhaustion

Signed-off-by: Joe Kutner <jpkutner@gmail.com>
@jkutner jkutner requested review from a team as code owners May 7, 2026 01:16
@github-actions github-actions Bot added the type/enhancement Issue that requests a new feature or improvement. label May 7, 2026
@github-actions github-actions Bot added this to the 0.41.0 milestone May 7, 2026
@jkutner
Member Author

jkutner commented May 7, 2026

@codecov

codecov Bot commented May 7, 2026

Codecov Report

❌ Patch coverage is 73.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.56%. Comparing base (5cdc8bf) to head (71b0eaf).

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #2594      +/-   ##
==========================================
+ Coverage   60.51%   60.56%   +0.06%     
==========================================
  Files         256      256              
  Lines       19513    19525      +12     
==========================================
+ Hits        11806    11824      +18     
+ Misses       6879     6874       -5     
+ Partials      828      827       -1     
Flag             Coverage Δ
os_linux         60.21% <73.34%> (+0.05%) ⬆️
os_macos-arm64   57.37% <73.34%> (+0.06%) ⬆️
os_windows       57.19% <73.34%> (+0.06%) ⬆️
unit             60.56% <73.34%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown.


@jkutner jkutner force-pushed the fix/http-download-disk-exhaustion branch from c32311d to 71b0eaf Compare May 7, 2026 12:38
