security: add SSH key path validation to aws/lib/common.sh (#1414)

Add validation in ensure_ssh_key() to prevent path traversal and
arbitrary file upload attacks:
- Validate public key file exists and is a regular file
- Reject symlinks to prevent reading sensitive system files
- Enforce 10KB size limit (SSH pubkeys are ~100-600 bytes)

Fixes #1407

Agent: complexity-hunter

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

aws/lib/common.sh

@@ -61,6 +61,24 @@ ensure_ssh_key() {
     # Generate key if needed
     generate_ssh_key_if_missing "${key_path}"
 
+    # Validate SSH public key path before upload
+    if [[ ! -f "${pub_path}" ]]; then
+        log_error "SSH public key not found: ${pub_path}"
+        return 1
+    fi
+    if [[ -L "${pub_path}" ]]; then
+        log_error "SSH public key cannot be a symlink: ${pub_path}"
+        return 1
+    fi
+    # SSH public keys are typically 100-600 bytes (ed25519/RSA)
+    # Reject suspiciously large files to prevent arbitrary file upload
+    local size
+    size=$(wc -c <"${pub_path}")
+    if [[ ${size} -gt 10000 ]]; then
+        log_error "SSH public key file too large: ${size} bytes (max 10000)"
+        return 1
+    fi
+
     local key_name="spawn-key"
 
     # Check if already registered