add exclusion patterns for tarfile-extractall-traversal

[cjenn-aviatrix]

As per PEP706 the filter arg is used to prevent directory traversal

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Cireo]

per https://docs.python.org/3/library/tarfile.html#default-named-filters we may still want to have failing behavior if filter is 'fully_trusted', or None prior to 3.14, but at least this forces it to be explicit

[GrosQuildu]

Thanks for the PR!

To sum up, from python3.14 the default filter is data and extraction is safe (except DoS attacks). Is that right?
If so, we may want to either:

• only detect extractions with explicit fully_trust (targetting 3.14 and more impactful issues)
• detect the data filters (and filter=None) in addition to fully_trust, maybe lowering the rule's impact (targeting all python versions)

Another question: what happens if both filter and members args are provided:

• filter=data and members=None
• filter=fully_trust and members=some_members()