Harden Jinja template rendering with sandboxing#6888

Open
tcoatswo wants to merge 1 commit into canonical:main from tcoatswo:fix/cloud-init-jinja-ssti-ready
Conversation

@tcoatswo


Summary

Harden cloud-init Jinja template rendering by switching to a sandboxed Jinja environment.

Changes

  • replace direct jinja2.Template rendering with SandboxedEnvironment
  • handle SecurityError in the Jinja payload handler so unsafe templates are ignored cleanly
  • add unit regressions covering unsafe attribute access in templater and handler paths

Verification

  • reproduced the pre-fix behavior directly in Python: template expressions could access `__class__`, `__mro__`, and `__subclasses__`
  • verified post-fix behavior directly in Python: unsafe attribute access is blocked, and handler rendering returns None with a warning
  • I could not run the repo pytest suite on this host because the Python environment here does not have the pytest module installed

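Worked example of the before/after behaviour the PR description reports, added here by the editor; it is not cloud-init code and not the PR's diff. The probe template, the function names `render_unsandboxed`, `render_sandboxed`, `handle_jinja_payload` and `is_blocked`, and the warning text are constructed for illustration; only `jinja2.Template`, `SandboxedEnvironment` and `SecurityError` are real Jinja2 API.

```python
import logging

import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

LOG = logging.getLogger(__name__)

# Constructed probe: walks from a string literal up to object and lists its
# subclasses, the first step of the usual SSTI gadget search. It only reports
# whether any subclasses were reachable; a real payload would pick one.
PROBE_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() | length > 0 }}"


def render_unsandboxed(template_text: str, **variables) -> str:
    """Pre-fix behaviour: jinja2.Template applies no attribute restrictions,
    so the probe reaches object.__subclasses__() and renders "True"."""
    return jinja2.Template(template_text).render(**variables)


def render_sandboxed(template_text: str, **variables) -> str:
    """Post-fix behaviour: SandboxedEnvironment treats attributes starting
    with an underscore as unsafe and raises SecurityError when the template
    goes on to use the value it would have produced."""
    env = SandboxedEnvironment()
    return env.from_string(template_text).render(**variables)


def handle_jinja_payload(template_text: str, **variables):
    """Handler-style wrapper (hypothetical name): an unsafe template is
    logged and ignored by returning None instead of propagating the error."""
    try:
        return render_sandboxed(template_text, **variables)
    except SecurityError as exc:
        LOG.warning("Ignoring unsafe jinja template: %s", exc)
        return None


def is_blocked(template_text: str) -> bool:
    """True if the sandbox rejects the template with SecurityError."""
    try:
        render_sandboxed(template_text)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("unsandboxed:", render_unsandboxed(PROBE_TEMPLATE))
    print("sandboxed blocked:", is_blocked(PROBE_TEMPLATE))
    print("handler result:", handle_jinja_payload(PROBE_TEMPLATE))
    print("benign template:", handle_jinja_payload("host={{ hostname }}", hostname="node1"))
```

One caveat worth knowing when writing the regression tests: a bare `{{ ''.__class__ }}` renders as an empty string rather than raising, because the sandbox hands back an Undefined for the unsafe attribute and `SecurityError` is only raised when that value is used further (indexed, called, iterated, or followed by another attribute lookup). Tests for the handler path should therefore use a multi-step chain like the probe above, not a single attribute access.
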
@blackboxsw blackboxsw left a comment

Collaborator

Thank you for this submission and increasing the security posture for cloud-init's jinja2 template handling. Integration tests look happy with this approach. Some things we'll need on this PR:

  • tox -e do_format

It looks like the SandboxedEnvironment has been in Jinja2 for... ever. So we don't have to worry about backward compatibility issues.

Requesting minor changes to ensure CI passes.

@blackboxsw blackboxsw self-assigned this Jun 12, 2026
@blackboxsw

Collaborator

Let's resolve conflicts in this PR and get CI passing on this please.
