fix: harden request handling and input parsing in hello and diagnostics #1681

Open
fereidani wants to merge 3 commits into cloudflare:master from fereidani:fix/input-robustness

Conversation

@fereidani


In continuation of PR #1680

Ghoul-related reports:

hello/hello.go:120:28: [server-timeout] http.Server has no ReadHeaderTimeout; without it the server is vulnerable to slow-header connection exhaustion (Slowloris) (confidence: 8.3/10, CWE-400)
hello/hello.go:208:27: [oversized-timeout] an attacker-controlled duration used as timeout/duration in time.NewTicker may cause denial of service or a non-expiring session (confidence: 8.3/10, CWE-400)

Changes:

  • hello/hello.go: the SSE handler parses the freq query parameter into a duration and passes it to time.NewTicker, which panics on zero or negative values. The value is now applied only when positive. The hello server also had no ReadHeaderTimeout, so one was added.
  • diagnostic/network/collector_unix.go and collector_windows.go: DecodeLine indexed the filtered hop tokens without checking for an empty result, so a hop line with no index (for example a bare * * *) could cause an index-out-of-range panic. An explicit guard now returns an error and the line is skipped, matching how other unparseable lines are already handled. Added regression tests for both platforms.
  • cmd/cloudflared/tunnel/login.go: replaced an unchecked type assertion on the os.Stat error with os.IsNotExist, which is the idiom used elsewhere in the codebase, and removed the now-unused syscall import.

fereidani changed the title from "Fix/input robustness" to "fix: harden request handling and input parsing in hello and diagnostics" on Jun 24, 2026