ExDoc could potentially wipe out any directory

[eksperimental]

While working on improving the make docs command in Elixir, I accidentally discovered this bug that deleted my entire Elixir repo locally loosing all local branches. I don't know if there could be any implication of anybody running ExDoc, but it could potentially wipe out the entire disk in a remote or a local user machine.

When --output is provided to the ex_doc command, and it is empty, it will deleted --output "" --output ~ will wipe out your home dir.
My case was that --output was set to "${VAR}" and VAR didn't get set properly and was evaluated to an empty string, so the project root directory was gone.

Additionally, I think we should review the use of File.rm_rf! across the project.
https://github.com/elixir-lang/ex_doc/search?q=File.rm_rf%21

These are the lines causing such behaviour.

ex_doc/lib/ex_doc/formatter/html.ex

Lines 159 to 160 in 6ba40a7

	File.rm_rf!(config.output)
	File.mkdir_p!(config.output)

This removing of the output directory is intended to clean out old documentation copies. If a .build file in found, only files listed in .build are removed.

[Eiji7]

Securing an empty string should be simple, but the general problem is that we can erase any directory that wasn't created for generating an Elixir application documentation. How about a simple check for existence of empty file called .ex_doc within output directory?

Note: Creating of said file would need to be done immediately after mkdir call, so in case of any bug the code would know if said output directory can be erased.