
fix(security): shell escape paths in HostDiskUsageService; null-prototype objects in batch parser#2659

Merged: KernelDeimos merged 3 commits into main from eric/263C0_security-audit on Mar 13, 2026

Conversation

@KernelDeimos (Contributor)

Summary

Security audit fixes for two findings:

  • HostDiskUsageService — paths passed to df via execSync string interpolation were unescaped. Replaced hand-rolled quoting with shescape (Shescape({ shell: 'bash', quote: true })), which also strips control characters that the previous implementation missed.
  • routers/drivers/call.js — multipart field values parsed via JSON.parse and spread onto params with for...in were vulnerable to prototype pollution. Fixed by:
    • Using Object.create(null) for params and all sub-objects created in on_field
    • Adding a JSON.parse reviver that converts every parsed object to a null-prototype object

Findings reviewed but not changed

Finding | Outcome
ProcessService shell: true | False positive — callers pass only trusted config values
LocalTerminalService — user-supplied args | False positive — intentional dev-mode terminal emulator
_default.js allow_traversal: true | False positive — config-controlled path, res.sendFile({ root }) prevents user traversal
send-pass-recovery-email — user enumeration | Intentional design decision
batch/all.js JSON.parse | False positive — wrapped in try-catch, no for...in spread
CSRF | False positive — cookie/subdomain split + JSON-only body parsers on puter.com routes is an intentional mitigation strategy
OIDC opener_origin | False positive — user consents via login; postMessage targetOrigin prevents spoofing to a different origin
Kernel.js shell: true with npm | Low, static args, not actionable

Test plan

  • Start Puter and verify disk usage reporting still works on macOS and Linux
  • Make a multipart driver call and verify params are parsed correctly
  • Confirm no regressions in filesystem batch operations

🤖 Generated with Claude Code
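The two parser shapes the description contrasts, as an added example that is not code from the Puter repository: it assumes multipart field values arrive as JSON text and shows the for...in copy onto a plain object beside the null-prototype version with the JSON.parse reviver. Field names and the sample value are constructed.

```javascript
// Added example, not code from the Puter repository: copying parsed field
// values onto a plain object versus onto null-prototype objects.

// Reviver for JSON.parse: every object the parser builds is copied into a
// null-prototype object, so no parsed value sits on Object.prototype.
function nullProtoReviver(key, value) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    const clean = Object.create(null);
    // "__proto__" becomes an ordinary own key here: a null-prototype object
    // has no inherited __proto__ setter for the assignment to hit.
    for (const k of Object.keys(value)) clean[k] = value[k];
    return clean;
  }
  return value;
}

// Handler shaped like the pre-fix pattern: params is a plain {} and a
// for...in copy writes every parsed key onto it, including "__proto__",
// which invokes the inherited setter and replaces params' prototype.
function parseFieldsUnsafe(fields) {
  const params = {};
  for (const [name, raw] of fields) {
    const value = JSON.parse(raw);
    if (value !== null && typeof value === 'object') {
      for (const k in value) params[k] = value[k];
    } else {
      params[name] = value;
    }
  }
  return params;
}

// Hardened handler: params is null-prototype and every sub-object comes out
// of the reviver already null-prototype, so the same copy is inert.
function parseFieldsSafe(fields) {
  const params = Object.create(null);
  for (const [name, raw] of fields) {
    const value = JSON.parse(raw, nullProtoReviver);
    if (value !== null && typeof value === 'object') {
      for (const k in value) params[k] = value[k];
    } else {
      params[name] = value;
    }
  }
  return params;
}

// Constructed sample: one multipart field whose JSON value carries a
// "__proto__" key alongside a legitimate argument.
const SAMPLE_FIELDS = [['args', '{"path":"/home/u","__proto__":{"is_admin":true}}']];
```

With the plain object, `params.is_admin` reads true through the replaced prototype chain; with the hardened version the key is just an own property and any `params.is_admin` check stays undefined.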

@KernelDeimos KernelDeimos force-pushed the eric/263C0_security-audit branch from eac71cb to 76755c7 on March 13, 2026 21:03
@KernelDeimos KernelDeimos merged commit 9506c53 into main Mar 13, 2026
1 check passed
@jelveh jelveh deleted the eric/263C0_security-audit branch May 1, 2026 20:08