Harden ExecuteTask with per-arg escapeshellarg and allow-list

[dereuromark]

Summary

Two-part hardening of Queue.Execute:

• Switch from escapeshellcmd() to per-token escapeshellarg() for the command and each params entry. The previous primitive only neutralizes shell metacharacters and cannot defend against argument injection (e.g. a params entry like -r --some-flag /etc/passwd would still split into multiple shell tokens once exec() re-tokenized the line). With escapeshellarg() each entry is wrapped as one quoted token.
• Introduce a Queue.executeAllowedCommands allow-list that is enforced whenever debug is disabled. With debug off and no allow-list configured, every Execute job is rejected before exec() is reached. This protects environments where an attacker gains DB write access to queued_jobs, or where upstream code unexpectedly pipes user input into createJob('Queue.Execute', ...).

Notes

• Behavior change for callers that previously embedded multiple tokens inside a single params entry: they must now split such entries across the params array. The two existing tests that depended on the old behavior were updated to the supported shape.
• New regression tests cover token quoting for an arg-injection payload and the allow-list deny/empty/allow paths.
• Docs section docs/sections/tasks/execute.md updated to describe the new escaping primitive and the production allow-list requirement.

Verification

• vendor/bin/phpunit — 176 passing
• vendor/bin/phpstan analyze — no errors
• vendor/bin/phpcs src/ — clean

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 77.54%. Comparing base (34e8050) to head (a685e6e).

Files with missing lines	Patch %	Lines
src/Queue/Task/ExecuteTask.php	88.88%	1 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #485      +/-   ##
============================================
+ Coverage     77.38%   77.54%   +0.16%     
- Complexity      963      966       +3     
============================================
  Files            45       45              
  Lines          3232     3238       +6     
============================================
+ Hits           2501     2511      +10     
+ Misses          731      727       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.