Security: Command injection vulnerability in script execution

[sainesh-MW]

Commands are constructed to be run on the runners (both github and self hosted runners) using string concatenation, allowing potential command injection if paths contain special characters.
I would suggest using exec.exec() with array arguments instead of concatenated command strings.

[sameagen-MW]

I've gone through the code paths for everywhere we use exec, and we never concatenate user input into the commands, so I don't believe that this represents a vulnerability. As such, fixing this doesn't appear urgent to me. However, I'm supportive of switching to using an array of arguments rather than a full string as a best practice to improve the hygiene of the codebase.

I'll keep this on the radar, or if you have the bandwidth @sainesh-MW feel free to author a pr and tackle it. Thanks for creating the issue, seems like a good improvement!