🤖 fix: use single quotes for script argument escaping to prevent injection

Change-Id: Id4e929b2fb40a1583cb4f0740a52d6d134a7cc0e
Signed-off-by: Thomas Kosiewski <[email protected]>

Author: ThomasK33

src/node/services/scriptRunner.ts

@@ -98,9 +98,10 @@ export async function runWorkspaceScript(
   // Quote arguments safely - basic quote wrapping for bash
   const escapedArgs = args
     .map((arg) => {
-      // Basic escaping for bash arguments
-      const safeArg = arg.replace(/"/g, `${String.fromCharCode(92)}"`);
-      return `"${safeArg}"`;
+      // Use single quotes for stronger escaping (preserves literals)
+      // Replace ' with '\'' to safely break out and insert a literal quote
+      const safeArg = arg.replace(/'/g, "'\\''");
+      return `'${safeArg}'`;
     })
     .join(" ");