fix(wasm): shell command built from environment values

[odaysec]

The issue occurs because the shell command is constructed as a string containing environment-derived values (WASM_SRC, etc.) and then executed via execSync, which invokes the shell and interprets special characters. To fix the issue, we should avoid shell interpretation of dynamic arguments:

• Replace the use of execSync with execFileSync. This API directly executes binaries and takes command-line arguments as an array, avoiding shell interpolation and interpretation of special characters.
• Build the command and its arguments as an array, separating fixed command strings from variable paths and flags to ensure no shell metacharacters can interfere.
• Apply this fix to the block starting from line 99 where the problematic command is built and executed.
• Default WASM_CC may be a compiler (clang), so the command should be formatted as:
  WASM_CC [WASM_CFLAGS components..., "-msimd128", ...WASM_LDFLAGS components..., src files, "-Iinclude", "-o", output wasm filename, ...WASM_LDLIBS components...]
• We will need to split environment variable flags into arrays instead of interpolating strings (unless they're static).
• All environment-derived values should be split and sanitized: e.g., handle WASM_CFLAGS, WASM_LDFLAGS, WASM_LDLIBS as arrays (splitting on whitespace).
• No new imports are needed; only additional variable handling and replacement of the exec call.

Status

• I have read and agreed to the Developer's Certificate of Origin
• Tested
• Benchmarked (optional)
• Documented
• Review ready
• In review
• Merge ready

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.86%. Comparing base (b435604) to head (69f7ce9).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4639   +/-   ##
=======================================
  Coverage   92.85%   92.86%           
=======================================
  Files         106      106           
  Lines       33111    33111           
=======================================
+ Hits        30744    30747    +3     
+ Misses       2367     2364    -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Uzlopak]

Claims to solve an issue, but it is not clear what the issue is. This script is alone "worthless" and is only used to build the wasm files when we update llhttp every 1-2 years.

I have a proposed PR which ensures the integrity of the wasm files, which is more relevant than ensuring that you sanitize the env variables in this script.

[Uzlopak]

Closing due to inactivity