fix: prevent argument injection / RCE in npm command handler

[tranquac]

Summary

Fix argument injection / RCE in the npm command handler by replacing escapeshellcmd with escapeshellarg and adding a command whitelist.

Problem

The node_npm() function uses escapeshellcmd() which is the wrong escaping function for this use case:

function node_npm($cmd) {
    $cmd = escapeshellcmd(NODE_DIR . "/bin/npm --cache ./.npm -- $cmd");
    passthru($cmd, $ret);
}

escapeshellcmd() escapes shell metacharacters like ;, |, & but does NOT prevent argument injection. Since $cmd comes from $_GET['npm'], an attacker can:

1. Install malicious packages: ?npm=install evil-package — installs arbitrary npm packages that can execute post-install scripts
2. Execute arbitrary commands via npm exec: ?npm=exec -- /bin/sh (npm 7+)
3. Exfiltrate data: ?npm=pack --pack-destination=/tmp combined with other attacks

escapeshellcmd vs escapeshellarg

• escapeshellcmd(): Escapes shell metacharacters in a complete command — prevents command chaining but NOT argument injection
• escapeshellarg(): Wraps a single argument in quotes — prevents both command chaining AND argument injection

Fix

1. Whitelist allowed npm subcommands (install, uninstall, update, list, etc.)
2. Replace escapeshellcmd with escapeshellarg for the user-supplied argument

Impact

• Type: Remote Code Execution via Argument Injection (CWE-88)
• Affected function: node_npm() via ?npm= parameter
• Risk: Arbitrary code execution via malicious npm packages or npm exec
• OWASP: A03:2021 — Injection