
fix(security): Replace execSync with execFileSync to prevent command injection#23

Merged
timfish merged 1 commit into main from fix/js-1460-command-injection on Feb 19, 2026

Conversation

@fix-it-felix-sentry
Contributor

Summary

This PR fixes a potential command injection vulnerability by replacing child_process.execSync() with child_process.execFileSync() in the clang-format script.

Changes

  • Replace execSync with execFileSync for clang-format execution
  • Replace execSync with execFileSync for git status execution
  • Pass arguments as arrays instead of shell command strings

Security Impact

While the original code used hardcoded arguments (making it a false positive in practice), using execFileSync with an array of arguments is a more secure approach that:

  • Prevents shell interpretation
  • Eliminates potential command injection vulnerabilities
  • Follows Node.js security best practices

Testing

The clang-format script has been tested and continues to work correctly with the new implementation.

References

…injection

Replace child_process.execSync() with child_process.execFileSync() to
eliminate potential command injection vulnerabilities. While the original
code used hardcoded arguments, using execFileSync with an array of
arguments is a more secure approach that prevents shell interpretation.

Changes:
- Replace execSync with execFileSync for clang-format execution
- Replace execSync with execFileSync for git status execution
- Pass arguments as arrays instead of shell command strings

Fixes: https://linear.app/getsentry/issue/VULN-1070
Fixes: https://linear.app/getsentry/issue/JS-1460
@linear

linear bot commented Feb 18, 2026

@github-actions

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


Bug Fixes 🐛

  • (security) Replace execSync with execFileSync to prevent command injection by fix-it-felix-sentry[bot] in #23

Internal Changes 🔧

Release

  • Fix changelog-preview permissions by BYK in #22
  • Bump Craft version to fix issues by BYK in #20
  • Switch from action-prepare-release to Craft by BYK in #18

Other

  • Use pull_request_target for changelog preview by BYK in #21
  • macos-13 deprecation by timfish in #19
  • Build Linux in container for wider glibc support by timfish in #16

🤖 This preview updates automatically when you update the PR.

@timfish timfish enabled auto-merge (squash) February 19, 2026 10:59
@timfish timfish merged commit 593922b into main Feb 19, 2026
65 checks passed
@timfish timfish deleted the fix/js-1460-command-injection branch February 19, 2026 10:59