Use shell-quote.quote in testCdsCommand()

Attempts to resolve an "Indirect uncontrolled command line" code
scanning alert from the recent additon of the `testCdsCommand` function.

Uses the `quote` function from the `shell-quote` library to "quote" the
offending CDS extractor script argument before using the arg / string
within the `testCdsCommand` function.

Author: data-douser

extractors/cds/tools/src/cds/compiler/command.ts

@@ -2,6 +2,8 @@ import { execFileSync } from 'child_process';
 import { existsSync, readdirSync } from 'fs';
 import { join } from 'path';
 
+import { quote } from 'shell-quote';
+
 import { fileExists } from '../../filesystem';
 import { cdsExtractorLog } from '../../logging';
 
@@ -93,7 +95,9 @@ function testCdsCommand(
         env: cleanEnv,
       }).toString();
     } else {
-      result = execFileSync('sh', ['-c', `${command} --version`], {
+      // Use shell-quote to properly escape the command and prevent injection
+      const escapedCommand = quote([command, '--version']);
+      result = execFileSync('sh', ['-c', escapedCommand], {
         encoding: 'utf8',
         stdio: 'pipe',
         timeout: 5000, // Reduced timeout for faster failure