Fix command injection vulnerability in HelmInstallService

[nicolst]

No description provided.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[nicolst]

This uses the official recommended regex for Semver 2 versions, but it is quite long

[nicolst]

Tested in our dev environment and the API now returns a 404 when given an invalid and/or non-existent version instead of passing it on to the command executor.

I have looked a bit more at the code and I can't see any other immediate candidates for this vulnerability. The env and timeout arguments to installService could have had the same vulnerability, but env is never used outside of suspend/resume where it is hardcoded and timeout is retrieved from the catalog config.

A lot of these kinds of problems would probably have been avoided if the API were written in Go using Helm's official SDK, but rewriting is of course quite a large job and maybe not realistic at this point.