Potential fix for code scanning alert no. 1: Uncontrolled command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: KyFaSt

pages/api/user-search.js

@@ -2,7 +2,7 @@
 // DO NOT USE IN PRODUCTION
 // This API endpoint demonstrates a command injection vulnerability for CodeQL detection
 
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 
 export default function handler(req, res) {
   const { username } = req.query;
@@ -11,11 +11,10 @@ export default function handler(req, res) {
     return res.status(400).json({ error: 'Username is required' });
   }
 
-  // VULNERABILITY: User input is directly concatenated into a shell command
-  // An attacker could inject malicious commands using input like: "user; rm -rf /"
-  const command = `grep ${username} /var/log/users.log`;
-  
-  exec(command, (error, stdout, stderr) => {
+  // SAFER: Use execFile with arguments array to avoid shell command injection
+  const args = [username, '/var/log/users.log'];
+
+  execFile('grep', args, (error, stdout, stderr) => {
     if (error) {
       return res.status(500).json({ error: error.message });
     }