Testing various injection patterns against the safePath regex:

Regex: /^[a-zA-Z0-9/_.-]+$/

Pattern                           | Result     | Description
----------------------------------|------------|--------------------------------
/var/tmp/x;touch /tmp/pwned...    | BLOCKED    | Semicolon injection
/var/tmp/x|touch /tmp/pwned...    | BLOCKED    | Pipe injection
/var/tmp/x&&touch /tmp/pwne...    | BLOCKED    | AND operator
/var/tmp/x||touch /tmp/pwne...    | BLOCKED    | OR operator
/var/tmp/x`touch /tmp/pwned...    | BLOCKED    | Backtick substitution
/var/tmp/x$(touch /tmp/pwne...    | BLOCKED    | $() substitution
/var/tmp/x<>/tmp/pwned;/bin...    | BLOCKED    | Redirection
/var/tmp/x；touch /tmp/pwned...   | BLOCKED    | Full-width semicolon (U+FF1B)
/var/tmp/x؛touch /tmp/pwned...    | BLOCKED    | Arabic semicolon (U+061B)
/usr/lib/postgresql/14/bin/...    | PASSES(!)  | Legitimate postgres path

Notes:
- PASSES = pattern matches the regex and would be allowed through (DANGEROUS if the pattern were an injection attempt; here the only PASSES row is the legitimate path)
- BLOCKED = pattern rejected by the regex (safe)
- Even if the regex passes a string, execFile() hands it to the binary as an argument without shell interpretation