
[security] - Database restore command injection via sh -c #95

@shieldx-bot

Description

  • Description: shared/shieldx-common/pkg/database/backup.go builds gunzip -c <backupPath> | psql ... using fmt.Sprintf and executes through sh. An attacker controlling the backup path or DB settings can inject shell payloads.
  • Location: BackupManager.Restore function, plain SQL branch when isCompressed is true.
  • Recommendation: Avoid sh -c; stream gzip contents via Go (gzip.NewReader) or call pg_restore/psql with exec.CommandContext argument slices. Validate and whitelist paths.
  • Done when: Restore uses argument-safe invocations, injection strings are rejected, and tests cover malicious paths.
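An added example, not the project's own code, of the restore path the recommendation describes: the backup is decompressed in-process with `gzip.NewReader` and piped to `psql` through an `exec.CommandContext` argument slice, so no shell ever parses the path or the DB settings. The names `safeBackupPath`, `psqlArgs` and `restoreCompressed`, the file-name allowlist and the `/var/backups` directory are assumptions made for illustration.

```go
package main

import (
	"compress/gzip"
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// Allowlist (assumed policy): plain file name, no separators, no leading '-' or '.'.
var backupName = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]*\.sql\.gz$`)

// safeBackupPath resolves name inside baseDir, or rejects it before any process starts.
func safeBackupPath(baseDir, name string) (string, error) {
	if !backupName.MatchString(name) {
		return "", fmt.Errorf("rejected backup name %q", name)
	}
	return filepath.Join(baseDir, name), nil
}

// psqlArgs builds argv directly; each DB setting is one argument, never shell text.
func psqlArgs(host string, port int, user, db string) []string {
	return []string{"-h", host, "-p", fmt.Sprint(port), "-U", user, "-d", db, "-v", "ON_ERROR_STOP=1"}
}

// restoreCompressed replaces `sh -c "gunzip -c <path> | psql ..."` with a Go stream.
func restoreCompressed(ctx context.Context, path string, args []string) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	zr, err := gzip.NewReader(f) // fails here if the file is not gzip; psql is never run
	if err != nil {
		return fmt.Errorf("not a gzip backup: %w", err)
	}
	defer zr.Close()
	cmd := exec.CommandContext(ctx, "psql", args...)
	cmd.Stdin = zr
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("psql failed: %w: %s", err, out)
	}
	return nil
}

func main() {
	_, err := safeBackupPath("/var/backups", "x.sql.gz; id #") // constructed hostile name
	fmt.Println("rejected:", err != nil)
}
```
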


Labels: help wanted (Extra attention is needed), security (system security vulnerabilities)
