fix(app-server): block env command bypass

[OnlyYu1996]

Summary

• block env and other wrapper executors that can run blocked programs indirectly
• normalize Windows executable suffixes before checking the blocklist
• block versioned runtime names such as python3.11, ruby3.2, perl5, and php8.3
• add regression coverage for the env python3 -c ... bypass

Fixes PlatformNetwork/bounty-challenge#53251.

Validation

• cargo +1.90.0 fmt --package cortex-app-server --check
• rustc +1.90.0 --edition=2024 --test src\\cortex-app-server\\src\\tools\\security.rs -o %TEMP%\\cortex_security_tests.exe && %TEMP%\\cortex_security_tests.exe

I also attempted the targeted app-server cargo tests, but the local Windows build is blocked before reaching this crate's tests by the existing aws-lc-sys C build under MSVC (cl.exe fails while compiling aws-lc/crypto/fipsmodule/bcm.c).

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.