Escape generated restore file paths before composing docker and shell cleanup commands so paths with spaces or metacharacters cannot break command execution. Update import form security coverage to target ImportForm directly.
- Add null checks for server instances in restore events to prevent errors - Escape S3 credentials to prevent command injection vulnerabilities - Fix file upload clearing custom location to prevent UI confusion - Optimize isSafeTmpPath helper by avoiding redundant dirname calls - Remove unnecessary --rm flag from long-running S3 restore container - Prioritize uploaded files over custom location in import logic - Add comprehensive unit tests for restore event null server handling 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
