replace all system() shell invocation with safer non-shell alternative

src/lib/Hydra/Plugin/S3Backup.pm

@@ -7,6 +7,8 @@ use File::Temp;
 use File::Basename;
 use Fcntl;
 use IO::File;
+use IPC::Run qw(run);
+use IPC::Run3;
 use Net::Amazon::S3;
 use Net::Amazon::S3::Client;
 use Digest::SHA;
@@ -27,11 +29,11 @@ my %compressors = ();
 $compressors{"none"} = "";
 
 if (defined($Nix::Config::bzip2)) {
-    $compressors{"bzip2"} = "| $Nix::Config::bzip2",
+    $compressors{"bzip2"} = "$Nix::Config::bzip2",
 }
 
 if (defined($Nix::Config::xz)) {
-    $compressors{"xz"} = "| $Nix::Config::xz",
+    $compressors{"xz"} = "$Nix::Config::xz",
 }
 
 my $lockfile = Hydra::Model::DB::getHydraPath . "/.hydra-s3backup.lock";
@@ -111,7 +113,16 @@ sub buildFinished {
             }
             next unless @incomplete_buckets;
             my $compressor = $compressors{$compression_type};
-            system("$Nix::Config::binDir/nix-store --dump $path $compressor > $tempdir/nar") == 0 or die;
+            if ($compressor eq "") {
+                # No compression - use IPC::Run3 to redirect stdout to file
+                run3(["$Nix::Config::binDir/nix-store", "--dump", $path],
+                     \undef, "$tempdir/nar", \undef) or die "nix-store --dump failed: $!";
+            } else {
+                # With compression - use IPC::Run to pipe nix-store output to compressor
+                my $dump_cmd = ["$Nix::Config::binDir/nix-store", "--dump", $path];
+                my $compress_cmd = [$compressor];
+                run($dump_cmd, '|', $compress_cmd, '>', "$tempdir/nar") or die "Pipeline failed: $?";
+            }
             my $digest = Digest::SHA->new(256);
             $digest->addfile("$tempdir/nar");
             my $file_hash = $digest->hexdigest;