Git command DSL

Closes #1847 (closed)

This change introduces a simple Domain Specific Language (DSL) for forming Git commands. The intention is to provide a more robust validation system to prevent flag injection exploits.

The following "unsafe" functions now have a "safe" version that uses this DSL:

• git.Command -> git.SafeCmd
• git.BareCommand -> git.SafeBareCmd
• git.CommandWithoutRepo -> git.SafeCmdWithoutRepo
• git.StdinCommand -> git.SafeStdinCmd

The next step is to deprecate the usage of the "unsafe" functions: !1480 (merged)

Then, replace the deprecated functions with the "safe" version. One RPC, RepositoryService.GarbageCollect, already has this done for demonstration purposes (see the files gc.go and repack.go).

Closes #1991 (closed)

Closes #1996 (closed)