fix: avoid mutating input slice in cmd.prettyCmd()

[stasadev]

The Issue

I noticed a flaw in cmd.prettyCmd():

https://go.dev/play/p/EVaaARj1uYn

cmd := []string{"bash", "-c", `echo "test"`}
fmt.Printf("original cmd: %v\n", cmd)            # original cmd: [bash -c echo "test"]
fmt.Printf("  pretty cmd: %v\n", prettyCmd(cmd)) #   pretty cmd: bash -c "echo "test""
fmt.Printf("original cmd: %v\n", cmd)            # original cmd: [bash -c "echo "test""] - bad

How This PR Solves The Issue

Makes a copy, escapes double quotes.

Manual Testing Instructions

https://go.dev/play/p/ZDcMH1TgqE1

cmd := []string{"bash", "-c", `echo "test"`}
fmt.Printf("original cmd: %v\n", cmd)            # original cmd: [bash -c echo "test"]
fmt.Printf("  pretty cmd: %v\n", prettyCmd(cmd)) #   pretty cmd: bash -c "echo \"test\""
fmt.Printf("original cmd: %v\n", cmd)            # original cmd: [bash -c echo "test"] - good

Automated Testing Overview

Release/Deployment Notes

[rfay]

Do I remember that this class of problem was fixed up in latest golang?

[github-actions]

Download the artifacts for this pull request:

• all-ddev-executables.zip
• ddev-macos-amd64.zip
• ddev-macos-arm64.zip
• ddev-linux-arm64.zip
• ddev-linux-amd64.zip
• ddev-windows-amd64.zip
• ddev-windows-amd64-installer.zip
• ddev-windows-arm64.zip
• ddev-windows-arm64-installer.zip

See Testing a PR.

[stasadev]

I'm testing it using the latest go1.24.5.

It was a rather random discovery, I was trying to debug ddev auth ssh and used cmd.prettyCmd() in several places and then noticed this mutation.

It doesn't affect our current code, since it's only used in the final error output in ddev auth ssh (the original input isn't used afterward) and in ddev debug rebuild (where the command args don't have spaces, so they are not modified), but it should be fixed.

[rfay]

Thanks. I guess I was thinking of this change in go 1.22, https://go.dev/blog/loopvar-preview

[rfay]

Thanks! The go playground approach to demo was really nice too.