Follow-up from the security readiness review (T227346).
While it's fairly common for MediaWiki maintenance scripts (e.g. populateFreebaseMapping.php, fetchSuggestions.php, createFileListFromCategoriesAndTemplates.php, createFileListFromGlobalImageLinks.php) include/require files with dynamically-created paths via variables like $basePath and RUN_MAINTENANCE_IF_MAIN, these get picked up by various linters/static analysis tools as potential means of remote code injection. While such vulnerabilities should be difficult to exploit in the case of MediaWiki maintenance scripts, fortifying such includes/requires with checks for valid/expected paths is still probably a worthwhile effort in defensive coding. The same also applies for any file names/paths passed to any of PHP's file system functions (e.g. file_put_contents() within createFileListFromCategoriesAndTemplates.php and createFileListFromGlobalImageLinks.php.)