From 670d9f3d180e888b77ae89dba71bb2455acae430 Mon Sep 17 00:00:00 2001 From: ZePan110 Date: Tue, 29 Apr 2025 19:44:48 +0800 Subject: [PATCH] Fix security issue. (#1892) Signed-off-by: ZePan110
---
 .github/workflows/_helm-e2e.yml | 44 ++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/_helm-e2e.yml b/.github/workflows/_helm-e2e.yml
index 7f150f389..a66b3204b 100644
--- a/.github/workflows/_helm-e2e.yml
+++ b/.github/workflows/_helm-e2e.yml
@@ -131,32 +131,32 @@ jobs:
 ref: ${{ steps.get-checkout-ref.outputs.CHECKOUT_REF }}
 fetch-depth: 0
- - name: Validate Inputs
- run: |
- cd ${{ github.workspace }}
- folders=($(find . -maxdepth 1 -type d ! -name ".*" -printf "%f\n" | tr '[:upper:]' '[:lower:]'))
- echo "folders: ${folders[@]}"
- echo "example: ${{ inputs.example }}"
- example_lower=$(echo "${{ inputs.example }}" | tr '[:upper:]' '[:lower:]')
- if [[ ! " ${folders[@]} " =~ " ${example_lower} " ]]; then
- echo "Error: Input '${example_lower}' is not in the list of folders."
- exit 1
- fi
-
 - name: Set variables
 env:
 example: ${{ inputs.example }}
 run: |
- CHART_NAME="${example,,}" # CodeGen
- echo "CHART_NAME=$CHART_NAME" >> $GITHUB_ENV
- echo "RELEASE_NAME=${CHART_NAME}$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
- echo "NAMESPACE=${CHART_NAME}-$(head -c 4 /dev/urandom | xxd -p)" >> $GITHUB_ENV
- echo "ROLLOUT_TIMEOUT_SECONDS=600s" >> $GITHUB_ENV
- echo "TEST_TIMEOUT_SECONDS=600s" >> $GITHUB_ENV
- echo "KUBECTL_TIMEOUT_SECONDS=60s" >> $GITHUB_ENV
- echo "should_cleanup=false" >> $GITHUB_ENV
- echo "skip_validate=false" >> $GITHUB_ENV
- echo "CHART_FOLDER=${example}/kubernetes/helm" >> $GITHUB_ENV
+ if [[ ! "$example" =~ ^[a-zA-Z]{1,20}$ ]] || [[ "$example" =~ \.\. ]] || [[ "$example" == -* || "$example" == *- ]]; then
+ echo "Error: Invalid input - only lowercase alphanumeric and internal hyphens allowed"
+ exit 1
+ fi
+ # SAFE_PREFIX="kb-"
+ CHART_NAME="${SAFE_PREFIX}$(echo "$example" | tr '[:upper:]' '[:lower:]')"
+ RAND_SUFFIX=$(openssl rand -hex 2 | tr -dc 'a-f0-9')
+
+ cat <> $GITHUB_ENV
+ CHART_NAME=${CHART_NAME}
+ RELEASE_NAME=${CHART_NAME}-$(date +%s)
+ NAMESPACE=ns-${CHART_NAME}-${RAND_SUFFIX}
+ ROLLOUT_TIMEOUT_SECONDS=600s
+ TEST_TIMEOUT_SECONDS=600s
+ KUBECTL_TIMEOUT_SECONDS=60s
+ should_cleanup=false
+ skip_validate=false
+ CHART_FOLDER=${example}/kubernetes/helm
+ EOF
+
+ echo "Generated safe variables:" >> $GITHUB_STEP_SUMMARY
+ echo "- CHART_NAME: ${CHART_NAME}" >> $GITHUB_STEP_SUMMARY
 - name: Helm install
 id: install
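Review bot: The new validation at the top of the `Set variables` run block contradicts its own error message — `^[a-zA-Z]{1,20}$` admits only letters, so digits and hyphens are rejected even though the message says they are allowed, and the following `\.\.` and leading/trailing-hyphen tests can never fire. If any example folder name contains a digit or hyphen (the removed `Validate Inputs` step matched against the real folder list, so the hunk alone cannot tell), the first test should be the one the message describes, e.g. `if [[ ! "$example" =~ ^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*$ ]] || [[ ${#example} -gt 20 ]]; then`, which already excludes `..` and edge hyphens so the other two tests can go (uppercase is fine because the step lower-cases it with `tr` before building `CHART_NAME`). Dropping the folder-list check also means a syntactically valid name no longer has to correspond to an existing chart; one line after the `fi` keeps that guarantee: `[[ -d "${example}/kubernetes/helm" ]] || { echo "Error: no helm chart at ${example}/kubernetes/helm"; exit 1; }`. `SAFE_PREFIX` is only set inside a comment, so `${SAFE_PREFIX}` expands to nothing while the step summary advertises "Generated safe variables" — either uncomment the assignment or drop the prefix. As rendered the heredoc reads `cat <> $GITHUB_ENV` with no `<<EOF`; presumably the `<<EOF` was lost in rendering, but if the file really reads that way the variable lines and `EOF` would execute as commands rather than be written, and note the job's `steps` list continues beyond the hunk on both sides.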