Skip to content

Fix security issue #1884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix security issue #1884

wants to merge 2 commits into from

Conversation

ZePan110
Copy link
Collaborator

@ZePan110 ZePan110 commented Apr 25, 2025
edited
Loading

Description

The summary of the proposed changes as long as the relevant motivation and context.

Issues

https://github.com/opea-project/GenAIExamples/security/code-scanning/30

Type of change

List the type of change like below. Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds new functionality)
  • Breaking change (fix or feature that would break existing design and interface)
  • Others (enhancement, documentation, validation, etc.)

Dependencies

List the newly introduced 3rd party dependency if exists.

Tests

https://github.com/opea-project/GenAIExamples/actions/runs/14658733798

@Copilot Copilot AI review requested due to automatic review settings April 25, 2025 05:06
@ZePan110 ZePan110 requested a review from chensuyue as a code owner April 25, 2025 05:06
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 25, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

Copilot
Copilot AI reviewed Apr 25, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a security issue by introducing an input validation step in the workflow.

  • Adds a new "Validate Inputs" step in the Helm E2E workflow.
  • Implements a case statement to check the validity of the input example.

.github/workflows/_helm-e2e.yml Outdated
Comment on lines 137 to 138
AgentQnA,AudioQnA,AvatarChatbot,ChatQnA,CodeGen,CodeTrans,DBQnA,DocIndexRetriever,DocSum,EdgeCraftRAG,GraphRAG,InstructionTuning,MultimodalQnA,ProductivitySuite,RerankFinetuning,SearchQnA,Text2Image,Translation,VideoQnA,VisualQnA,WorkflowExecAgent)
echo "Valid example input: ${{ inputs.example }}"
Copy link
Preview

Copilot AI Apr 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The input is being converted to lowercase while the allowed values in the case pattern remain in mixed case, which may cause valid inputs to be rejected. Consider updating the allowed case patterns to lowercase or removing the lowercase conversion.

Suggested change
AgentQnA,AudioQnA,AvatarChatbot,ChatQnA,CodeGen,CodeTrans,DBQnA,DocIndexRetriever,DocSum,EdgeCraftRAG,GraphRAG,InstructionTuning,MultimodalQnA,ProductivitySuite,RerankFinetuning,SearchQnA,Text2Image,Translation,VideoQnA,VisualQnA,WorkflowExecAgent)
echo "Valid example input: ${{ inputs.example }}"
agentqna,audioqna,avatarchatbot,chatqna,codegen,codetrans,dbqna,docindexretriever,docsum,edgecraftrag,graphrag,instructiontuning,multimodalqna,productivitysuite,rerankfinetuning,searchqna,text2image,translation,videoqna,visualqna,workflowexecagent)
echo "Valid example input: ${{ inputs.example,, }}"

Copilot uses AI. Check for mistakes.

@ZePan110 ZePan110 force-pushed the FixSEC branch 4 times, most recently from cd20b2f to 998989d Compare April 25, 2025 06:51
@ZePan110
Fix security issue
9fd05e1 
Signed-off-by: ZePan110 <ze.pan@intel.com>
chensuyue
chensuyue reviewed Apr 25, 2025
View reviewed changes
.github/workflows/_helm-e2e.yml
folders=($(find . -maxdepth 1 -type d ! -name ".*" -printf "%f\n" | tr '[:upper:]' '[:lower:]'))
echo "folders: ${folders[@]}"
echo "example: ${{ inputs.example }}"
example_lower=$(echo "CodeGen" | tr '[:upper:]' '[:lower:]')
Copy link
Collaborator

@chensuyue chensuyue Apr 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why CodeGen here? Test code?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chensuyue chensuyue chensuyue left review comments

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ZePan110 @chensuyue