Merge branch 'check_harmful_cmd' of https://github.com/opea-project/G…

…enAIExamples into check_harmful_cmd

Signed-off-by: Wenxin Zhang <wenxin.zhang@intel.com>

.github/workflows/_example-workflow.yml

@@ -69,12 +69,6 @@ jobs:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
 
-      - name: Check Dangerous Command Injection
-        run: |
-            export WORKSPACE=${{ github.workspace }}
-            cd ${{ github.workspace }}
-            bash -x .github/workflows/scripts/check_cmd_injection.sh
-
       - name: Clone Required Repo
         run: |
           cd ${{ github.workspace }}/${{ inputs.example }}/docker_image_build

.github/workflows/_get-test-matrix.yml

@@ -41,7 +41,14 @@ jobs:
         with:
           ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
-
+
+      - name: Check Dangerous Command Injection
+        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+        run: |
+              export WORKSPACE=${{ github.workspace }}
+              cd ${{ github.workspace }}
+              bash -x .github/workflows/scripts/check_cmd_injection.sh
+              
       - name: Get test matrix
         id: get-test-matrix
         run: |

.github/workflows/scripts/check_cmd_injection.sh

@@ -5,15 +5,16 @@
 set -e
 cd ${WORKSPACE}
 [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
+source .github/workflows/scripts/change_color
 # docker control/rm/scp/rsync/git cmd
 check_list=("docker stop" "docker rm" "docker kill" "sudo rm" "git .* -f")
 
 # exclude path
-exclude_check_path="${WORKSPACE}/.github/workflows/scripts"
+exclude_check_path=".github/workflows/scripts"
 
 # get change file lists (exclude delete files)
 git fetch origin main
-change_files=$(git diff main --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
+change_files=$(git diff FETCH_HEAD --name-status -- :^$exclude_check_path | grep -v "D" | awk '{print $2}')
 
 status="success"
 for file in ${change_files};
@@ -26,22 +27,13 @@ do
         exit 0
     fi
     # get added command
-    git diff main ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
-    #cat diff_file | while read line; do 
-    #    echo $line; 
-    #    for (( i=0; i<${#check_list[@]}; i++)); do 
-    #        if [[ $line == *"${check_list[$i]}"* ]]; then
-    #            echo "Found Dangerous Command: $line in $file, Please Check"
-    #            status="failed"
-    #        fi; 
-    #    done; 
-    #done
-    for (( i=0; i<${#check_list[@]}; i++)); do 
+    git diff FETCH_HEAD ${file} | grep "^\+.*" | grep -v "^+++" | sed "s|\+||g" > ${WORKSPACE}/diff_file
+    for (( i=0; i<${#check_list[@]}; i++)); do
         if [[ $(cat diff_file | grep -c "${check_list[$i]}") != 0 ]]; then
-            echo "Found Dangerous Command: $line in $file, Please Check"
+            $BOLD_RED && echo "Found Dangerous Command: [ ${check_list[$i]} ] in [ $file ], Please Check"
             status="failed"
-        fi; 
-    done; 
+        fi;
+    done;
 done
 [[ -f ${WORKSPACE}/diff_file ]] && rm -f ${WORKSPACE}/diff_file
 [[ $status == "failed" ]] && exit 1 || exit 0