fix regex security check

Signed-off-by: xliuqq <xlzq1992@gmail.com>

pkg/common/label.go

@@ -51,8 +51,9 @@ const (
 )
 
 var (
-	// fluid cache label for scheduling pod, format: 'fluid.io/dataset.{dataset name}.sched]'
-	LabelAnnotationPodSchedRegex = regexp.MustCompile("^" + LabelAnnotationDataset + "\\.([A-Za-z0-9.-]*)\\.sched$")
+	// LabelAnnotationPodSchedRegex is the fluid cache label for scheduling pod, format: 'fluid.io/dataset.{dataset name}.sched]'
+	// use string literal to meet security check.
+	LabelAnnotationPodSchedRegex = regexp.MustCompile("^fluid\\.io/dataset\\.([A-Za-z0-9.-]*)\\.sched$")
 )
 
 type OperationType string

pkg/common/label_test.go

@@ -232,3 +232,33 @@ func TestHitTarget(t *testing.T) {
 	}
 
 }
+
+func TestLabelAnnotationPodSchedRegex(t *testing.T) {
+	testCases := map[string]struct {
+		target string
+		got    string
+		match  bool
+	}{
+		"correct": {
+			target: LabelAnnotationDataset + ".dsA.sched",
+			match:  true,
+			got:    "dsA",
+		},
+		"wrong": {
+			target: "fluidaio/dataset.dsA.sched",
+			match:  false,
+		},
+	}
+
+	for index, item := range testCases {
+		submatch := LabelAnnotationPodSchedRegex.FindStringSubmatch(item.target)
+
+		if !item.match && len(submatch) == 2 {
+			t.Errorf("[%s] check match, want:%t, got:%t", index, item.match, len(submatch) == 2)
+		}
+
+		if len(submatch) == 2 && submatch[1] != item.got {
+			t.Errorf("[%s] check failure, want:%s, got:%s", index, item.got, submatch[1])
+		}
+	}
+}