fix: validate backport branch name (#9548)

.github/workflows/backport.yaml

@@ -44,8 +44,12 @@ jobs:
         env:
           COMMENT_BODY: ${{ github.event.comment.body }}
         run: |
-          BRANCH_NAME=$(echo $COMMENT_BODY | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+          BRANCH_NAME=$(echo "$COMMENT_BODY" | grep -oE '@aqua-bot backport\s+(\S+)' | awk '{print $3}')
+          if [[ -z "$BRANCH_NAME" || "$BRANCH_NAME" == *".."* || ! "$BRANCH_NAME" =~ ^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$ ]]; then
+            echo "Error: Invalid branch name extracted (unsafe characters detected)." >&2
+            exit 1
+          fi
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"
 
       - name: Set up Git user
         run: |
@@ -58,4 +62,4 @@ jobs:
           # This allows the created PR to trigger tests and other workflows
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
-        run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"
+        run: ./misc/backport/backport.sh "$BRANCH_NAME" "$ISSUE_NUMBER"