fix: reject parent directory template locators

Signed-off-by: immanuwell <pchpr.00@list.ru>

Author: immanuwell

pkg/limatmpl/abs.go

@@ -11,6 +11,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 
 	"github.com/lima-vm/lima/v2/pkg/localpathutil"
@@ -126,7 +127,7 @@ func absPath(locator, basePath string) (string, error) {
 			return "", errors.New("basePath is empty")
 		case basePath == "-":
 			return "", errors.New("can't use relative paths when reading template from STDIN")
-		case strings.Contains(locator, "../"):
+		case containsParentDir(locator):
 			return "", fmt.Errorf("relative locator path %q must not contain '../' segments", locator)
 		case volumeLen != 0:
 			return "", fmt.Errorf("relative locator path %q must not include a volume name", locator)
@@ -146,3 +147,9 @@ func absPath(locator, basePath string) (string, error) {
 	}
 	return withVolume(locator)
 }
+
+func containsParentDir(locator string) bool {
+	return slices.Contains(strings.FieldsFunc(locator, func(r rune) bool {
+		return r == '/' || (runtime.GOOS == "windows" && r == '\\')
+	}), "..")
+}

pkg/limatmpl/abs_test.go

@@ -249,6 +249,11 @@ func TestAbsPath(t *testing.T) {
 		assert.ErrorContains(t, err, "'../'")
 	})
 
+	t.Run("Relative parent directory locator must be underneath the basePath", func(t *testing.T) {
+		_, err = absPath("..", volume+"/root")
+		assert.ErrorContains(t, err, "'../'")
+	})
+
 	t.Run("locator must not be empty", func(t *testing.T) {
 		_, err = absPath("", "foo")
 		assert.ErrorContains(t, err, "locator is empty")