fix: reject parent directory template locators

immanuwell · immanuwell · commit cf88ee2cc4ad · 2026-05-27T11:38:58.000+04:00
Signed-off-by: immanuwell &lt;pchpr.00@list.ru&gt;
diff --git a/pkg/limatmpl/abs.go b/pkg/limatmpl/abs.go
@@ -126,7 +126,7 @@ func absPath(locator, basePath string) (string, error) {
 			return "", errors.New("basePath is empty")
 		case basePath == "-":
 			return "", errors.New("can't use relative paths when reading template from STDIN")
-		case strings.Contains(locator, "../"):
+		case containsParentDir(locator):
 			return "", fmt.Errorf("relative locator path %q must not contain '../' segments", locator)
 		case volumeLen != 0:
 			return "", fmt.Errorf("relative locator path %q must not include a volume name", locator)
@@ -146,3 +146,14 @@ func absPath(locator, basePath string) (string, error) {
 	}
 	return withVolume(locator)
 }
+
+func containsParentDir(locator string) bool {
+	for _, segment := range strings.FieldsFunc(locator, func(r rune) bool {
+		return r == '/' || (runtime.GOOS == "windows" && r == '\\')
+	}) {
+		if segment == ".." {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/limatmpl/abs_test.go b/pkg/limatmpl/abs_test.go
@@ -249,6 +249,11 @@ func TestAbsPath(t *testing.T) {
 		assert.ErrorContains(t, err, "'../'")
 	})
 
+	t.Run("Relative parent directory locator must be underneath the basePath", func(t *testing.T) {
+		_, err = absPath("..", volume+"/root")
+		assert.ErrorContains(t, err, "'../'")
+	})
+
 	t.Run("locator must not be empty", func(t *testing.T) {
 		_, err = absPath("", "foo")
 		assert.ErrorContains(t, err, "locator is empty")
