mounts: prohibit relative paths in YAML

Relative paths are still allowed in CLI:
`limactl create --mount=DIR`

Fix issue 3948

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

cmd/limactl/editflags/editflags.go

@@ -16,6 +16,7 @@ import (
 	"github.com/spf13/cobra"
 	flag "github.com/spf13/pflag"
 
+	"github.com/lima-vm/lima/v2/pkg/localpathutil"
 	"github.com/lima-vm/lima/v2/pkg/registry"
 )
 
@@ -174,6 +175,10 @@ func buildMountListExpression(ss []string) (string, error) {
 	for i, s := range ss {
 		writable := strings.HasSuffix(s, ":w")
 		loc := strings.TrimSuffix(s, ":w")
+		loc, err := localpathutil.Expand(loc)
+		if err != nil {
+			return "", err
+		}
 		expr += fmt.Sprintf(`{"location": %q, "writable": %v}`, loc, writable)
 		if i < len(ss)-1 {
 			expr += ","

cmd/limactl/editflags/editflags_test.go

@@ -4,10 +4,13 @@
 package editflags
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/spf13/cobra"
 	"gotest.tools/v3/assert"
+
+	"github.com/lima-vm/lima/v2/pkg/localpathutil"
 )
 
 func TestCompleteCPUs(t *testing.T) {
@@ -160,6 +163,13 @@ func TestParsePortForward(t *testing.T) {
 }
 
 func TestYQExpressions(t *testing.T) {
+	expand := func(s string) string {
+		s, err := localpathutil.Expand(s)
+		assert.NilError(t, err)
+		// `D:\foo` -> `D:\\foo` (appears in YAML)
+		s = strings.ReplaceAll(s, "\\", "\\\\")
+		return s
+	}
 	tests := []struct {
 		name        string
 		args        []string
@@ -169,15 +179,15 @@ func TestYQExpressions(t *testing.T) {
 	}{
 		{
 			name:        "mount",
-			args:        []string{"--mount", "/foo", "--mount", "/bar:w"},
+			args:        []string{"--mount", "/foo", "--mount", "./bar:w"},
 			newInstance: false,
-			expected:    []string{`.mounts += [{"location": "/foo", "writable": false},{"location": "/bar", "writable": true}] | .mounts |= unique_by(.location)`},
+			expected:    []string{`.mounts += [{"location": "` + expand("/foo") + `", "writable": false},{"location": "` + expand("./bar") + `", "writable": true}] | .mounts |= unique_by(.location)`},
 		},
 		{
 			name:        "mount-only",
 			args:        []string{"--mount-only", "/foo", "--mount-only", "/bar:w"},
 			newInstance: false,
-			expected:    []string{`.mounts = [{"location": "/foo", "writable": false},{"location": "/bar", "writable": true}]`},
+			expected:    []string{`.mounts = [{"location": "` + expand("/foo") + `", "writable": false},{"location": "` + expand("/bar") + `", "writable": true}]`},
 		},
 		{
 			name:        "mixture of mount and mount-only",

pkg/limayaml/defaults.go

@@ -713,6 +713,15 @@ func FillDefault(ctx context.Context, y, d, o *limatype.LimaYAML, filePath strin
 				mounts[i].NineP.Cache = ptr.Of(Default9pCacheForRO)
 			}
 		}
+		// The location must be an absolute path or a path that begins with `~`.
+		// This condition should have been validated before reaching here in Load().
+		// FIXME: support Windows
+		if runtime.GOOS != "windows" && !filepath.IsAbs(mount.Location) && !localpathutil.IsTildePath(mount.Location) {
+			// NOTREACHED
+			err := fmt.Errorf("mount location %q must be an absolute path or a path that begins with `~`", mount.Location)
+			panic(err)
+		}
+		// Expand a path that begins with `~`. Relative paths are prohibited (see above, issue #3948).
 		if location, err := localpathutil.Expand(mount.Location); err == nil {
 			mounts[i].Location = location
 		} else {

pkg/limayaml/load.go

@@ -9,12 +9,14 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 
 	"github.com/sirupsen/logrus"
 
 	"github.com/lima-vm/lima/v2/pkg/limatype"
 	"github.com/lima-vm/lima/v2/pkg/limatype/dirnames"
 	"github.com/lima-vm/lima/v2/pkg/limatype/filenames"
+	"github.com/lima-vm/lima/v2/pkg/localpathutil"
 )
 
 // Load loads the yaml and fulfills unspecified fields with the default values.
@@ -69,6 +71,15 @@ func load(ctx context.Context, b []byte, filePath string, warn bool) (*limatype.
 		return nil, err
 	}
 
+	for _, mount := range y.Mounts {
+		// The location must be an absolute path or a path that begins with `~`.
+		// This has to be validated before calling FillDefault(), which may expand `~`.
+		// FIXME: support Windows
+		if runtime.GOOS != "windows" && !filepath.IsAbs(mount.Location) && !localpathutil.IsTildePath(mount.Location) {
+			return nil, fmt.Errorf("mount location %q must be an absolute path or a path that begins with `~`", mount.Location)
+		}
+	}
+
 	FillDefault(ctx, &y, &d, &o, filePath, warn)
 
 	return &y, nil

pkg/limayaml/load_test.go

@@ -4,6 +4,7 @@
 package limayaml
 
 import (
+	"runtime"
 	"testing"
 
 	"gotest.tools/v3/assert"
@@ -68,3 +69,39 @@ additionalDisks:
 	assert.Equal(t, y.AdditionalDisks[0].FSArgs[0], "-i")
 	assert.Equal(t, y.AdditionalDisks[0].FSArgs[1], "size=512")
 }
+
+func TestLoadMounts(t *testing.T) {
+	tests := []struct {
+		name    string
+		mounts  string
+		wantErr string
+	}{
+		{
+			name:    "Valid",
+			mounts:  `mounts: [{location: "/foo", writable: false}, {location: "~/foo", writable: true}]`,
+			wantErr: "",
+		},
+		{
+			name:   "Invalid (relative)",
+			mounts: `mounts: [{location: ".", writable: false}]`,
+			wantErr: func() string {
+				if runtime.GOOS == "windows" {
+					// FIXME: support Windows paths
+					return ""
+				}
+				return "must be an absolute path"
+			}(),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := Load(t.Context(), []byte(tt.mounts), "lima.yaml")
+			if tt.wantErr != "" {
+				assert.ErrorContains(t, err, tt.wantErr)
+			} else {
+				assert.NilError(t, err)
+			}
+		})
+	}
+}