From e115ba6240c03ee4c21111c778b61abcc92bc0c6 Mon Sep 17 00:00:00 2001
From: totegamma
Date: Thu, 10 Jul 2025 22:08:22 +0900
Subject: [PATCH 1/2] fix fnplugin storagemounts validation
---
 api/internal/plugins/loader/loader.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/internal/plugins/loader/loader.go b/api/internal/plugins/loader/loader.go
index 2edf8791f..afae8940d 100644
--- a/api/internal/plugins/loader/loader.go
+++ b/api/internal/plugins/loader/loader.go
@@ -251,7 +251,7 @@ func (l *Loader) loadPlugin(res *resource.Resource) (resmap.Configurable, error)
 return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
 "mount paths must be relative to the current kustomization directory", res.OrgId(), mount.Src)
 }
- if strings.HasPrefix(filepath.Clean(mount.Src), "../") {
+ if strings.HasPrefix(filepath.Clean(mount.Src), "..") {
 return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
 "mount paths must be under the current kustomization directory", res.OrgId(), mount.Src)
 }
From 4bdc3f3f7e127c1ebec0177854a665717ec85d5f Mon Sep 17 00:00:00 2001
From: totegamma
Date: Thu, 11 Sep 2025 21:40:16 +0900
Subject: [PATCH 2/2] add test for plugin loader
---
 api/internal/plugins/loader/loader_test.go | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/api/internal/plugins/loader/loader_test.go b/api/internal/plugins/loader/loader_test.go
index fd95a358c..b2154c0be 100644
--- a/api/internal/plugins/loader/loader_test.go
+++ b/api/internal/plugins/loader/loader_test.go
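Review bot: In the `loadPlugin` hunk of `loader.go`, the new test `strings.HasPrefix(filepath.Clean(mount.Src), "..")` catches a cleaned path of exactly `..`, but it also rejects legitimate in-tree names that merely begin with two dots, such as `..data` or `...cache`. Matching on the path element keeps the traversal check exact: `if c := filepath.Clean(mount.Src); c == ".." || strings.HasPrefix(c, ".."+string(filepath.Separator)) {` (or `!filepath.IsLocal(mount.Src)` if the module's Go version is 1.20 or later). Both forms are purely lexical, so a symlink inside the kustomization directory that points outside it would presumably still pass; whether that is resolved elsewhere is not visible here, since `loadPlugin` starts and ends outside the hunk. A comment above the check, e.g. `// Clean("../") yields "..", so match the bare element as well as "../…"`, would record why the old `"../"` prefix was insufficient.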
@@ -96,3 +96,43 @@ func TestLoaderWithWorkingDir(t *testing.T) {
 npLdr.Config().FnpLoadingOptions.WorkingDir,
 "the plugin working dir is not updated")
 }
+
+func TestLoaderWithStorageMounts(t *testing.T) {
+ const storageMountTransformer = `
+apiVersion: com.example.kustomize/v1
+kind: Test
+metadata:
+ name: test-transformer
+ annotations:
+ config.kubernetes.io/function: |
+ container:
+ image: test
+ mounts:
+ - type: bind
+ src: ../
+ dst: /mount
+`
+ p := provider.NewDefaultDepProvider()
+ rmF := resmap.NewFactory(p.GetResourceFactory())
+ fsys := filesys.MakeFsInMemory()
+ fLdr, err := loader.NewLoader(
+ loader.RestrictionRootOnly,
+ filesys.Separator, fsys)
+ if err != nil {
+ t.Fatal(err)
+ }
+ configs, err := rmF.NewResMapFromBytes([]byte(storageMountTransformer))
+ if err != nil {
+ t.Fatal(err)
+ }
+ c := types.EnabledPluginConfig(types.BploLoadFromFileSys)
+ pLdr := NewLoader(c, rmF, fsys)
+ if pLdr == nil {
+ t.Fatal("expect non-nil loader")
+ }
+ _, err = pLdr.LoadTransformers(
+ fLdr, valtest_test.MakeFakeValidator(), configs)
+ if err == nil { // should fail because src specified is outside root
+ t.Fatal("the loader allowed a mount outside root")
+ }
+}
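Review bot: The final assertion in `TestLoaderWithStorageMounts` only checks `err == nil`, so the test passes on any failure of `LoadTransformers` and would not notice if the mount-path guard regressed while some unrelated error remained. Pin the rejection to the guard, e.g. `if err == nil || !strings.Contains(err.Error(), "mount paths must be under the current kustomization directory") {` (this needs `strings` in the test file's imports, which are outside the hunk). The only input exercised is `src: ../`; cases for a bare `..`, a nested escape such as `a/../../b`, and an in-tree path that must be accepted would cover both directions of the check. A doc comment such as `// TestLoaderWithStorageMounts verifies that a function plugin whose bind mount resolves outside the kustomization root is rejected.` would state the intent.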