diff --git a/cmd/limactl/editflags/editflags.go b/cmd/limactl/editflags/editflags.go
index 6ff5f5f17aa..0447858fa56 100644
--- a/cmd/limactl/editflags/editflags.go
+++ b/cmd/limactl/editflags/editflags.go
@@ -68,7 +68,7 @@ func RegisterEdit(cmd *cobra.Command, commentPrefix string) {
 flags.Bool("rosetta", false, commentPrefix+"Enable Rosetta (for vz instances)")
- flags.StringArray("set", []string{}, commentPrefix+"Modify the template inplace, using yq syntax. Can be passed multiple times.")
+ flags.StringArray("set", []string{}, commentPrefix+"Modify the template inplace, using yq syntax. Can be passed multiple times. See 'limactl help yq-restrictions' for limitations.")
 flags.StringArray("param", []string{}, commentPrefix+"Set a template parameter, e.g. name=value. Can be passed multiple times.")
 flags.Uint16("ssh-port", 0, commentPrefix+"SSH port (0 for random)") // colima-compatible
diff --git a/cmd/limactl/main.go b/cmd/limactl/main.go
index ae803cdbd22..0f36337021b 100644
--- a/cmd/limactl/main.go
+++ b/cmd/limactl/main.go
@@ -210,6 +210,7 @@ func newApp() *cobra.Command {
 newCloneCommand(),
 newRenameCommand(),
 newWatchCommand(),
+ newYQRestrictionsHelpCommand(),
 )
 addPluginCommands(rootCmd)
diff --git a/cmd/limactl/start.go b/cmd/limactl/start.go
index 40a174529b9..9c55403fc24 100644
--- a/cmd/limactl/start.go
+++ b/cmd/limactl/start.go
@@ -57,6 +57,7 @@ func newCreateCommand() *cobra.Command {
 To create an instance "default" with yq expressions:
 $ limactl create --set='.cpus = 2 | .memory = "2GiB"'
+ Note: Some yq operators are restricted. See 'limactl help yq-restrictions'.
 To create an instance "default" with a template parameter:
 $ limactl create --name=default --param containerdSnapshotter=false template:docker
diff --git a/cmd/limactl/yq_restrictions.go b/cmd/limactl/yq_restrictions.go
new file mode 100644
index 00000000000..d543cd2da90
--- /dev/null
+++ b/cmd/limactl/yq_restrictions.go
@@ -0,0 +1,35 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+)
+
+func newYQRestrictionsHelpCommand() *cobra.Command {
+ return &cobra.Command{
+ Use: "yq-restrictions",
+ Short: "Restrictions on yq expressions in Lima",
+ Long: `Lima uses yq (v4) syntax for the --set flag and provision mode "yq".
+
+Lima embeds yqlib (https://github.com/mikefarah/yq) as a library and
+disables several operators to prevent template expressions from reading
+the host environment or executing arbitrary commands:
+
+ Disabled by Lima:
+ - env (environment variable access)
+ - load, load_str (arbitrary file reads)
+
+ Disabled by yqlib default:
+ - system (arbitrary command execution)
+
+These restrictions exist because --set expressions and provision.yq
+expressions may come from untrusted template files. Allowing them to
+access environment variables, read files, or execute commands on the
+host would be a security risk.
+
+For full yq v4 expression syntax, see:
+ https://mikefarah.gitbook.io/yq/`,
+ }
+}
diff --git a/hack/bats/tests/yq.bats b/hack/bats/tests/yq.bats
index 89f034b29ac..8e51887cb6d 100644
--- a/hack/bats/tests/yq.bats
+++ b/hack/bats/tests/yq.bats
@@ -47,3 +47,8 @@ load "../helpers/load"
 run_e -1 limactl yq -n --security-disable-env-ops 'env(FOO)'
 assert_stderr "Error: env operations have been disabled"
 }
+
+@test 'yq multi-call command has system operations disabled by default' {
+ run -1 limactl yq -n 'system("echo hello")'
+ assert_output --partial "system operations are disabled"
+}
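Review bot: The `system` entry in the `Long` text rests on a yqlib default rather than on a setting Lima makes, so an upstream change of that default would leave this help text wrong and `--set` / `provision.yq` expressions from untrusted templates able to run commands. The code that configures the embedded evaluator is not in this diff; I would have it disable `system` explicitly there and reword the entry so it does not promise an upstream default. The context test in `hack/bats/tests/yq.bats` needs `--security-disable-env-ops` to get the env error, which suggests the `limactl yq` command does not apply these restrictions by default; if that is confirmed, the text should say so, e.g. `These restrictions apply to --set and provision mode "yq", not to the 'limactl yq' command.` The function also has no doc comment; something like `// newYQRestrictionsHelpCommand returns a help-only topic listing the yq operators Lima disables.` would do.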
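Review bot: The added test covers only the `limactl yq` multi-call command, while the path that takes expressions from untrusted templates is `--set` and provision mode "yq", which go through Lima's embedded evaluator. Unless a test outside this hunk already covers it, a companion case that passes the same `system(...)` expression through `--set` and expects a failure would catch a change in the yqlib default on the path that matters. On style, the test uses `run -1` with `assert_output --partial`, whereas the preceding test uses `run_e -1` and `assert_stderr`; following that pattern, `run_e -1 limactl yq -n 'system("echo hello")'` plus an `assert_stderr` check, would also pin that the message goes to stderr.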