fix fnplugin storagemounts validation

api/internal/plugins/loader/loader.go

@@ -251,7 +251,7 @@ func (l *Loader) loadPlugin(res *resource.Resource) (resmap.Configurable, error)
 				return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
 					"mount paths must be relative to the current kustomization directory", res.OrgId(), mount.Src)
 			}
-			if strings.HasPrefix(filepath.Clean(mount.Src), "../") {
+			if strings.HasPrefix(filepath.Clean(mount.Src), "..") {
 				return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
 					"mount paths must be under the current kustomization directory", res.OrgId(), mount.Src)
 			}

api/internal/plugins/loader/loader_test.go

@@ -96,3 +96,43 @@ func TestLoaderWithWorkingDir(t *testing.T) {
 		npLdr.Config().FnpLoadingOptions.WorkingDir,
 		"the plugin working dir is not updated")
 }
+
+func TestLoaderWithStorageMounts(t *testing.T) {
+	const storageMountTransformer = `
+apiVersion: com.example.kustomize/v1
+kind: Test
+metadata:
+  name: test-transformer
+  annotations:
+    config.kubernetes.io/function: |
+      container:
+        image: test
+        mounts:
+          - type: bind
+            src: ../
+            dst: /mount
+`
+	p := provider.NewDefaultDepProvider()
+	rmF := resmap.NewFactory(p.GetResourceFactory())
+	fsys := filesys.MakeFsInMemory()
+	fLdr, err := loader.NewLoader(
+		loader.RestrictionRootOnly,
+		filesys.Separator, fsys)
+	if err != nil {
+		t.Fatal(err)
+	}
+	configs, err := rmF.NewResMapFromBytes([]byte(storageMountTransformer))
+	if err != nil {
+		t.Fatal(err)
+	}
+	c := types.EnabledPluginConfig(types.BploLoadFromFileSys)
+	pLdr := NewLoader(c, rmF, fsys)
+	if pLdr == nil {
+		t.Fatal("expect non-nil loader")
+	}
+	_, err = pLdr.LoadTransformers(
+		fLdr, valtest_test.MakeFakeValidator(), configs)
+	if err == nil { // should fail because src specified is outside root
+		t.Fatal("the loader allowed a mount outside root")
+	}
+}