Needs escaping

EDIT (2025-10-20): Added an example of bad f:

. | .name=strenv(SOME_SECRET_ENV) | select(.

I tested numerous escaping approaches as asked, but it breaks the yq expressions. What string escape approach would you recommend? Thanks @AkihiroSuda

@AkihiroSuda I don't see why this needs escaping. The filter expression should be inserted literally inside the select().

Without escaping the code looks vulnerable to "Bobby Tables".
Unlikely to result in breaking data in our case though

How is this different from any code you specify via --yq? The only difference is that the --filter argument is wrapped inside a select() call.

The user can literally send the same command via --yq "$(printf "select(%s)" "$FILTER")".

Any escaping would simply break the filter expression.

Can't we just add a new option in the YQ library to prohibit accessing envs?

I don't know; there doesn't seem to be an easy way to pass settings to the env operator etc.

I agree that this would be a good enhancement (so we could make it apply to all our yqlib calls), but for limactl list it seems like overkill because I don't see an easy way to implement it.

@AkihiroSuda Are you ok with using os.Clearenv() in this particular case (limactl list, just before calling yqlib, printing the result, and exiting)?

I suspect @olamilekan000 is waiting for a decision before addressing the remaining issues, so this would be blocking it from being included in Lima 2.0.

Yes. That's what I am waiting for

I still don't like to approve os.Clearenv() even if it works for the particular case, for long-term maintainability.

Is there any reason that we have to rush to merge this in v2.0?

What if we just support --format table with --yq?

Originally posted by @AkihiroSuda in #4187 (comment)

Maybe we do not need this flag. We can just add --yq select() examples to --help and call it a day

That's why I wrote in #4007:

This alone doesn't seem worthwhile, but I would want --filter to also work with --format table and --format '{{GO-TMPL}}'.

So you can do this (which isn't possible with --yq):

❯ cat ~/bin/limactl-ps
#!/bin/sh
limactl ls --filter '.status == "Running"' "$@"

❯ l ps
NAME       STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY    DISK      DIR
docker     Running    127.0.0.1:60763    vz        aarch64    4       4GiB      100GiB    ~/.lima/docker
qemu       Running    127.0.0.1:63754    qemu      aarch64    4       4GiB      100GiB    ~/.lima/qemu

❯ l ps -f '.config.vmType == "vz"'
NAME       STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY    DISK      DIR
docker     Running    127.0.0.1:60763    vz        aarch64    4       4GiB      100GiB    ~/.lima/docker

I've not had time yet to review this PR to see if this is properly implemented.

What if we just support --format table with --yq?

I think you should be able to combine --filter and --yq as long as the output format is json or yaml.

So you could just drop the check here because yq is already incompatible with the other output formats.

This isn't too clear to me but is there anything wrong with the way it currently is?

Yes:

❯ l ls -l '.status == "Running"'
NAME          STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY    DISK      DIR
alpine-iso    Running    127.0.0.1:50496    vz        aarch64    4       4GiB      100GiB    ~/.lima/alpine-iso

❯ l ls -l '.status == "Running"' --yq .name
FATA[0000] option --filter conflicts with option --yq

❯ l ls --yq 'select(.status == "Running")' --yq .name
alpine-iso

I expect the last 2 commands to work exactly the same. There is no reason for the len(yq) check to exist.

@AkihiroSuda I don't see why this needs escaping. The filter expression should be inserted literally inside the select().

Despite what the --help output says, every string except table, json, and yaml is treated as a Go template, so the check for the double braces prefix/suffix is not correct:

❯ l ls -f 'Name is: {{.Name}}'
Name is: alpine-iso
Name is: alpine-lima-3.22.2
Name is: foo

Always use %q when printing use input.

Also applies to the next error message.

Is this AND-matching or OR-matching?

I assume you want the description updated to clarify.

It is AND so you can do this:

❯ cat ~/bin/limactl-ps
#!/bin/sh
limactl ls --filter 'select(.status == "Running")' "$@"

❯ l ls
NAME                  STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY      DISK      DIR
alpine-iso            Running    127.0.0.1:50496    vz        aarch64    4       4GiB        100GiB    ~/.lima/alpine-iso
alpine-lima-3.22.2    Stopped    127.0.0.1:0        vz        aarch64    4       4GiB        100GiB    ~/.lima/alpine-lima-3.22.2
default               Running    127.0.0.1:54512    qemu      aarch64    4       4GiB        100GiB    ~/.lima/default
foo                   Stopped    127.0.0.1:0        vz        aarch64    4       1.177MiB    100GiB    ~/.lima/foo

❯ l ps
NAME          STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY    DISK      DIR
alpine-iso    Running    127.0.0.1:50496    vz        aarch64    4       4GiB      100GiB    ~/.lima/alpine-iso
default       Running    127.0.0.1:54512    qemu      aarch64    4       4GiB      100GiB    ~/.lima/default

❯ l ps -l '.vmType == "vz"'
NAME          STATUS     SSH                VMTYPE    ARCH       CPUS    MEMORY    DISK      DIR
alpine-iso    Running    127.0.0.1:50496    vz        aarch64    4       4GiB      100GiB    ~/.lima/alpine-iso

I don't think this is useful. The whole point of --filter and --yq is to provide YQ expressions that are going to be evaluated. There is no vulnerability; the expression is provided by the user themselves.

And we already get an error when the YQ expression is invalid, e.g.

❯ l ls -l '.vmType =='
FATA[0000] failed to apply filter select(.vmType ==): '==' expects 2 args but there is 1

So I don't understand the purpose of this "validation", especially since it might make legitimate use cases invalid (e.g. you are restricting which characters are allowed inside literal strings).

The l shorthand should be probably reserved for --label

• Feature suggestion: labels for VMs and disks (and networks) #3240