hugo/docs/content/en/about/security-model/index.md

---
title: Hugo's Security Model
description: A summary of Hugo's security model.
layout: single
keywords: ["Security", "Privacy"]
menu:
  docs:
    parent: about
    weight: 4
weight: 5
aliases: [/security/]
toc: true
---
## Runtime Security
Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.
But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).
**Hugo's main approach is that of sandboxing and a security policy with strict defaults:**
* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have read-only access to the filesystem.
* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
## Security Policy
Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar.
The default configuration is listed below. Any build that uses a feature not covered by the security policy's allow lists will fail with a detailed message about what needs to be done. Most of these settings are allow lists: a string or a slice of strings interpreted as [Regular Expressions](https://pkg.go.dev/regexp), or the keyword `none`, which matches nothing.
{{< code-toggle config="security" />}}
Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:
```txt
HUGO_SECURITY_HTTP_URLS=none hugo
```
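As an added illustration (not Hugo's own code), the following Go program models the allow-list semantics described above: each setting is a string or a slice of Go regular expressions, or `none`, which matches nothing. It also shows why patterns should be anchored with `^` and `$`, since matching is a plain regexp search, and that an allow list of `none` is the config-file counterpart of the `HUGO_SECURITY_HTTP_URLS=none` override shown above.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowList models one setting of the security policy: a single pattern,
// a slice of patterns, or the keyword "none", which matches nothing.
// Illustrative model only, not Hugo's implementation.
type allowList struct {
	patterns []*regexp.Regexp
}

// newAllowList accepts a string or a []string, as the configuration does.
func newAllowList(v interface{}) (allowList, error) {
	var raw []string
	switch t := v.(type) {
	case string:
		raw = []string{t}
	case []string:
		raw = t
	default:
		return allowList{}, fmt.Errorf("allow list must be a string or []string, got %T", v)
	}
	var al allowList
	for _, p := range raw {
		if p == "none" {
			// "none" is a keyword, not a regexp: it contributes no patterns,
			// so an allow list consisting only of "none" rejects everything.
			continue
		}
		re, err := regexp.Compile(p)
		if err != nil {
			return allowList{}, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		al.patterns = append(al.patterns, re)
	}
	return al, nil
}

// Accept reports whether value matches any pattern. This is an unanchored
// regexp search, so a pattern without ^ and $ also matches substrings.
func (al allowList) Accept(value string) bool {
	for _, re := range al.patterns {
		if re.MatchString(value) {
			return true
		}
	}
	return false
}

func main() {
	execAllow, _ := newAllowList([]string{`^postcss$`, `^go$`})
	fmt.Println(execAllow.Accept("postcss"), execAllow.Accept("sh")) // true false

	unanchored, _ := newAllowList("postcss") // missing ^ and $
	fmt.Println(unanchored.Accept("evil-postcss")) // true: anchor your patterns

	httpURLs, _ := newAllowList("none") // same effect as HUGO_SECURITY_HTTP_URLS=none
	fmt.Println(httpURLs.Accept("https://example.com/data.json")) // false
}
```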
## Dependency Security
Hugo is built as a static binary using [Go Modules](https://github.com/golang/go/wiki/Modules) to manage its dependencies. Go Modules have several safeguards, one of them being the `go.sum` file. This is a database of the expected cryptographic checksums of all of your dependencies, including transitive dependencies.
[Hugo Modules](/hugo-modules/) is a feature built on top of the functionality of Go Modules. Like Go Modules, a Hugo project using Hugo Modules will have a `go.sum` file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of [dependency tampering](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/).
## Web Application Security
These are the security threats as defined by [OWASP](https://en.wikipedia.org/wiki/OWASP).
For HTML output, this is the core security model:
<https://pkg.go.dev/html/template#hdr-Security_Model>
In short:
Template and configuration authors (you) are trusted, but the data you send in is not.
This is why you sometimes need to use the _safe_ functions, such as `safeHTML`, to avoid escaping of data you know is safe.
There is one exception to the above, as noted in the documentation: If you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.
It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.
For content, the default Markdown renderer is [configured](/getting-started/configuration-markup) to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.
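The trust boundary described above, as an added Go example (not Hugo's code): the template text is trusted, the field values are not, and `template.HTML` plays the role of Hugo's `safeHTML` by marking a value as already safe. The hostile field values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// page is the data a template receives. The template text is trusted (the
// author wrote it); the field values are not (they come from content/data).
type page struct {
	Title   string        // untrusted: contextually escaped as HTML text
	Summary template.HTML // marked safe, like Hugo's safeHTML: emitted verbatim
	URL     string        // untrusted: URL-attribute escaping applies
}

// render executes a trusted template over untrusted data and returns the HTML.
func render(tmplText string, p page) (string, error) {
	t, err := template.New("page").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, p); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Trusted template text: the author controls every tag and attribute.
const tmpl = `<h1>{{ .Title }}</h1><div>{{ .Summary }}</div><a href="{{ .URL }}">link</a>`

// demo renders constructed hostile data through the trusted template.
func demo() (string, error) {
	return render(tmpl, page{
		Title:   `<script>alert(1)</script>`,       // constructed: escaped to &lt;script&gt;...
		Summary: template.HTML(`<em>trusted</em>`), // author vouches for this markup
		URL:     `javascript:alert(1)`,              // constructed: unsafe scheme becomes #ZgotmplZ
	})
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```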