Allow whitelisting mediaTypes used in resources.GetRemote

Fixes #10286
This commit is contained in:
Bjørn Erik Pedersen 2023-05-20 17:37:04 +02:00
parent 7c7baa6183
commit 2637b4ef4d
5 changed files with 41 additions and 7 deletions


@ -88,6 +88,9 @@ type HTTP struct {
// HTTP methods to allow. // HTTP methods to allow.
Methods Whitelist `json:"methods"` Methods Whitelist `json:"methods"`
// Media types where the Content-Type in the response is used instead of resolving from the file content.
MediaTypes Whitelist `json:"mediaTypes"`
} }
// ToTOML converts c to TOML with [security] as the root. // ToTOML converts c to TOML with [security] as the root.
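Review bot: The new doc comment on MediaTypes describes the mechanism but not the trust decision the option makes, which is what a reader of a `[security]` setting needs before enabling it. Whitelisting a type means the remote server's Content-Type header is believed for that response instead of the file content being inspected, so the comment could read `// Media types where the Content-Type in the response is used instead of resolving from the file content.` followed by `// Listing a type here means the remote server's Content-Type header is trusted for it, so only add types from origins you control or have checked.` The caller in remote.go passes `res.Header.Get("Content-Type")` to Accept unmodified, so if Whitelist matches against the raw header value it would also help to say whether parameters such as `; charset=utf-8` take part in the match.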


@ -163,8 +163,10 @@ func TestDecodeConfigDefault(t *testing.T) {
c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue) c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue) c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse) c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
c.Assert(pc.HTTP.MediaTypes.Accept("application/msword"), qt.IsFalse)
c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue)
c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse)
} }


@ -138,9 +138,9 @@ func TestSecurityPolicies(t *testing.T) {
} }
cb := func(b *sitesBuilder) { cb := func(b *sitesBuilder) {
b.WithConfigFile("toml", ` b.WithConfigFile("toml", `
[security] [security]
[security.exec] [security.exec]
allow="none" allow="none"
`) `)
b.WithTemplatesAdded("index.html", `{{ $scss := "body { color: #333; }" | resources.FromString "foo.scss" | resources.ToCSS (dict "transpiler" "dartsass") }}`) b.WithTemplatesAdded("index.html", `{{ $scss := "body { color: #333; }" | resources.FromString "foo.scss" | resources.ToCSS (dict "transpiler" "dartsass") }}`)
@ -166,6 +166,28 @@ func TestSecurityPolicies(t *testing.T) {
[security] [security]
[security.http] [security.http]
urls="none" urls="none"
`)
})
})
c.Run("resources.GetRemote, fake JSON", func(c *qt.C) {
c.Parallel()
httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, `(?s).*failed to resolve media type.*`,
func(b *sitesBuilder) {
b.WithConfigFile("toml", `
`)
})
})
c.Run("resources.GetRemote, fake JSON whitelisted", func(c *qt.C) {
c.Parallel()
httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, ``,
func(b *sitesBuilder) {
b.WithConfigFile("toml", `
[security]
[security.http]
mediaTypes=["application/json"]
`) `)
}) })
}) })
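Review bot: The whitelisted variant asserts only that no error is produced (the empty expected pattern on the `httpTestVariant` call), so a pass does not demonstrate that the Content-Type header was honored rather than the 42-byte fixture happening to resolve some other way. Rendering the resolved type as well, e.g. `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.MediaType }}` with an expected pattern such as `application/json`, would pin the new behavior. This assumes the second argument of httpTestVariant is also matched against rendered output, which is not visible in this hunk; if it matches errors only, a separate assertion on the built output would serve the same purpose.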

BIN
hugolib/testdata/fakejson.json vendored Normal file



@ -171,10 +171,17 @@ func (c *Client) FromRemote(uri string, optionsm map[string]any) (resource.Resou
contentType := res.Header.Get("Content-Type") contentType := res.Header.Get("Content-Type")
if isHeadMethod { // For HEAD requests we have no body to work with, so we need to use the Content-Type header.
// We have no body to work with, so we need to use the Content-Type header. if isHeadMethod || c.rs.ExecHelper.Sec().HTTP.MediaTypes.Accept(contentType) {
var found bool
mediaType, found = c.rs.MediaTypes().GetByType(contentType)
if !found {
// A media type not configured in Hugo, just create one from the content type string.
mediaType, _ = media.FromString(contentType) mediaType, _ = media.FromString(contentType)
} else { }
}
if mediaType.IsZero() {
var extensionHints []string var extensionHints []string