Commit graph

17 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
7be0377505 deps: Upgrade github.com/bep/gitmap v1.4.0 => v1.6.0 (note)
Closes #8627
2024-07-17 10:54:28 +02:00
Bjørn Erik Pedersen
e1317dd322 Add css.TailwindCSS
Closes #12618
Closes #12620
2024-06-25 15:48:02 +02:00
Joe Mooring
b6def61727 config/security: Add SYSTEMDRIVE to OsEnv allowlist 2024-02-01 15:10:05 +01:00
Bjørn Erik Pedersen
9f978d387f
Pull in the latest code from Go's template packages (#11771)
Fixes #10707
Fixes #11507
2023-12-04 12:07:54 +01:00
David Karlsson
6c9ea022a9
config: Expand default security.exec.osEnv policy
To better support private Hugo modules and automatically
launching a text editor on content creation, this change
adds the following environment variables to the default
security policy:

- HOME
- XDG_CONFIG_HOME
- USERPROFILE
- SSH_AUTH_SOCK
- DISPLAY
- LANG

Fixes #9333
2023-07-07 13:54:06 +02:00
Bjørn Erik Pedersen
7f698c8934
Don't panic on invalid security whitelist regexp
Fixes #11176
2023-06-28 08:57:28 +02:00
Bjørn Erik Pedersen
ee359df172 Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b  added.

This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).

This will throw an error saying "... appears in a JS template literal".

If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:

```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```

See https://github.com/golang/go/issues/59234

Fixes #11112
2023-06-15 23:04:33 +02:00
Bjørn Erik Pedersen
f210188da3 Upgrade to v2 of the Dart Sass Embedded Protocol
Fixes #11059
2023-06-12 13:47:38 +02:00
Bjørn Erik Pedersen
2637b4ef4d Allow whitelisting mediaTypes used in resources.GetRemote
Fixes #10286
2023-05-20 20:16:45 +02:00
Bjørn Erik Pedersen
241b21b0fd Create a struct with all of Hugo's config options
Primary motivation is documentation, but it will also hopefully simplify the code.

Also,

* Lower case the default output format names; this is in line with the custom ones (map keys) and how
it's treated all the places. This avoids doing `stringds.EqualFold` everywhere.

Closes #10896
Closes #10620
2023-05-16 18:01:29 +02:00
Bjørn Erik Pedersen
c6b3887696
config/security: Add O\w+ (e.g. GOROOT) to the default allowed list
Fixes #10429
2023-01-17 10:52:51 +01:00
septs
dc44bca963
config/security: Add CI env var to whitelist 2022-12-02 12:13:34 +01:00
Mathieu Parent
86653fa38e
config/security: Allow proxy variables in subcommands
In particular for go get
2022-09-19 12:37:35 +02:00
Bjørn Erik Pedersen
b80853de90
all: gofmt -w -r 'interface{} -> any' .
Updates #9687
2022-03-17 22:03:27 +01:00
Bjørn Erik Pedersen
623dda7174 Revert "config/security: Add HOME to default exec env var whitelist"
There have been one report in the wild suggesting that this needs to be tested better before doing:

https://discourse.gohugo.io/t/hugo-mod-failing-in-v0-91-1-but-works-in-v0-91-0/36180/5

This reverts commit fca266ebbb.
2021-12-23 16:23:15 +01:00
Bjørn Erik Pedersen
fca266ebbb config/security: Add HOME to default exec env var whitelist
See #9309
2021-12-22 11:33:59 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00