Commit graph

92 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Bjørn Erik Pedersen
6c70e1f22f Fix error handling for the time func alias
Fixes #8835
2021-08-01 13:39:30 +02:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctnes, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Bjørn Erik Pedersen
f55d2f4376
tpl/fmt: Add erroridf template func
Fixes #8613
2021-06-07 19:11:03 +02:00
Ujjwal Goyal
c46fc838a9 tpl: Allow 'Querify' to take lone slice/interface argument
Querify can now take a lone string/interface slice (with string
keys) as a parameter, or multiple string parameters, to build
URL queries.

Querify earlier used 'Dictionary' to add key/value pairs to a
map to build URL queries. Changed to dynamically generate ordered
key/value pairs. Cannot take string slice as key (earlier
possible due to Dictionary).

Added tests and benchmarks for querify.

Closes #6735
2021-05-09 13:14:14 +02:00
Bjørn Erik Pedersen
e4dc9a82b5 tpl/collections: Fix where on type mismatches
Fixes #8353
2021-04-23 18:06:49 +02:00
Bjørn Erik Pedersen
bca40cf0c9 Fix Params case handling in where with slices of structs (e.g. Pages)
Fixes #7009
2021-04-21 19:28:18 +02:00
Phil Davis
04b89857e1
all: Fix minor typos 2020-12-16 12:11:32 +01:00
Bjørn Erik Pedersen
d90e37e0c6 all: Format code with gofumpt
See https://github.com/mvdan/gofumpt
2020-12-03 13:12:58 +01:00
Cameron Moore
6d95dc9d74 tpl: Fix reflection bug in merge
Value.Type().Key() must only be called on map values.

Fixes #7899
2020-10-29 19:19:41 +01:00
Cameron Moore
047af7cfe5 tpl: Extend merge to accept multiple parameters
Fixes #7595
2020-08-28 09:54:51 +02:00
Bjørn Erik Pedersen
42e150fbfa Fix server reload when non-HTML shortcode changes
Fixes #7448
2020-07-03 23:31:51 +02:00
Tom
04b1a6d997
Add support for sort by boolean 2020-05-02 11:57:34 +02:00
satotake
8279d2e227
Support unComparable args of uniq/complement/in
Fixes #6105
2020-03-09 13:32:38 +01:00
Carl Johnson
ae383f04c8 {{ in }} should work with html.Template type
Fixes #7002
2020-03-03 13:37:42 +01:00
Bjørn Erik Pedersen
c6d650c8c8
tpl/tplimpl: Rework template management to get rid of concurrency issues
This more or less completes the simplification of the template handling code in Hugo started in v0.62.

The main motivation was to fix a long lasting issue about a crash in HTML content files  without front matter.

But this commit also comes with a big functional improvement.

As we now have moved the base template evaluation to the build stage we now use the same lookup rules for `baseof` as for `list` etc. type of templates.

This means that in this simple example you can have a `baseof` template for the `blog` section without having to duplicate the others:

```
layouts
├── _default
│   ├── baseof.html
│   ├── list.html
│   └── single.html
└── blog
    └── baseof.html
```

Also, when simplifying code, you often get rid of some double work, as shown in the "site building" benchmarks below.

These benchmarks looks suspiciously good, but I have repeated the below with ca. the same result. Compared to master:

```
name                              old time/op    new time/op    delta
SiteNew/Bundle_with_image-16        13.1ms ± 1%    10.5ms ± 1%  -19.34%  (p=0.029 n=4+4)
SiteNew/Bundle_with_JSON_file-16    13.0ms ± 0%    10.7ms ± 1%  -18.05%  (p=0.029 n=4+4)
SiteNew/Tags_and_categories-16      46.4ms ± 2%    43.1ms ± 1%   -7.15%  (p=0.029 n=4+4)
SiteNew/Canonify_URLs-16            52.2ms ± 2%    47.8ms ± 1%   -8.30%  (p=0.029 n=4+4)
SiteNew/Deep_content_tree-16        77.9ms ± 1%    70.9ms ± 1%   -9.01%  (p=0.029 n=4+4)
SiteNew/Many_HTML_templates-16      43.0ms ± 0%    37.2ms ± 1%  -13.54%  (p=0.029 n=4+4)
SiteNew/Page_collections-16         58.2ms ± 1%    52.4ms ± 1%   -9.95%  (p=0.029 n=4+4)

name                              old alloc/op   new alloc/op   delta
SiteNew/Bundle_with_image-16        3.81MB ± 0%    2.22MB ± 0%  -41.70%  (p=0.029 n=4+4)
SiteNew/Bundle_with_JSON_file-16    3.60MB ± 0%    2.01MB ± 0%  -44.20%  (p=0.029 n=4+4)
SiteNew/Tags_and_categories-16      19.3MB ± 1%    14.1MB ± 0%  -26.91%  (p=0.029 n=4+4)
SiteNew/Canonify_URLs-16            70.7MB ± 0%    69.0MB ± 0%   -2.40%  (p=0.029 n=4+4)
SiteNew/Deep_content_tree-16        37.1MB ± 0%    31.2MB ± 0%  -15.94%  (p=0.029 n=4+4)
SiteNew/Many_HTML_templates-16      17.6MB ± 0%    10.6MB ± 0%  -39.92%  (p=0.029 n=4+4)
SiteNew/Page_collections-16         25.9MB ± 0%    21.2MB ± 0%  -17.99%  (p=0.029 n=4+4)

name                              old allocs/op  new allocs/op  delta
SiteNew/Bundle_with_image-16         52.3k ± 0%     26.1k ± 0%  -50.18%  (p=0.029 n=4+4)
SiteNew/Bundle_with_JSON_file-16     52.3k ± 0%     26.1k ± 0%  -50.16%  (p=0.029 n=4+4)
SiteNew/Tags_and_categories-16        336k ± 1%      269k ± 0%  -19.90%  (p=0.029 n=4+4)
SiteNew/Canonify_URLs-16              422k ± 0%      395k ± 0%   -6.43%  (p=0.029 n=4+4)
SiteNew/Deep_content_tree-16          401k ± 0%      313k ± 0%  -21.79%  (p=0.029 n=4+4)
SiteNew/Many_HTML_templates-16        247k ± 0%      143k ± 0%  -42.17%  (p=0.029 n=4+4)
SiteNew/Page_collections-16           282k ± 0%      207k ± 0%  -26.55%  (p=0.029 n=4+4)
```

Fixes #6716
Fixes #6760
Fixes #6768
Fixes #6778
2020-01-22 09:39:49 +01:00
Bjørn Erik Pedersen
ccb1bf1abb
tpl/collections: Some more params merge adjustments
* If the end result is maps.Params, we need to lower the keys
* Also make sure to handle nested maps of different type

Update #6633
2019-12-19 20:50:30 +01:00
Bjørn Erik Pedersen
1b785a7a6d
tpl/collections: Fix merge vs Params
Fixes #6633
2019-12-18 21:31:34 +01:00
Bjørn Erik Pedersen
a03c631c42
Rework template handling for function and map lookups
This is a big commit, but it deletes lots of code and simplifies a lot.

* Resolving the template funcs at execution time means we don't have to create template clones per site
* Having a custom map resolver means that we can remove the AST lower case transformation for the special lower case Params map

Not only is the above easier to reason about, it's also faster, especially if you have more than one language, as in the benchmark below:

```
name                          old time/op    new time/op    delta
SiteNew/Deep_content_tree-16    53.7ms ± 0%    48.1ms ± 2%  -10.38%  (p=0.029 n=4+4)

name                          old alloc/op   new alloc/op   delta
SiteNew/Deep_content_tree-16    41.0MB ± 0%    36.8MB ± 0%  -10.26%  (p=0.029 n=4+4)

name                          old allocs/op  new allocs/op  delta
SiteNew/Deep_content_tree-16      481k ± 0%      410k ± 0%  -14.66%  (p=0.029 n=4+4)
```

This should be even better if you also have lots of templates.

Closes #6594
2019-12-12 10:04:35 +01:00
Bjørn Erik Pedersen
167c01530b
Create lightweight forks of text/template and html/template
This commit also removes support for Ace and Amber templates.

Updates #6594
2019-12-12 09:59:34 +01:00
Bjørn Erik Pedersen
a3fe5e5e35
Fix Params case handling in the index, sort and where func
This means that you can now do:

```
{{ range where .Site.Pages "Params.MYPARAM" "foo" }}
```
2019-11-22 18:41:50 +01:00
Bjørn Erik Pedersen
a2670bf460 tpl/collections: Allow dict to create nested structures
Fixes #6497
2019-11-11 21:55:16 +01:00
Bjørn Erik Pedersen
90d0cdf236
tpl/collections: Add collections.Reverse
Fixes #6499
2019-11-11 18:33:22 +01:00
Bjørn Erik Pedersen
95ef93be66
tpl/collections: Make index work with slice as the last arg
Fixes #6496
2019-11-11 13:54:57 +01:00
Bjørn Erik Pedersen
5f6b6ec689
Prepare for Goldmark
This commmit prepares for the addition of Goldmark as the new Markdown renderer in Hugo.

This introduces a new `markup` package with some common interfaces and each implementation in its own package.

See #5963
2019-11-06 19:09:08 +01:00
Bjørn Erik Pedersen
9f46a72c7e tpl/collections: Add some index map test cases
See #3974
2019-11-04 11:13:27 +01:00
Baibhav Vatsa
65b7d4221b tpl: Modify error messages of after, first, and last
Modified the messages functions after, first, and last threw on being passed invalid parameters (index or limit) to be more standardised and resemble what Go compiler would throw.

Fixes #6415
2019-10-12 18:07:46 +02:00
Baibhav Vatsa
0e75af74db tpl: Last now accepts 0 as limit
Modified the if conditional because of which last threw an error if 0 was passed as limit. The function now returns an empty slice if it is called with 0 as limit. The behavior of first and last is now the same when 0 is passed as limit. Also added tests to test the new behavior.

Fixes #6419
2019-10-11 20:34:51 +02:00
Baibhav Vatsa
096a4b67b9 tpl: After now accepts 0 as index
Modified the if conditional because of which after threw an error if called with 0 as index. The function now returns the whole original slice if 0 is passed as an index. Also added tests to test the new behavior.

Fixes #6388
2019-10-11 08:35:27 +02:00
Bjørn Erik Pedersen
9e57182705
tests: Convert from testify to quicktest 2019-08-12 13:26:32 +02:00
Christian Muehlhaeuser
c577a9ed23 Fixed ineffectual assignments
Dropped/fixed ineffectual assignments after static code analysis.
2019-08-10 20:11:51 +02:00
XhmikosR
f7f549e3a7 Fix assorted typos 2019-08-01 13:55:48 +02:00
Bjørn Erik Pedersen
53077b0da5
Merge pull request #6149 from bep/sort-caseinsensitive
Implement lexicographically string sorting
2019-08-01 10:19:19 +02:00
Bjørn Erik Pedersen
c624a77992 tpl/collections: Add Merge function
Merges two maps recursively and returns a new one. Merge is case-insensitive.

Fixes #5992
2019-07-15 20:47:35 +02:00
Bjørn Erik Pedersen
e8a716b23a tpl/collections: Fix slice type handling in sort
The `sort` template func was producing a `[]page.Page` which did not work in `.Paginate`.

Fixes #6023
2019-06-10 08:32:44 +02:00
Bjørn Erik Pedersen
8d898ad667 tpl/collections: Unwrap any interface value in sort and where
Hugo `0.55.0` introduced some new interface types for `Page` etc.

This worked great in general, but there were cases where this would fail in `where` and `sort`.

One such example would be sorting by `MenuItem.Page.Date` where `Page` on `MenuItem` was a small subset of the bigger `page.Page` interface.

This commit fixes that by unwrapping such interface values.

Fixes #5989
2019-06-09 16:54:36 +02:00
Anton Harniakou
fb007e9ae5 tpl/collections: Convert numeric values to float64 and compare them
Fixes #5685
2019-05-30 11:32:58 +02:00
Cameron Moore
f76e50118b tpl: Provide more detailed errors in Where 2019-04-27 09:54:22 +02:00
Bjørn Erik Pedersen
7fbfedf013
tpl/collections: Return error on invalid input in in
See #5875
2019-04-19 08:58:12 +02:00
Bjørn Erik Pedersen
06f56fc983 tpl/collections: Make Pages etc. work with the in func
Fixes #5875
2019-04-18 23:42:01 +02:00
Bjørn Erik Pedersen
d7a67dcb51 tpl/collections: Make Pages etc. work in uniq
Fixes #5852
2019-04-18 16:50:13 +02:00
Bjørn Erik Pedersen
b5f39d23b8 all: Apply staticcheck recommendations 2019-03-24 16:14:51 +01:00
Bjørn Erik Pedersen
d30e845485
Run gofmt -s 2019-03-23 20:15:06 +01:00
Bjørn Erik Pedersen
597e418cb0
Make Page an interface
The main motivation of this commit is to add a `page.Page` interface to replace the very file-oriented `hugolib.Page` struct.
This is all a preparation step for issue  #5074, "pages from other data sources".

But this also fixes a set of annoying limitations, especially related to custom output formats, and shortcodes.

Most notable changes:

* The inner content of shortcodes using the `{{%` as the outer-most delimiter will now be sent to the content renderer, e.g. Blackfriday.
  This means that any markdown will partake in the global ToC and footnote context etc.
* The Custom Output formats are now "fully virtualized". This removes many of the current limitations.
* The taxonomy list type now has a reference to the `Page` object.
  This improves the taxonomy template `.Title` situation and make common template constructs much simpler.

See #5074
Fixes #5763
Fixes #5758
Fixes #5090
Fixes #5204
Fixes #4695
Fixes #5607
Fixes #5707
Fixes #5719
Fixes #3113
Fixes #5706
Fixes #5767
Fixes #5723
Fixes #5769
Fixes #5770
Fixes #5771
Fixes #5759
Fixes #5776
Fixes #5777
Fixes #5778
2019-03-23 18:51:22 +01:00
Anton Harniakou
908692fae5 Support nested keys/fields with missing values with the where function
Before this commit `where` would produce an error and bail building the
site. Now, `where` simply skips an element of a collection and does not
add it to the final result.

Closes #5637
Closes #5416
2019-02-06 19:53:34 +01:00
Cameron Moore
30a7c9ea37 tpl: Add godoc packages comments
Also fix package name in tpl/templates.
2018-11-30 08:56:30 +01:00
Cameron Moore
112461fded tpl/collections: Add float64 support to where
Fixes #5466
2018-11-27 09:04:02 +01:00
Bjørn Erik Pedersen
79a06aa4b6
tpl/collections: Properly handle pointer types in complement/symdiff
We cannot compare them by values, because that gets `hash of unhashable type` for the prime use case.
2018-11-07 09:29:13 +01:00
Bjørn Erik Pedersen
488776b649 tpl/collections: Add collections.SymDiff
Fixes #5410
2018-11-06 16:51:49 +01:00
Bjørn Erik Pedersen
42d8dfc8c8 tpl/collections: Add collections.Complement
Fixes #5400
2018-11-06 08:48:58 +01:00