Commit graph

98 commits

Author SHA1 Message Date
Oleksandr Redko
9009c8cdca all: Fix typos in function names and comments 2023-06-19 09:26:29 +02:00
Bjørn Erik Pedersen
7c9fada778 Replace the old log setup, with structured logging etc.
Fixes #11124
2023-06-18 13:03:04 +02:00
Bjørn Erik Pedersen
ee359df172 Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b  added.

This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).

This will throw an error saying "... appears in a JS template literal".

If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:

```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```

See https://github.com/golang/go/issues/59234

Fixes #11112
2023-06-15 23:04:33 +02:00
Bjørn Erik Pedersen
60a2cdf72d
Fix config merge regression with root slices (e.g. disableKinds)
Fixes #11089
2023-06-13 18:01:23 +02:00
Oleksandr Redko
b8526f32fa commands,config: Fix typo in log and error messages 2023-06-12 16:45:20 +02:00
Bjørn Erik Pedersen
b7dc93ca11
config: Remove unexpected _merge keys introduced in author and social maps
Fixes #11083
2023-06-12 14:30:43 +02:00
Bjørn Erik Pedersen
f210188da3 Upgrade to v2 of the Dart Sass Embedded Protocol
Fixes #11059
2023-06-12 13:47:38 +02:00
Bjørn Erik Pedersen
0ef2952846 commands: Add --lang to hugo config
Fixes #11057
2023-06-01 10:49:21 +02:00
Bjørn Erik Pedersen
e3ae8f025d Make sure any default mounts show up in "hugo config"
Fixes #11040
2023-06-01 10:49:21 +02:00
Bjørn Erik Pedersen
9cdca1f958 Fail on invalid defaultContentLanguage
Fixes #11044
2023-05-30 15:59:43 +02:00
Bjørn Erik Pedersen
6462eecfbd Avoid panic in invalid language config
Fixes #11046
2023-05-30 15:59:43 +02:00
Bjørn Erik Pedersen
a7d6b1413f Don't panic on empty yaml config params
Fixes #11047
2023-05-30 15:59:43 +02:00
Bjørn Erik Pedersen
e3dfc76fa8
Fix it so languageCode on top level config still works
This is common for monolingual sites, and we broke this in Hugo 0.112.4.

Fixes #11037
2023-05-28 18:42:10 +02:00
Bjørn Erik Pedersen
2c3d4dfb74 Add cache busting config to support Tailwind 3
Fixes #10974
2023-05-22 14:14:35 +02:00
Bjørn Erik Pedersen
2637b4ef4d Allow whitelisting mediaTypes used in resources.GetRemote
Fixes #10286
2023-05-20 20:16:45 +02:00
Bjørn Erik Pedersen
7c7baa6183 Add hugo.WorkingDir
Fixes #10969
2023-05-20 17:45:56 +02:00
Bjørn Erik Pedersen
4f085e80da Make language merging of markup etc. config without values in the root
Updates #10953
2023-05-20 12:40:32 +02:00
Bjørn Erik Pedersen
03cb38e6c6
Allow legacy taxonomyTerm in disableKinds
Updates #10953
2023-05-19 09:17:55 +02:00
Andreas Deininger
ad4bc969da Fix warn message about custom params on the language top level 2023-05-19 08:43:02 +02:00
Oleksandr Redko
610cedaa61 all: Fix comments for exported functions and packages 2023-05-18 21:25:27 +02:00
Bjørn Erik Pedersen
7c647bcaeb Allow empty params.mainSections
Updates #10953
2023-05-18 17:55:29 +02:00
Bjørn Erik Pedersen
3f00f47535 commands: Load config before creating the filesystem
To allow publishDir to be set in config file.
2023-05-18 15:38:25 +02:00
Bjørn Erik Pedersen
8a69ccbb00 commands: Improve the common build flag handling
Updates #10947
2023-05-17 22:13:29 +02:00
Bjørn Erik Pedersen
7ce033a89d Support, but warn, about top level language custom params
Updates #10947
2023-05-17 22:13:29 +02:00
Bjørn Erik Pedersen
05542130ba Handle transient errors in config loading etc.
As in: Get the Kubernetes site to build with the new Hugo version.

Updates #10947
2023-05-17 22:13:29 +02:00
Bjørn Erik Pedersen
241b21b0fd Create a struct with all of Hugo's config options
Primary motivation is documentation, but it will also hopefully simplify the code.

Also,

* Lower case the default output format names; this is in line with the custom ones (map keys) and how
it's treated all the places. This avoids doing `stringds.EqualFold` everywhere.

Closes #10896
Closes #10620
2023-05-16 18:01:29 +02:00
Oleksandr Redko
36ce3a4a9d Correct typos in Go comments 2023-03-02 16:32:32 +01:00
Bjørn Erik Pedersen
c6b3887696
config/security: Add O\w+ (e.g. GOROOT) to the default allowed list
Fixes #10429
2023-01-17 10:52:51 +01:00
Bjørn Erik Pedersen
f38a2fbd2e Make hugo.toml the new config.toml
Both will of course work, but hugo.toml will win if both are set.

We should have done this a long time ago, of course, but the reason I'm picking this up now is that my VS Code setup by default picks up some
JSON config schema from some random other software which also names its config files config.toml.

Fixes #8979
2023-01-16 15:34:16 +01:00
Bjørn Erik Pedersen
e402d91ee1 Misc doc, code refactoring to improve documentation 2023-01-04 18:01:26 +01:00
septs
dc44bca963
config/security: Add CI env var to whitelist 2022-12-02 12:13:34 +01:00
Ricardo N Feliciano
e3f31352d4
config/security: Fix filename 2022-10-02 12:52:04 +02:00
Mathieu Parent
86653fa38e
config/security: Allow proxy variables in subcommands
In particular for go get
2022-09-19 12:37:35 +02:00
Bjørn Erik Pedersen
a5cda5ca4d server: Add 404 support 2022-09-14 14:25:33 +02:00
Bjørn Erik Pedersen
fd75f129b2 deps: Update github.com/pelletier/go-toml/v2 v2.0.2 => v2.0.4
Closes #10210
2022-08-26 18:30:46 +02:00
Bjørn Erik Pedersen
87a22eb6d6 server: Fix SIGINT handling after loading bad configuration
Also fix the config error messages.

Fixes #9664
2022-05-15 22:58:05 +02:00
Bjørn Erik Pedersen
4b189d8fd9 postcss: Fix import error handling
Note that we will now fail if `inlineImports` is enabled and we cannot resolve an import.

You can work around this by either:

* Use url imports or imports with media queries.
* Set `skipInlineImportsNotFound=true` in the options

Also get the argument order in the different NewFileError* funcs in line.

Fixes #9895
2022-05-15 20:25:25 +02:00
Bjørn Erik Pedersen
5c96bda70a
errors: Misc improvements
* Redo the server error template
* Always add the content file context if relevant
* Remove some now superflous error string matching
* Move the server error template to _server/error.html
* Add file context (with position) to codeblock render blocks
* Improve JS build errors

Fixes #9892
Fixes #9891
Fixes #9893
2022-05-14 13:40:56 +02:00
Bjørn Erik Pedersen
f2946da9e8 Improve error messages, esp. when the server is running
* Add file context to minifier errors when publishing
* Misc fixes (see issues)
* Allow custom server error template in layouts/server/error.html

To get to this, this commit also cleans up and simplifies the code surrounding errors and files. This also removes the usage of `github.com/pkg/errors`, mostly because of https://github.com/pkg/errors/issues/223 -- but also because most of this is now built-in to Go.

Fixes #9852
Fixes #9857
Fixes #9863
2022-05-06 19:43:22 +02:00
Bjørn Erik Pedersen
d070bdf10f
Rework the Destination filesystem to make --renderStaticToDisk work
See #9626
2022-04-08 13:26:17 +02:00
Bjørn Erik Pedersen
0e305d6958 all: Use strings.Cut
Updates #9687
2022-03-21 09:32:35 +01:00
Bjørn Erik Pedersen
b80853de90
all: gofmt -w -r 'interface{} -> any' .
Updates #9687
2022-03-17 22:03:27 +01:00
Bjørn Erik Pedersen
ec8b767fa6 Remove Viper as a dependency 2022-02-23 22:40:23 +01:00
Bjørn Erik Pedersen
623dda7174 Revert "config/security: Add HOME to default exec env var whitelist"
There have been one report in the wild suggesting that this needs to be tested better before doing:

https://discourse.gohugo.io/t/hugo-mod-failing-in-v0-91-1-but-works-in-v0-91-0/36180/5

This reverts commit fca266ebbb.
2021-12-23 16:23:15 +01:00
Bjørn Erik Pedersen
fca266ebbb config/security: Add HOME to default exec env var whitelist
See #9309
2021-12-22 11:33:59 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Bjørn Erik Pedersen
f4ffeea71d Fix it so disableKinds etc. does not get merged in from theme
Unless the merge strategy is set up to do so.

For `disableKinds` the current workaround is to make sure the project config has an entry, even if is empty:

```
disableKinds = []
```

Note that this issue only touches root, non-map config-values that either is not set in project config or in Hugo's defaults.

Fixes #8866
2021-08-22 13:25:20 +02:00
Bjørn Erik Pedersen
d70c485707
Make sure module config loading errors have file positioning info
Fixes #8845
2021-08-03 09:57:14 +02:00
Bjørn Erik Pedersen
c7252224c4 Deprecate Blackfriday and fix a potential deadlock in config
Note that the deadlock has not been seen earlier, in tests on in real Hugo sites.

Fixes #8792
Fixes #8791
2021-07-26 16:28:16 +02:00
Bjørn Erik Pedersen
5cb52c2315 Add config.cascade
This commit adds support for using the `cascade` keyword in your configuration file(s), e.g. `config.toml`.

Note that

* Every feature of `cascade` is available, e.g. `_target` to target specific page sets.
* Pages, e.g. the home page, can overwrite the cascade defined in config.

Fixes #8741
2021-07-10 11:13:41 +02:00