Commit graph

11 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
8859be1c01
Merge commit '87de22d7464e239c775fbd48ebce1665d5b1e80d' 2023-07-29 11:17:28 +02:00
Bjørn Erik Pedersen
b95e156940
Merge commit 'f96384a3b596f9bc0a3a035970b09b2c601f0ccb' 2023-05-22 16:47:07 +02:00
Bjørn Erik Pedersen
97b010f521
Merge commit '336622d5e7afd9334cd2de7150d4f16bdf7c24f9' 2023-03-01 11:56:07 +01:00
Bjørn Erik Pedersen
f04cc581e1
Merge commit '00c4484c7092181729f6f470805bc7d72e8ad17b' 2022-11-17 16:16:19 +01:00
Bjørn Erik Pedersen
d7497b28c1
Merge commit 'd276e901b36d2576ef8350ed96b17f66254eac1b' 2022-03-26 11:04:57 +02:00
Bjørn Erik Pedersen
c707b71cdf
Merge commit '230a495941b191af0bdaa7e2fc8c61607cb38207' 2022-02-14 12:58:42 +01:00
Bjørn Erik Pedersen
098254f175
Merge commit 'a8e9fc699a6ff7d578f97a7c553ce844efad8fdb' 2022-01-12 08:16:35 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Bjørn Erik Pedersen
0a9172672a
Merge commit 'efa74c5c6e6ff1daddeb5834ea7c69bed2acf171' 2020-06-16 14:19:31 +02:00
Onur Yaman
cd4d820201 docs: Fix typo in Hugo's Security Model 2020-04-18 14:16:42 +02:00
Bjørn Erik Pedersen
740b72558b
Merge commit '8a4005cf2b0ef34265ff8051a6b76226685fc226' 2019-12-22 22:51:45 +01:00