Commit graph

41 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
1651beb2c1 Remove mmark
Closes #9350
2022-01-04 17:10:39 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctnes, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Bjørn Erik Pedersen
d90e37e0c6 all: Format code with gofumpt
See https://github.com/mvdan/gofumpt
2020-12-03 13:12:58 +01:00
Derk Muenchhausen
f0266e2ef3
Rework external asciidoctor integration
This commit solves the relative path problem with asciidoctor tooling. An include will resolve relatively, so you can refer easily to files in the same folder.

Also `asciidoctor-diagram` and PlantUML rendering works now, because the created temporary files will be placed in the correct folder.

This patch covers just the Ruby version of asciidoctor. The old AsciiDoc CLI EOLs in Jan 2020, so this variant is removed from code.

The configuration is completely rewritten and now available in `config.toml` under the key `[markup.asciidocext]`:

```toml
[markup.asciidocext]
    extensions = ["asciidoctor-html5s", "asciidoctor-diagram"]
    workingFolderCurrent = true
    trace = true
    [markup.asciidocext.attributes]
        my-base-url = "https://example.com/"
        my-attribute-name = "my value"
```

- backends, safe-modes, and extensions are now whitelisted to the popular (ruby) extensions and valid values.
- the default for extensions is to not enable any, because they're all external dependencies so the build would break if the user didn't install them beforehand.
- the default backend is html5 because html5s is an external gem dependency.
- the default safe-mode is safe, explanations of the modes: https://asciidoctor.org/man/asciidoctor/
- the config is namespaced under asciidocext_config and the parser looks at asciidocext to allow a future native Go asciidoc.
- `uglyUrls=true` option and `--source` flag are supported
- `--destination` flag is required

Follow the updated documentation under `docs/content/en/content-management/formats.md`. 
  
This patch would be a breaking change, because you need to correct all your absolute include pathes to relative paths, so using relative paths must be configured explicitly by setting `workingFolderCurrent = true`.
2020-06-25 09:51:33 +02:00
Bjørn Erik Pedersen
0efb00c2a8 tpl/partials: Allow any key type in partialCached
Fixes #6572
2019-12-03 00:13:47 +01:00
Bjørn Erik Pedersen
bfb9613a14
Add Goldmark as the new default markdown handler
This commit adds the fast and CommonMark compliant Goldmark as the new default markdown handler in Hugo.

If you want to continue using BlackFriday as the default for md/markdown extensions, you can use this configuration:

```toml
[markup]
defaultMarkdownHandler="blackfriday"
```

Fixes #5963
Fixes #1778
Fixes #6355
2019-11-23 14:12:24 +01:00
Bjørn Erik Pedersen
9e57182705
tests: Convert from testify to quicktest 2019-08-12 13:26:32 +02:00
Bjørn Erik Pedersen
9f5a92078a
Add Hugo Modules
This commit implements Hugo Modules.

This is a broad subject, but some keywords include:

* A new `module` configuration section where you can import almost anything. You can configure both your own file mounts nd the file mounts of the modules you import. This is the new recommended way of configuring what you earlier put in `configDir`, `staticDir` etc. And it also allows you to mount folders in non-Hugo-projects, e.g. the `SCSS` folder in the Bootstrap GitHub project.
* A module consists of a set of mounts to the standard 7 component types in Hugo: `static`, `content`, `layouts`, `data`, `assets`, `i18n`, and `archetypes`. Yes, Theme Components can now include content, which should be very useful, especially in bigger multilingual projects.
* Modules not in your local file cache will be downloaded automatically and even "hot replaced" while the server is running.
* Hugo Modules supports and encourages semver versioned modules, and uses the minimal version selection algorithm to resolve versions.
* A new set of CLI commands are provided to manage all of this: `hugo mod init`,  `hugo mod get`,  `hugo mod graph`,  `hugo mod tidy`, and  `hugo mod vendor`.

All of the above is backed by Go Modules.

Fixes #5973
Fixes #5996
Fixes #6010
Fixes #5911
Fixes #5940
Fixes #6074
Fixes #6082
Fixes #6092
2019-07-24 09:35:53 +02:00
Bjørn Erik Pedersen
597e418cb0
Make Page an interface
The main motivation of this commit is to add a `page.Page` interface to replace the very file-oriented `hugolib.Page` struct.
This is all a preparation step for issue  #5074, "pages from other data sources".

But this also fixes a set of annoying limitations, especially related to custom output formats, and shortcodes.

Most notable changes:

* The inner content of shortcodes using the `{{%` as the outer-most delimiter will now be sent to the content renderer, e.g. Blackfriday.
  This means that any markdown will partake in the global ToC and footnote context etc.
* The Custom Output formats are now "fully virtualized". This removes many of the current limitations.
* The taxonomy list type now has a reference to the `Page` object.
  This improves the taxonomy template `.Title` situation and make common template constructs much simpler.

See #5074
Fixes #5763
Fixes #5758
Fixes #5090
Fixes #5204
Fixes #4695
Fixes #5607
Fixes #5707
Fixes #5719
Fixes #3113
Fixes #5706
Fixes #5767
Fixes #5723
Fixes #5769
Fixes #5770
Fixes #5771
Fixes #5759
Fixes #5776
Fixes #5777
Fixes #5778
2019-03-23 18:51:22 +01:00
Bjørn Erik Pedersen
822dc627a1
tpl/transform: Add transform.Unmarshal func
Fixes #5428
2018-12-23 10:02:42 +01:00
Bjørn Erik Pedersen
80230f26a3
Add support for theme composition and inheritance
This commit adds support for theme composition and inheritance in Hugo.

With this, it helps thinking about a theme as a set of ordered components:

```toml
theme = ["my-shortcodes", "base-theme", "hyde"]
```

The theme definition example above in `config.toml` creates a theme with the 3 components with presedence from left to right.

So, Hugo will, for any given file, data entry etc., look first in the project, and then in `my-shortcode`, `base-theme` and lastly `hyde`.

Hugo uses two different algorithms to merge the filesystems, depending on the file type:

* For `i18n` and `data` files, Hugo merges deeply using the translation id and data key inside the files.
* For `static`, `layouts` (templates) and `archetypes` files, these are merged on file level. So the left-most file will be chosen.

The name used in the `theme` definition above must match a folder in `/your-site/themes`, e.g. `/your-site/themes/my-shortcodes`. There are  plans to improve on this and get a URL scheme so this can be resolved automatically.

Also note that a component that is part of a theme can have its own configuration file, e.g. `config.toml`. There are currently some restrictions to what a theme component can configure:

* `params` (global and per language)
* `menu` (global and per language)
* `outputformats` and `mediatypes`

The same rules apply here: The left-most param/menu etc. with the same ID will win. There are some hidden and experimental namespace support in the above, which we will work to improve in the future, but theme authors are encouraged to create their own namespaces to avoid naming conflicts.

A final note: Themes/components can also have a `theme` definition in their `config.toml` and similar, which is the "inheritance" part of this commit's title. This is currently not supported by the Hugo theme site. We will have to wait for some "auto dependency" feature to be implemented for that to happen, but this can be a powerful feature if you want to create your own theme-variant based on others.

Fixes #4460
Fixes #4450
2018-06-10 23:55:20 +02:00
Bjørn Erik Pedersen
612dcc1944
helpers: Avoid writing the last MD5 buff part twice 2017-12-28 22:52:27 +01:00
Bjørn Erik Pedersen
e50a8c7a14 resource: Use MD5 to identify image files
But only a set of byte chunks spread around in the image file to calculate the fingerprint, which is much faster than reading the whole file:

```bash
BenchmarkMD5FromFileFast/full=false-4         	  300000	      4356 ns/op	     240 B/op	       5 allocs/op
BenchmarkMD5FromFileFast/full=true-4          	   30000	     42899 ns/op	   32944 B/op	       5 allocs/op
```

Fixes #4186
2017-12-28 17:41:51 +01:00
Brian Chen
e69da7a4cb Add Pandoc support, refactor external helpers
Recognize the Pandoc format under the file extension .pandoc or .pdc,
and shell out to pandoc as an external helper to format Pandoc content.

Refactor out repeated code with external helpers. Change the error
output formatting. I did not see any of the external helpers print the
string "<input>" to represent stdin as a file; just prepending the file
name to error output is more general and doesn't sacrifice that much in
terms of readability.

Closes #234
2017-11-30 12:15:52 +01:00
Bjørn Erik Pedersen
8fb594bfb0 Make the title case style guide configurable
This works for the `title` func and the other places where Hugo makes title case.

* AP style (new default)
* Chicago style
* Go style (what we have today)

Fixes #989
2017-07-31 22:16:46 +02:00
Bjørn Erik Pedersen
a1d260b41a hugolib: Extend the sections API
This commit adds some section related methods that have been asked for:

* .CurrentSection
* .IsDescendant
* .IsAncestor

Fixes #3591
2017-07-04 09:11:49 +02:00
Cameron Moore
de7c32a1a8 tpl: Add template function namespaces
This commit moves almost all of the template functions into separate
packages under tpl/ and adds a namespace framework.  All changes should
be backward compatible for end users, as all existing function names in
the template funcMap are left intact.

Seq and DoArithmatic have been moved out of the helpers package and into
template namespaces.

Most of the tests involved have been refactored, and many new tests have
been written.  There's still work to do, but this is a big improvement.

I got a little overzealous and added some new functions along the way:

- strings.Contains
- strings.ContainsAny
- strings.HasSuffix
- strings.TrimPrefix
- strings.TrimSuffix

Documentation is forthcoming.

Fixes #3042
2017-04-30 10:56:38 +02:00
Chase Adams
86e8dd62f0 all: Add org-mode support
Fixes #1483 
See #936
2017-02-21 08:46:03 +01:00
Bjørn Erik Pedersen
40b1b8f703 Fix case issue Viper vs Blackfriday config
There are still work to be done in the case department, but that will have to be another day.

Fixes #2581
See https://github.com/spf13/viper/issues/261
2016-10-16 19:28:21 +02:00
Cameron Moore
e2aea65170 helpers: Remove ToReader funcs
Remove StringToReader and BytesToReader in favor of using the stdlib directly.
2016-06-25 17:57:05 -05:00
Bjørn Erik Pedersen
91ffc76b24 helpers: Remove unused code 2016-03-14 15:20:36 +01:00
Anthony Fok
8509727fe8 Add copyright header to that source files that don’t have one.
See #1646
2015-12-10 15:19:38 -07:00
Bjørn Erik Pedersen
831e936846 Improve "watching for ..." logging 2015-11-23 16:32:06 +01:00
Bjørn Erik Pedersen
8d8fa7222f Remove some superficial tests 2015-11-19 20:27:02 +01:00
bep
be7404e337 Support Fish and Chips section
Section names are also used as the title of the list pages, but naming section folders as `Fish and Chips` and similar didn't work very well.

This commit fixes that.

This commit also changes the title casing of the section titles. Some may argue that this is a breaking change, but the old behaviour was also pretty broken,
even for languages that use title capitalizations, as it didn't follow any particular style guide, `fish and chips` became `Fish And Chips` etc.

Now it just turns the first letter into upper case, so `Fish and Chips` will be left as `Fish and Chips`.

People wanting the good old behaviour can use the `title` template func.

Fixes #1176
2015-05-28 23:05:17 +02:00
bep
a52e508d46 Update test logs for uniformity and consistency
Many minor fixes to make test logs more consistent and correct a
mispelling.

Standardize on "[%i] got X but expected Y" for log messages. Using
a consistent layout makes it easier to read the test results. This
was mostly changing "Got" to "got". Swapped the order of values on
several calls to bring them in line with the convention.

A few log messages had a sequence number added to identify the
exact scenario that failed. Otherwise, there would be no way to
ascertain which failed When there are many scenarios.

Correct spelling of "expected."

Fixes #1028
Merged be2097e1ad

[close #1040]
2015-05-08 22:27:00 -04:00
Anthony Fok
563a6302a0 Very experimental support for mmark
Either name the content files as `*.mmark`,
or add `markup = "mmark"` in the front matter
of your `*.md` content files.
2015-05-08 22:05:41 -04:00
bep
bea42218b6 helpers: fix some go vet errors 2015-04-03 21:20:25 +02:00
bep
be21e2cbed Add some more corner tests for ReaderContains 2015-03-30 01:22:09 +02:00
bep
be6696c34b Handle views in combo with Ace base templates
As views looks like a regular template, but doesn't need a base template, we have to look inside it.

Altough really not needed by this commit, reading the full file content into memory just to do a substring search is a waste.
So this commit implements a `ReaderContains` func that in most cases should be much faster than doing an `ioutil.ReadAll` and `bytes.Contains`:

```
benchmark                   old ns/op     new ns/op     delta
BenchmarkReaderContains     78452         20260         -74.18%

benchmark                   old allocs     new allocs     delta
BenchmarkReaderContains     46             20             -56.52%

benchmark                   old bytes     new bytes     delta
BenchmarkReaderContains     46496         1258          -97.29%
```

Fixes #999
2015-03-29 21:12:13 +02:00
bep
9688ed2585 Comment out shaky Seq test 2015-03-18 12:42:00 +01:00
bep
e39a258ec4 Improve type handling in Seq 2015-03-18 11:30:37 +01:00
bep
0be2aade99 Add Seq template func
Very similar to GNU's seq.

Fixes #552

Conflicts:
	tpl/template.go
2015-03-12 22:08:36 -04:00
Anthony Fok
358dcce7a6 Experimental AsciiDoc support with external helpers
See #470

 * Based on existing support for reStructuredText files

 * Handles content files with extensions `.asciidoc` and `.ad`

 * Pipes content through `asciidoctor --safe -`.
   If `asciidoctor` is not installed, then `asciidoc --safe -`.

 * To make sure `asciidoctor` or `asciidoc` is found, after adding
   a piece of AsciiDoc content, run `hugo` with the `-v` flag
   and look for this message:

        INFO: 2015/01/23 Rendering with /usr/bin/asciidoctor ...

Caveats:

 * The final "Last updated" timestamp is currently not stripped.

 * When `hugo` is run with `-v`, you may see a lot of these messages

        INFO: 2015/01/23 Rendering with /usr/bin/asciidoctor ...

   if you have lots of `*.ad`, `*.adoc` or `*.asciidoc` files.

 * Some versions of `asciidoc` may have trouble with its safe mode.
   To test if you are affected, try this:

        $ echo "Hello" | asciidoc --safe -
        asciidoc: ERROR: unsafe: ifeval invalid
        asciidoc: FAILED: ifeval invalid safe document

   If so, I recommend that you install `asciidoctor` instead.

Feedback and patches welcome!

Ideally, we should be using https://github.com/VonC/asciidocgo,
@VonC's wonderful Go implementation of Asciidoctor.  However,
there is still a bit of work needed for asciidocgo to expose
its API so that Hugo can actually use it.

Until then, hope this "experimental AsciiDoc support through external
helpers" can serve as a stopgap solution for our community. :-)

2015-01-30: Updated for the replaceShortcodeTokens() syntax change
2015-02-21: Add `.adoc` extension as suggested by @Fale

Conflicts:
	helpers/content.go
2015-03-12 22:01:49 -04:00
bep
bd2b679eaf helpers: apply some Golint rules 2015-03-07 00:02:06 +01:00
bep
103ea842f8 Fix errors reported by Go Vet 2015-03-06 15:25:19 +01:00
bep
420c9e4d3d Add writable context to Node
The variable scope in the Go templates makes it hard, if possible at all, to write templates with counter variables or similar state.

This commit fixes that by adding a writable context to Node, backed by a map: Scratch.

This context has three methods, Get, Set and Add. The Add is tailored for counter variables, but can be used for any built-in numeric values or strings.
2015-01-31 22:01:30 +01:00
bep
9e688507a7 Add more tests to general helper 2015-01-20 18:13:47 +01:00
Marek Stanley
49f5eb5c84 Moved a test regarding a content.go function to a new test file content_test.go.
Added some tests for general helpers, especially as a way to document the expected behavior,
and as a warm-up welcome contribution.
2015-01-09 12:42:13 +01:00
Owen Waller
57cd953997 Added the general modules test files
Added the new general module's test file, general_test.go. This replaces the
helpers_test.go file.

There is also a minor defect fix in general.go's StripHTML function.
The correct xhtml tag for a break is <br /> not </br>. I've also removed
the unnecessary spaces before the replacement "\n".

The new test module also reflects this change.

Conflicts:
	helpers/general.go
2014-11-04 11:13:41 -05:00