Commit graph

52 commits

Author SHA1 Message Date
Joachim Ansorg
a4b9f1a92c don't use path.Join, because it cleans the final path 2021-12-16 21:14:33 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Patrick Kollitsch
9369d13e59
modules: Improve error message 2021-11-10 09:32:17 +01:00
Bjørn Erik Pedersen
64e1613fb3 Fix panic when specifying multiple excludeFiles directives
Fixes #9076
2021-10-25 19:50:18 +02:00
Bjørn Erik Pedersen
471ed91c60 hugofs: Add includeFiles and excludeFiles to mount configuration
Fixes #9042
2021-10-20 05:00:17 +02:00
Bjørn Erik Pedersen
1cabf61ddf
modules: Add some help text to the 'unknown revision' error
I had a head scratching moment with this myself, so it's safe to say that others will.

See #6825
2021-09-17 09:34:35 +02:00
Bjørn Erik Pedersen
0fc2ce9e4b
Update to Go 1.17
Go 1.17 now lazy-loads dependencies when `go.mod` is version `go17`. This does not work for us for new projects started with `hugo mod init`.

Before this commit, starting a project with Go 1.17 with `hugo mod init` and then start adding dependencies with transitive dependencies to `config.toml` would treat the transitive dependencies as new, and you would potentially get a too recent version of those.

Note that this does not affect existing projects, where all dependencies are already recorded in `go.mod`.

Fixes #8930
2021-08-31 11:19:51 +02:00
Bjørn Erik Pedersen
d70c485707
Make sure module config loading errors have file positioning info
Fixes #8845
2021-08-03 09:57:14 +02:00
Bjørn Erik Pedersen
022c479551
hugofs: Make FileMeta a struct
This commit started out investigating a `concurrent map read write` issue, ending by replacing the map with a struct.

This is easier to reason about, and it's more effective:

```
name                                  old time/op    new time/op    delta
SiteNew/Regular_Deep_content_tree-16    71.5ms ± 3%    69.4ms ± 5%    ~     (p=0.200 n=4+4)

name                                  old alloc/op   new alloc/op   delta
SiteNew/Regular_Deep_content_tree-16    29.7MB ± 0%    27.9MB ± 0%  -5.82%  (p=0.029 n=4+4)

name                                  old allocs/op  new allocs/op  delta
SiteNew/Regular_Deep_content_tree-16      313k ± 0%      303k ± 0%  -3.35%  (p=0.029 n=4+4)
```

See #8749
2021-07-15 17:14:26 +02:00
Bjørn Erik Pedersen
40dfdd0952
modules: Add module.import.noMounts config
Fixes #8708
2021-06-28 10:39:52 +02:00
Bjørn Erik Pedersen
3a6dc6d3f4
modules: Use value type for module.Time
Which is in line with how we do it elsewhere.
2021-06-27 18:06:52 +02:00
Bjørn Erik Pedersen
6cd2110ab2
commands: Add version time to "hugo config mounts" 2021-06-27 18:00:20 +02:00
Bjørn Erik Pedersen
bb2aa08709 Implement configuration in a directory for modules
Fixes #8654
2021-06-18 12:54:30 +02:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctness, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Shohei Ueda
504c78da4b
modules/npm: Change SetEscapeHTML to false
Closes #8512
2021-05-09 00:20:28 +02:00
Bjørn Erik Pedersen
bdfbcf6f4b modules: Add config option modules.vendorClosest
Fixes #8235
Fixes #8242
2021-02-16 16:30:01 +01:00
Bjørn Erik Pedersen
3a5ee0d2d6
modules: Allow absolute paths for any modules resolved via project replacement
Fixes #8240
2021-02-15 11:11:34 +01:00
Bjørn Erik Pedersen
4ffaeaf155
modules: Throw an error running hugo mod vendor on mountless module 2021-02-15 10:47:32 +01:00
Bjørn Erik Pedersen
cea1574023
Add Dart Sass support
But note that the Dart Sass Embedded Protocol is still in beta (beta 5), a main release scheduled for Q1 2021.

Fixes #7380
Fixes #8102
2020-12-30 17:32:25 +01:00
Bjørn Erik Pedersen
10ae7c3210
Improve LookPath 2020-12-19 17:03:07 +01:00
Phil Davis
04b89857e1
all: Fix minor typos 2020-12-16 12:11:32 +01:00
Bjørn Erik Pedersen
d90e37e0c6 all: Format code with gofumpt
See https://github.com/mvdan/gofumpt
2020-12-03 13:12:58 +01:00
Bjørn Erik Pedersen
beabc8d998
modules: Allow absolute paths for project imports
Fixes #7910
2020-10-30 10:14:08 +01:00
Bjørn Erik Pedersen
173187e263
Add module.replacements
Fixes #7904
Fixes #7908
2020-10-30 09:41:05 +01:00
Bjørn Erik Pedersen
fdfa4a5fe6 Allow getJSON errors to be ignored
This change is mostly motivated to get a more stable CI build (we're building the Hugo site there, with Instagram and Twitter shortcodes sometimes failing).

Fixes #7866
2020-10-22 09:09:29 +02:00
Bjørn Erik Pedersen
214afe4c1b modules/npm: Preserve the original package.json if it exists
Fixes #7690
2020-09-15 01:04:31 +02:00
Bjørn Erik Pedersen
85ba9bfffb Add "hugo mod npm pack"
This commit also introduces a convention where these common JS config files, including `package.hugo.json`, get mounted into:

```
assets/_jsconfig
```

These files mapped to their real filename will be added to the environment when running PostCSS, Babel etc., so you can do `process.env.HUGO_FILE_TAILWIND_CONFIG_JS` to resolve the real filename.

But do note that `assets` is a composite/union filesystem, so if your config file is not meant to be overridden, name them something specific.

This commit also adds `workDir/node_modules` to `NODE_PATH` and `HUGO_WORKDIR` to the env when running the JS tools above.

Fixes #7644
Fixes #7656
Fixes #7675
2020-09-13 20:55:29 +02:00
Bjørn Erik Pedersen
d4611c4322 modules: Add noVendor to module config
Fixes #7647
2020-09-10 08:47:05 +02:00
Bjørn Erik Pedersen
20af9a0781 modules: Add ignoreImports to module imports config
Fixes #7646
2020-09-10 08:47:05 +02:00
Bjørn Erik Pedersen
9a1e6d15a3 modules: Make ignoreVendor a glob pattern
Fixes #7642
2020-09-10 08:47:05 +02:00
Bjørn Erik Pedersen
ec37420468 Improve stderr logging for PostCSS and similar
Fixes #7584
2020-08-20 22:32:20 +02:00
Bjørn Erik Pedersen
d8d6a25b57
modules: Fix hugo mod vendor for regular file mounts
Fixes #7140
2020-04-07 10:13:55 +02:00
Bjørn Erik Pedersen
dce210ab56
modules: Improve "hugo mod clean"
* Only clean project modules
* Optional glob pattern of module paths to clean

Closes #6907
2020-02-19 17:14:35 +01:00
Bjørn Erik Pedersen
0b96aba022
commands: Add "hugo mod verify"
See #6907
2020-02-19 17:14:35 +01:00
Bjørn Erik Pedersen
20f2211fce
modules: Do not try to get local themes in "hugo mod get"
Fixes #6893
2020-02-18 14:08:58 +01:00
Bjørn Erik Pedersen
49ef647203 modules: Fix "hugo mod get -u" with no arguments
Fixes #6826
Closes #6825
2020-01-30 17:15:35 +01:00
Bjørn Erik Pedersen
ad6504e6b5 Fix abs path handling in module mounts
Fixes #6622
2019-12-19 18:51:59 +01:00
Bjørn Erik Pedersen
14a1de14fb
modules: Add some more output if modules download takes time
Closes #6519
2019-11-27 09:51:47 +01:00
Bjørn Erik Pedersen
2dcc1318d1 Add some more output if loading modules takes time
Also include the time to collect modules etc. in the "Total in ..." time reported for the `hugo` command.

Fixes #6519
2019-11-21 18:11:07 +01:00
Bjørn Erik Pedersen
20ec9fa2bb
modules: Do not check for remote modules if main project is vendored
Fixes #6506
2019-11-14 12:24:55 +01:00
Bjørn Erik Pedersen
43298f028c Make the "is this a Hugo Module" logic more lenient
Now we only try to load modules via Go if there is one or more modules imported in project config.

Fixes #6299
2019-09-03 15:12:33 +02:00
Bjørn Erik Pedersen
321418f22a
modules: Disable "auto tidy" for now
See #6115
2019-08-15 16:50:02 +02:00
Bjørn Erik Pedersen
6315098104 modules: Do not fail build on errors in theme.toml
Fixes #6162
2019-08-13 18:09:11 +02:00
Bjørn Erik Pedersen
9e57182705
tests: Convert from testify to quicktest 2019-08-12 13:26:32 +02:00
XhmikosR
f7f549e3a7 Fix assorted typos 2019-08-01 13:55:48 +02:00
Bjørn Erik Pedersen
d7c233afee commands: Add "hugo config mounts" command
This prints the effective file mounts in a project.

Fixes #6144
2019-07-31 12:10:05 +02:00
Bjørn Erik Pedersen
4b6c5eba30 Move the mount duplicate filter to the modules package
Also simplify the mount validation logic. There are plenty of ways a user can create mount configs that behave oddly.
2019-07-31 12:10:05 +02:00
Bjørn Erik Pedersen
36220851e4 Fix self-mounts on the main project
Fixes #6143
2019-07-31 12:10:05 +02:00
Bjørn Erik Pedersen
e5fe378925
modules: Set GO111MODULE=on
Fixes #6114
2019-07-26 10:55:50 +02:00
Bjørn Erik Pedersen
87a07282a2
modules: Gofmt 2019-07-24 23:31:30 +02:00