f4389e48ce
This ommmit contains some security hardening measures for the Hugo build runtime.
There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".
For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.
These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.
You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.
The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.
```toml
[security]
enableInlineShortcodes = false
[security.exec]
allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']
[security.funcs]
getenv = ['^HUGO_']
[security.http]
methods = ['(?i)GET|POST']
urls = ['.*']
```
3.8 KiB
| title | description | date | layout | keywords | menu | weight | sections_weight | draft | aliases | toc | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Hugo's Security Model | A summary of Hugo's security model. | 2019-10-01 | single |
|
|
5 | 5 | false |
|
true |
Runtime Security
Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.
But when developing and building your site, the runtime is the hugo executable. Securing a runtime can be a real challenge.
Hugo's main approach is that of sandboxing and a security policy with strict defaults:
- Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
- Only the main project can walk symbolic links.
- User-defined components have only read-access to the filesystem.
- We shell out to some external binaries to support Asciidoctor and similar, but those binaries and their flags are predefined and disabled by default (see Security Policy). General functions to run arbitrary external OS commands have been discussed, but not implemented because of security concerns.
Security Policy
{{< new-in "0.91.0" >}}
Hugo has a built-in security policy that restricts access to os/exec, remote communication and similar.
The defdault configuration is listed below. And build using features not whitelisted in the security policy will faill with a detailed message about what needs to be done. Most of these settings are whitelists (string or slice, Regular Expressions or none which matches nothing).
{{< code-toggle config="security" />}}
Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:
HUGO_SECURITY_HTTP_URLS=none hugo
Dependency Security
Hugo builds as a static binary using Go Modules to manage its dependencies. Go Modules have several safeguards, one of them being the go.sum file. This is a database of the expected cryptographic checksums of all of your dependencies, including any transitive.
Hugo Modules is built on top of Go Modules functionality, and a Hugo project using Hugo Modules will have a go.sum file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of dependency tampering.
Web Application Security
These are the security threats as defined by OWASP.
For HTML output, this is the core security model:
https://golang.org/pkg/html/template/#hdr-Security_Model
In short:
Templates authors (you) are trusted, but the data you send in is not.
This is why you sometimes need to use the safe functions, such as safeHTML, to avoid escaping of data you know is safe.
There is one exception to the above, as noted in the documentation: If you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.
It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.
For content, the default Markdown renderer is configured to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.