mirror of
https://github.com/gohugoio/hugo.git
---
title: Hugo's Security Model
description: A summary of Hugo's security model.
date: 2019-10-01
layout: single
keywords: ["Security", "Privacy"]
menu:
  docs:
    parent: "about"
    weight: 4
weight: 5
sections_weight: 5
draft: false
aliases: [/security/]
toc: true
---

## Runtime Security

Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.

But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).

**Hugo's main approach is that of sandboxing:**

* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have only read access to the filesystem.
* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.

Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.

## Dependency Security

Hugo builds as a static binary using [Go Modules](https://github.com/golang/go/wiki/Modules) to manage its dependencies. Go Modules have several safeguards, one of them being the `go.sum` file. This is a database of the expected cryptographic checksums of all of your dependencies, including transitive ones.

[Hugo Modules](/hugo-modules/) is built on top of Go Modules functionality, and a Hugo project using Hugo Modules will have a `go.sum` file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of [dependency tampering](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/).
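As an added illustration (not Hugo's or the Go toolchain's own code), the Go program below computes the `h1:` checksum that a `go.sum` line pins for a module, following the Hash1 algorithm of `golang.org/x/mod/sumdb/dirhash`, and shows how a modified theme file fails the checksum comparison. The module name, version and file contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" checksum recorded in go.sum (the Hash1 algorithm of
// golang.org/x/mod/sumdb/dirhash): SHA-256 over "hex(sha256(content))  name\n" lines, sorted, base64-encoded.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verifySum checks module files against a go.sum line ("<module> <version> h1:<hash>").
// A mismatch is what makes a Hugo (or Go) build fail on a tampered dependency.
func verifySum(sumLine, module, version string, files map[string][]byte) error {
	f := strings.Fields(sumLine)
	if len(f) != 3 || f[0] != module || f[1] != version {
		return fmt.Errorf("go.sum line %q does not match %s@%s", sumLine, module, version)
	}
	if got := hash1(files); got != f[2] {
		return fmt.Errorf("checksum mismatch for %s@%s: want %s, got %s", module, version, f[2], got)
	}
	return nil
}

func main() {
	// Constructed stand-in for a small theme module; names carry the "<module>@<version>/" zip prefix.
	theme := map[string][]byte{
		"example.com/theme@v1.0.0/theme.toml":         []byte("name = \"theme\"\n"),
		"example.com/theme@v1.0.0/layouts/index.html": []byte("<h1>{{ .Title }}</h1>\n"),
	}
	line := "example.com/theme v1.0.0 " + hash1(theme) // the line go.sum would pin
	fmt.Println(verifySum(line, "example.com/theme", "v1.0.0", theme)) // <nil>
	theme["example.com/theme@v1.0.0/layouts/index.html"] = []byte("<h1>tampered</h1>\n")
	fmt.Println(verifySum(line, "example.com/theme", "v1.0.0", theme)) // checksum mismatch ...
}
```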

## Web Application Security

The threats considered here are the security threats as defined by [OWASP](https://en.wikipedia.org/wiki/OWASP).

For HTML output, the core security model is the one documented for Go's `html/template` package:

https://golang.org/pkg/html/template/#hdr-Security_Model

In short:

Template authors (you) are trusted, but the data you send in is not.

This is why you sometimes need to use the _safe_ functions, such as `safeHTML`, to avoid escaping data you know is safe.

There is one exception to the above, as noted in the documentation: if you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.

It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.
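An added example, not from the Hugo docs, that uses Go's `html/template` directly to show the model above: untrusted data is escaped according to the context it lands in, while a value marked as safe (`template.HTML`, which is what Hugo's `safeHTML` produces) passes through unchanged. The template strings and sample values are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render executes a template against one data value and returns the output.
// html/template escapes the value according to where it lands (text, attribute, URL),
// because the template text is trusted and the data is not.
func render(tmpl string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// asSafeHTML does what Hugo's safeHTML does: the template.HTML type tells the
// escaper the string is already safe HTML, so it is emitted unchanged.
func asSafeHTML(s string) template.HTML { return template.HTML(s) }

func main() {
	// Constructed sample values, as if read from front matter or a data file.
	out, _ := render("<p>{{ . }}</p>", "<script>alert(1)</script>")
	fmt.Println(out) // <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

	out, _ = render(`<a href="{{ . }}">link</a>`, "javascript:alert(1)")
	fmt.Println(out) // <a href="#ZgotmplZ">link</a>  (unsafe URL scheme replaced)

	out, _ = render("<div>{{ . }}</div>", asSafeHTML("<b>trusted markup</b>"))
	fmt.Println(out) // <div><b>trusted markup</b></div>
}
```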

For content, the default Markdown renderer is [configured](/getting-started/configuration-markup) to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.