---
title: Hugo's Security Model
description: A summary of Hugo's security model.
layout: single
keywords: ["Security", "Privacy"]
menu:
  docs:
    parent: about
    weight: 4
weight: 5
aliases: [/security/]
toc: true
---

## Runtime Security

Hugo produces static output, so once built, the runtime is the browser (assuming the output is HTML) and any server (API) that you integrate with.

But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).

**Hugo's main approach is that of sandboxing and a security policy with strict defaults:**

* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have read-only access to the filesystem.
* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.

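The first two rules above (only the main project may mount outside the project root, only the main project may walk symbolic links) can be expressed as a small path-confinement check. The following is an added illustration, not Hugo's own mount code: the `Component`, `ResolveMount`, `isWithin` and `rejectSymlinks` names are assumptions made for this example, and the temporary directory in `main` is constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Component identifies who is requesting filesystem access. Only the main
// project is trusted to mount outside the project root or to walk symlinks;
// themes and other third-party components are not. (Illustrative model only.)
type Component struct {
	Name        string
	MainProject bool
}

var (
	ErrOutsideRoot = errors.New("mount source resolves outside the project root")
	ErrSymlink     = errors.New("symbolic links may only be walked by the main project")
)

// ResolveMount applies the two rules to a requested mount source and returns
// the cleaned absolute path if the requester is permitted to use it.
func ResolveMount(root, requested string, c Component) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	abs := requested
	if !filepath.IsAbs(abs) {
		abs = filepath.Join(absRoot, requested)
	}
	abs = filepath.Clean(abs)

	if c.MainProject {
		// The main project may mount anywhere and follow symlinks.
		return abs, nil
	}
	if !isWithin(absRoot, abs) {
		return "", fmt.Errorf("%s: %q: %w", c.Name, requested, ErrOutsideRoot)
	}
	if err := rejectSymlinks(absRoot, abs); err != nil {
		return "", fmt.Errorf("%s: %w", c.Name, err)
	}
	return abs, nil
}

// isWithin reports whether abs is root itself or lexically below it.
func isWithin(root, abs string) bool {
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// rejectSymlinks Lstats every path element below root and fails on the first
// symlink, so a link placed inside a theme cannot be used to reach outside
// the root. Elements that do not exist yet have nothing to follow.
func rejectSymlinks(root, abs string) error {
	rel, _ := filepath.Rel(root, abs)
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if part == "." || part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if err != nil {
			if os.IsNotExist(err) {
				return nil
			}
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%s: %w", cur, ErrSymlink)
		}
	}
	return nil
}

func main() {
	// Constructed sample project root and requesters.
	root, _ := os.MkdirTemp("", "hugo-policy-demo")
	defer os.RemoveAll(root)
	theme := Component{Name: "themes/example-theme"}
	project := Component{Name: "main project", MainProject: true}
	for _, req := range []string{"content", "../outside"} {
		for _, c := range []Component{theme, project} {
			p, err := ResolveMount(root, req, c)
			fmt.Printf("%-22s %-12s -> %s %v\n", c.Name, req, p, err)
		}
	}
}
```

The lexical check alone is not enough: a symlink under the root that points outside it would pass `isWithin`, which is why the per-element `Lstat` walk is applied to every requester that is not the main project.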
## Security Policy

Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar.

The default configuration is listed below. Any build using features not in the allow list of the security policy will fail with a detailed message about what needs to be done. Most of these settings are allow lists (a string or a slice of [Regular Expressions](https://pkg.go.dev/regexp), or `none`, which matches nothing).

{{< code-toggle config="security" />}}

Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:

```txt
HUGO_SECURITY_HTTP_URLS=none hugo
```

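To make the allow-list semantics concrete (a list of regular expressions, or `none` matching nothing, with an actionable failure when a value is not allowed), here is an added, self-contained re-implementation. It is an illustration, not Hugo's own policy code: `AllowList`, `NewAllowList`, `Check` and `URLPolicyFromEnv` are names chosen for this example, the sample patterns and URLs are constructed, and the environment override is modelled as a single value only (how Hugo splits multi-valued overrides is not reproduced here).

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// AllowList models one security-policy setting: a list of regular
// expressions, or the single value "none", which matches nothing.
// Illustrative re-implementation, not Hugo's own code.
type AllowList struct {
	none     bool
	patterns []*regexp.Regexp
}

// NewAllowList compiles the configured values; a lone "none" disables the feature.
func NewAllowList(values ...string) (*AllowList, error) {
	if len(values) == 1 && strings.EqualFold(values[0], "none") {
		return &AllowList{none: true}, nil
	}
	al := &AllowList{}
	for _, v := range values {
		re, err := regexp.Compile(v)
		if err != nil {
			return nil, fmt.Errorf("security policy: invalid pattern %q: %w", v, err)
		}
		al.patterns = append(al.patterns, re)
	}
	return al, nil
}

// Allows reports whether value matches at least one pattern.
func (al *AllowList) Allows(value string) bool {
	if al.none {
		return false
	}
	for _, re := range al.patterns {
		if re.MatchString(value) {
			return true
		}
	}
	return false
}

// Check produces the kind of actionable failure a build should stop with.
func Check(setting string, al *AllowList, value string) error {
	if al.Allows(value) {
		return nil
	}
	return fmt.Errorf("access denied: %q is not allowed by security.%s; add a matching pattern to the allow list or keep it blocked", value, setting)
}

// URLPolicyFromEnv honours the HUGO_SECURITY_HTTP_URLS override shown above,
// treating the variable as one value (e.g. "none"); otherwise it uses the
// configured patterns. (Assumed simplification for this example.)
func URLPolicyFromEnv(configured ...string) (*AllowList, error) {
	if v, ok := os.LookupEnv("HUGO_SECURITY_HTTP_URLS"); ok {
		return NewAllowList(v)
	}
	return NewAllowList(configured...)
}

func main() {
	// Constructed sample policy: anchored patterns for exec, plus one
	// unanchored pattern to show why anchoring matters.
	execAllow, _ := NewAllowList(`^(dart-)?sass(-embedded)?$`, `^go$`)
	loose, _ := NewAllowList(`sass`)
	for _, bin := range []string{"dart-sass", "go", "bash", "not-sass-at-all"} {
		fmt.Printf("%-16s anchored=%-5v unanchored=%v\n", bin, execAllow.Allows(bin), loose.Allows(bin))
	}
	urls, _ := URLPolicyFromEnv(`^https://api\.example\.org/`)
	fmt.Println(Check("http.urls", urls, "https://untrusted.example.net/data.json"))
}
```

The unanchored pattern in `main` is the caveat worth keeping in mind when you widen an allow list: `regexp.MatchString` matches anywhere in the value, so `sass` admits any binary name containing that substring, while `^sass$` admits exactly one.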
## Dependency Security

Hugo is built as a static binary using [Go Modules](https://github.com/golang/go/wiki/Modules) to manage its dependencies. Go Modules have several safeguards, one of them being the `go.sum` file. This is a database of the expected cryptographic checksums of all of your dependencies, including transitive dependencies.

[Hugo Modules](/hugo-modules/) is a feature built on top of the functionality of Go Modules. Like Go Modules, a Hugo project using Hugo Modules will have a `go.sum` file. We recommend that you commit this file to your version control system. The Hugo build will fail if there is a checksum mismatch, which would be an indication of [dependency tampering](https://julienrenaux.fr/2019/12/20/github-actions-security-risk/).

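The `go.sum` checksums are `h1:` hashes: a SHA-256 over a sorted listing of each file's own SHA-256. The block below is an added walk-through of that format and of the mismatch check, not Go's or Hugo's own implementation (Go's lives in `golang.org/x/mod/sumdb/dirhash`); the `ModuleFiles`, `Hash1` and `VerifyChecksum` names are chosen for this example, and the module, version and file contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles is a constructed in-memory module: file name -> content. Go
// names files as "<module>@<version>/<path>" when hashing a module zip.
type ModuleFiles map[string][]byte

// Hash1 reproduces the "h1:" format used by go.sum: each file's SHA-256 is
// written as "<hex>  <name>\n" in sorted name order, and the SHA-256 of that
// listing is base64-encoded behind the "h1:" prefix. (Illustration of the
// algorithm, not the golang.org/x/mod code.)
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// VerifyChecksum compares the freshly computed hash with the pinned go.sum
// value and returns an error on mismatch, which is how tampering surfaces.
func VerifyChecksum(files ModuleFiles, pinned string) error {
	got := Hash1(files)
	if got != pinned {
		return fmt.Errorf("verifying module: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", got, pinned)
	}
	return nil
}

func main() {
	// Constructed sample module; module path, version and contents are made up.
	orig := ModuleFiles{
		"example.com/theme@v1.0.0/go.mod":     []byte("module example.com/theme\n\ngo 1.20\n"),
		"example.com/theme@v1.0.0/theme.toml": []byte("name = \"theme\"\n"),
	}
	pinned := Hash1(orig) // the value that would be committed in go.sum
	fmt.Println("example.com/theme v1.0.0", pinned)

	// The same module with one extra file, as a tampered download would look.
	tampered := ModuleFiles{}
	for k, v := range orig {
		tampered[k] = v
	}
	tampered["example.com/theme@v1.0.0/layouts/index.html"] = []byte("<!-- modified -->\n")
	fmt.Println(VerifyChecksum(tampered, pinned))
}
```

Because the listing is sorted by name and covers every file, adding, removing or editing any file in the module changes the hash, which is exactly what the committed `go.sum` lets a build detect.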
## Web Application Security

These are the security threats as defined by [OWASP](https://en.wikipedia.org/wiki/OWASP).

For HTML output, this is the core security model:

<https://pkg.go.dev/html/template#hdr-Security_Model>

In short:

Template and configuration authors (you) are trusted, but the data you send in is not.

This is why you sometimes need to use the _safe_ functions, such as `safeHTML`, to avoid escaping of data you know is safe.

There is one exception to the above, as noted in the documentation: If you enable inline shortcodes, you also say that the shortcodes and data handling in content files are trusted, as those macros are treated as pure text.

It may be worth adding that Hugo is a static site generator with no concept of dynamic user input.

For content, the default Markdown renderer is [configured](/getting-started/configuration-markup) to remove or escape potentially unsafe content. This behavior can be reconfigured if you trust your content.
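The "authors are trusted, data is not" rule is enforced by Go's `html/template`, which Hugo's HTML templating is built on: a plain string is escaped according to the context it lands in (HTML text, an `href` attribute, and so on), while a `template.HTML` value, which is what `safeHTML` produces, is emitted verbatim because the author has vouched for it. The following is an added demonstration written directly against `html/template`, not code from Hugo or its documentation; `PageData`, `Render` and `Demo` are names chosen for this example, the template is constructed, and the untrusted inputs are constructed samples of the kind a data file or remote API could return.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// PageData stands in for what a template receives. Title and Link are plain
// strings: data, hence untrusted and escaped per context. Snippet is
// template.HTML, the type safeHTML yields: the template author vouches for it.
type PageData struct {
	Title   string
	Link    string
	Snippet template.HTML
}

// pageTemplate is a constructed template with three different contexts:
// HTML text, a URL attribute, and a slot the author has declared trusted.
const pageTemplate = `<h1>{{ .Title }}</h1>
<a href="{{ .Link }}">read more</a>
<div class="trusted">{{ .Snippet }}</div>
`

// Render executes the template with html/template's contextual autoescaping.
func Render(d PageData) (string, error) {
	t, err := template.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, d); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Demo renders constructed untrusted inputs: markup in a text field, a
// non-http scheme in a link, and one fragment explicitly marked safe.
func Demo() (string, error) {
	return Render(PageData{
		Title:   `<script>alert("data")</script>`,
		Link:    `javascript:alert(1)`,
		Snippet: template.HTML(`<em>marked safe by the template author</em>`),
	})
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	// Expected: the title's angle brackets and quotes are entity-escaped, the
	// href becomes "#ZgotmplZ" (html/template's marker for a rejected URL),
	// and the trusted snippet appears unchanged.
	fmt.Print(out)
}
```

The same contextual rules are what make the inline-shortcode exception above matter: once content files are treated as trusted template text, nothing in this layer escapes what they emit.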