The world’s fastest framework for building websites.
Bjørn Erik Pedersen f4389e48ce
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
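
How an allowlist of this shape behaves, as an added example that is not part of the commit or of Hugo's source. The `Allowlist` type and its functions are hypothetical, and the example assumes patterns are applied as an unanchored Go regexp search, with `none` rejecting everything.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allowlist is a hypothetical type for this example, not Hugo's own code.
type Allowlist struct {
	none     bool
	patterns []*regexp.Regexp
}

// NewAllowlist compiles the patterns (panics on a bad one); "none" blocks all.
func NewAllowlist(patterns ...string) Allowlist {
	var a Allowlist
	for _, p := range patterns {
		if p == "none" {
			return Allowlist{none: true}
		}
		a.patterns = append(a.patterns, regexp.MustCompile(p))
	}
	return a
}

// Accept does an unanchored search (an assumption): only ^ and $ pin the match.
func (a Allowlist) Accept(name string) bool {
	if a.none {
		return false
	}
	for _, re := range a.patterns {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

func main() {
	// Patterns copied from the default configuration above.
	execAllow := NewAllowlist(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`)
	osEnv := NewAllowlist(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`)
	getenv := NewAllowlist(`^HUGO_`)
	fmt.Println(execAllow.Accept("go"), execAllow.Accept("asciidoctor"), execAllow.Accept("gofmt"))
	fmt.Println(osEnv.Accept("Path"), osEnv.Accept("AWS_SECRET_ACCESS_KEY"))
	fmt.Println(getenv.Accept("HUGO_ENV"), getenv.Accept("MY_HUGO_TOKEN"))
	// Constructed pattern: without anchors, "go" also accepts "gofmt".
	fmt.Println(NewAllowlist(`go`).Accept("gofmt"), NewAllowlist("none").Accept("go"))
}
```

When writing your own patterns for the `security` section, anchor them with `^` and `$` unless a prefix or substring match is what you intend.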
.circleci Update to Go 1.17.5 2021-12-10 10:36:02 +01:00
.github Update to Go 1.17 2021-08-31 11:19:51 +02:00
bufferpool tests: Convert from testify to quicktest 2019-08-12 13:26:32 +02:00
cache Remove the retries on error in remote resources.Get 2021-12-10 11:10:41 +01:00
codegen all: Fix minor typos 2020-12-16 12:11:32 +01:00
commands commands: Make sure pollInterval is always set 2021-11-13 21:45:51 +01:00
common Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
compare all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
config Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
create Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
deploy Remove debug statement 2021-12-11 22:59:36 +01:00
deps Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
docs Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
docshelper Some minify configuration adjustments 2020-03-20 20:35:57 +01:00
examples examples: Remove unneeded meta tag from blog example 2020-11-24 20:20:04 +01:00
helpers Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
htesting Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
hugofs Fix content dir resolution when main project is a Hugo Module 2021-11-16 20:42:34 +01:00
hugolib Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
identity all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
langs Validate private use language tags 2021-12-02 16:30:53 +01:00
lazy lazy: Reset error in Reset 2021-12-02 18:06:19 +01:00
livereload all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
markup Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
media Improve handling of remote image/jpeg resources (#9278) 2021-12-13 08:55:15 +01:00
metrics all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
minifiers Pass minification errors to the user 2021-09-22 20:54:40 +02:00
modules Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
navigation Improve handling of <nil> Params 2021-07-30 21:07:52 +02:00
output output: Make WebAppManifestFormat NotAlternative=true 2021-06-18 13:19:37 +02:00
parser parser: Add a test case in format resolution 2021-12-03 10:34:34 +01:00
publisher Misc config loading fixes 2021-06-14 17:00:32 +02:00
related Misc config loading fixes 2021-06-14 17:00:32 +02:00
releaser releaser: Simplify the release process 2021-12-08 09:38:15 +01:00
resources Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
scripts/fork_go_templates Pull in latest Go 1.16 template source 2021-02-18 14:11:48 +01:00
snap releaser: Prepare repository for 0.91.0-DEV 2021-12-10 11:42:18 +00:00
source source: Make ContentBaseName() return the directory for branch bundles 2021-11-01 21:06:39 +01:00
temp releaser: Prepare repository for 0.91.0-DEV 2021-12-10 11:42:18 +00:00
tpl Add some basic security policies with sensible defaults 2021-12-16 09:40:22 +01:00
transform all: Fix minor typos 2020-12-16 12:11:32 +01:00
watcher Add polling as a fallback to native filesystem events in server watch 2021-07-04 16:12:28 +02:00
.dockerignore Support Docker args TAGS, WORKDIR, CGO; speed up repetitive builds 2019-02-22 11:53:17 -08:00
.gitattributes .gitattributes: Exclude *.svg from CRLF/LF conversion 2018-07-09 21:06:15 -06:00
.gitignore Squashed 'docs/' changes from 316cec249..4eb10c1a9 2021-12-13 21:04:12 +01:00
.gitmodules Remove the theme submodule from /docs 2017-08-10 14:54:19 +02:00
.mailmap Add .mailmap to get a more correct author log 2015-01-28 16:50:36 +01:00
bench.sh Add GOEXE to support building with different versions of go 2017-07-16 00:35:15 +02:00
benchbep.sh Add Hugo Modules 2019-07-24 09:35:53 +02:00
benchSite.sh all: Fix minor typos 2020-12-16 12:11:32 +01:00
bepdock.sh build: Update the temp docker script 2018-09-24 12:41:12 +02:00
CONTRIBUTING.md Update CONTRIBUTING.md 2021-02-25 11:50:08 +01:00
Dockerfile Fix Dockerfile 2021-12-12 14:45:08 +01:00
go.mod Squashed 'docs/' changes from 316cec249..4eb10c1a9 2021-12-13 21:04:12 +01:00
go.sum Squashed 'docs/' changes from 316cec249..4eb10c1a9 2021-12-13 21:04:12 +01:00
goreleaser-hook-post-linux.sh releaser: Update to Go go1.17.2 2021-10-10 16:53:44 +02:00
goreleaser.yml Revert "releaser: Fat MacOS binaries" 2021-11-05 16:31:19 +01:00
LICENSE Add a GitHub compatible Apache 2 license text 2018-04-16 00:03:30 +02:00
magefile.go all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
main.go all: Format code with gofumpt 2020-12-03 13:12:58 +01:00
merge-release.sh Add merge helper 2020-10-08 19:32:53 +02:00
pull-docs.sh Allow the pull-docs script to pull other than master 2017-09-23 10:13:40 +02:00
README.md readme: Update dependency list 2021-11-03 17:15:33 +01:00
SECURITY.md Update SECURITY.md 2020-12-22 10:09:59 +01:00

Hugo

A Fast and Flexible Static Site Generator built with love by bep, spf13 and friends in Go.

Website | Forum | Documentation | Installation Guide | Contribution Guide | Twitter


Overview

Hugo is a static HTML and CSS website generator written in Go. It is optimized for speed, ease of use, and configurability. Hugo takes a directory with content and templates and renders them into a full HTML website.

Hugo relies on Markdown files with front matter for metadata, and you can run Hugo from any directory. This works well for shared hosts and other systems where you don't have a privileged account.

Hugo renders a typical website of moderate size in a fraction of a second. A good rule of thumb is that each piece of content renders in around 1 millisecond.

Hugo is designed to work well for any kind of website including blogs, tumbles, and docs.

Supported Architectures

Currently, we provide pre-built Hugo binaries for Windows, Linux, FreeBSD, NetBSD, DragonFly BSD, OpenBSD, macOS (Darwin), and Android for x64, i386 and ARM architectures.

Hugo may also be compiled from source wherever the Go compiler tool chain can run, e.g. for other operating systems including Plan 9 and Solaris.

Complete documentation is available at Hugo Documentation.

Choose How to Install

If you want to use Hugo as your site generator, simply install the Hugo binaries. The Hugo binaries have no external dependencies.

To contribute to the Hugo source code or documentation, you should fork the Hugo GitHub project and clone it to your local machine.

Finally, you can install the Hugo source code with go, build the binaries yourself, and run Hugo that way. Building the binaries is an easy task for an experienced go getter.

Install Hugo as Your Site Generator (Binary Install)

Use the installation instructions in the Hugo documentation.

Build and Install the Binaries from Source (Advanced Install)

Prerequisite Tools

Fetch from GitHub

Since Hugo 0.48, Hugo uses the Go Modules support built into Go 1.11 to build. The easiest way is to clone Hugo in a directory outside of GOPATH, as in the following example:

```bash
mkdir $HOME/src
cd $HOME/src
git clone https://github.com/gohugoio/hugo.git
cd hugo
go install
```

If you are a Windows user, substitute the $HOME environment variable above with %USERPROFILE%.

If you want to compile with Sass/SCSS support use --tags extended and make sure CGO_ENABLED=1 is set in your go environment. If you don't want to have CGO enabled, you may use the following command to temporarily enable CGO only for hugo compilation:

```bash
CGO_ENABLED=1 go install --tags extended
```

The Hugo Documentation

The Hugo documentation now lives in its own repository, see https://github.com/gohugoio/hugoDocs. But we do keep a version of that documentation as a git subtree in this repository. To build the sub folder /docs as a Hugo site, you need to clone this repo:

```bash
git clone git@github.com:gohugoio/hugo.git
```

Contributing to Hugo

For a complete guide to contributing to Hugo, see the Contribution Guide.

We welcome contributions to Hugo of any kind including documentation, themes, organization, tutorials, blog posts, bug reports, issues, feature requests, feature implementations, pull requests, answering questions on the forum, helping to manage issues, etc.

The Hugo community and maintainers are very active and helpful, and the project benefits greatly from this activity.

Asking Support Questions

We have an active discussion forum where users and developers can ask questions. Please don't use the GitHub issue tracker to ask questions.

Reporting Issues

If you believe you have found a defect in Hugo or its documentation, use the GitHub issue tracker to report the problem to the Hugo maintainers. If you're not sure if it's a bug or not, start by asking in the discussion forum. When reporting the issue, please provide the version of Hugo in use (hugo version).

Submitting Patches

The Hugo project welcomes all contributors and contributions regardless of skill or experience level. If you are interested in helping with the project, we will help you with your contribution. Hugo is a very active project with many contributions happening daily.

Because we want to create the best possible product for our users and the best contribution experience for our developers, we have a set of guidelines which ensure that all contributions are acceptable. The guidelines are not intended as a filter or barrier to participation. If you are unfamiliar with the contribution process, the Hugo team will help you and teach you how to bring your contribution in accordance with the guidelines.

For a complete guide to contributing code to Hugo, see the Contribution Guide.

Dependencies

Hugo stands on the shoulders of many great open source libraries.

If you run `hugo env -v` you will get a complete and up-to-date list.

In Hugo 0.89.0 that list is, in lexical order:

cloud.google.com/go/storage="v1.10.0"
cloud.google.com/go="v0.87.0"
github.com/Azure/azure-pipeline-go="v0.2.2"
github.com/Azure/azure-storage-blob-go="v0.9.0"
github.com/BurntSushi/locker="v0.0.0-20171006230638-a6e239ea1c69"
github.com/BurntSushi/toml="v0.3.1"
github.com/PuerkitoBio/purell="v1.1.1"
github.com/PuerkitoBio/urlesc="v0.0.0-20170810143723-de5bf2ad4578"
github.com/alecthomas/chroma="v0.9.4"
github.com/armon/go-radix="v1.0.0"
github.com/aws/aws-sdk-go="v1.41.14"
github.com/bep/debounce="v1.2.0"
github.com/bep/gitmap="v1.1.2"
github.com/bep/godartsass="v0.12.0"
github.com/bep/golibsass="v1.0.0"
github.com/bep/gowebp="v0.1.0"
github.com/bep/tmc="v0.5.1"
github.com/cli/safeexec="v1.0.0"
github.com/cpuguy83/go-md2man/v2="v2.0.0"
github.com/disintegration/gift="v1.2.1"
github.com/dlclark/regexp2="v1.4.0"
github.com/dustin/go-humanize="v1.0.0"
github.com/evanw/esbuild="v0.13.12"
github.com/fsnotify/fsnotify="v1.5.1"
github.com/getkin/kin-openapi="v0.80.0"
github.com/ghodss/yaml="v1.0.0"
github.com/go-openapi/jsonpointer="v0.19.5"
github.com/go-openapi/swag="v0.19.5"
github.com/gobuffalo/flect="v0.2.3"
github.com/gobwas/glob="v0.2.3"
github.com/gohugoio/go-i18n/v2="v2.1.3-0.20210430103248-4c28c89f8013"
github.com/gohugoio/locales="v0.14.0"
github.com/gohugoio/localescompressed="v0.14.0"
github.com/golang/groupcache="v0.0.0-20200121045136-8c9f03a8e57e"
github.com/golang/protobuf="v1.5.2"
github.com/google/go-cmp="v0.5.6"
github.com/google/uuid="v1.1.2"
github.com/google/wire="v0.4.0"
github.com/googleapis/gax-go/v2="v2.0.5"
github.com/googleapis/gax-go="v2.0.2+incompatible"
github.com/gorilla/websocket="v1.4.2"
github.com/inconshreveable/mousetrap="v1.0.0"
github.com/jdkato/prose="v1.2.1"
github.com/jmespath/go-jmespath="v0.4.0"
github.com/kyokomi/emoji/v2="v2.2.8"
github.com/mailru/easyjson="v0.0.0-20190626092158-b2ccc519800e"
github.com/mattn/go-ieproxy="v0.0.1"
github.com/mattn/go-isatty="v0.0.14"
github.com/mattn/go-runewidth="v0.0.9"
github.com/miekg/mmark="v1.3.6"
github.com/mitchellh/hashstructure="v1.1.0"
github.com/mitchellh/mapstructure="v1.4.2"
github.com/muesli/smartcrop="v0.3.0"
github.com/niklasfasching/go-org="v1.5.0"
github.com/olekukonko/tablewriter="v0.0.5"
github.com/pelletier/go-toml/v2="v2.0.0-beta.3.0.20210727221244-fa0796069526"
github.com/pkg/errors="v0.9.1"
github.com/rogpeppe/go-internal="v1.8.0"
github.com/russross/blackfriday/v2="v2.0.1"
github.com/russross/blackfriday="v1.5.3-0.20200218234912-41c5fccfd6f6"
github.com/rwcarlsen/goexif="v0.0.0-20190401172101-9e8deecbddbd"
github.com/sanity-io/litter="v1.5.1"
github.com/sass/libsass="3.6.5"
github.com/shurcooL/sanitized_anchor_name="v1.0.0"
github.com/spf13/afero="v1.6.0"
github.com/spf13/cast="v1.4.1"
github.com/spf13/cobra="v1.2.1"
github.com/spf13/fsync="v0.9.0"
github.com/spf13/jwalterweatherman="v1.1.0"
github.com/spf13/pflag="v1.0.5"
github.com/tdewolff/minify/v2="v2.9.22"
github.com/tdewolff/parse/v2="v2.5.21"
github.com/webmproject/libwebp="v1.2.0"
github.com/yuin/goldmark-highlighting="v0.0.0-20200307114337-60d527fdb691"
github.com/yuin/goldmark="v1.4.2"
go.opencensus.io="v0.23.0"
gocloud.dev="v0.20.0"
golang.org/x/image="v0.0.0-20210220032944-ac19c3e999fb"
golang.org/x/net="v0.0.0-20210614182718-04defd469f4e"
golang.org/x/oauth2="v0.0.0-20210628180205-a41e5a781914"
golang.org/x/sync="v0.0.0-20210220032951-036812b2e83c"
golang.org/x/sys="v0.0.0-20210908233432-aa78b53d3365"
golang.org/x/text="v0.3.7"
golang.org/x/xerrors="v0.0.0-20200804184101-5ec99f83aff1"
google.golang.org/api="v0.51.0"
google.golang.org/genproto="v0.0.0-20210716133855-ce7ef5c701ea"
google.golang.org/grpc="v1.39.0"
google.golang.org/protobuf="v1.27.1"
gopkg.in/yaml.v2="v2.4.0"