hugo/hugolib
Bjørn Erik Pedersen f4389e48ce
Add some basic security policies with sensible defaults
This commit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that does happen, you will get clear instructions in the log about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
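The whitelist semantics the commit message describes (regular-expression allow lists, the value `none` blocking everything, applied to external helper names, the environment passed to those helpers, `getenv`, and HTTP method/URL) as an added, self-contained Go illustration. This is not Hugo's own code and uses none of Hugo's packages; the `Whitelist`, `Policy`, `DefaultPolicy` and `Check*` names are this example's own, and the patterns are the defaults quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Whitelist is a set of compiled regular expressions. The single value "none"
// blocks everything; otherwise a candidate is allowed when any pattern matches.
// Illustration of the semantics in the commit message, not Hugo's implementation.
type Whitelist struct {
	blockAll bool
	patterns []*regexp.Regexp
}

// NewWhitelist compiles the patterns; a lone "none" entry blocks all.
func NewWhitelist(patterns ...string) (Whitelist, error) {
	if len(patterns) == 1 && strings.EqualFold(strings.TrimSpace(patterns[0]), "none") {
		return Whitelist{blockAll: true}, nil
	}
	var w Whitelist
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return Whitelist{}, fmt.Errorf("invalid whitelist pattern %q: %w", p, err)
		}
		w.patterns = append(w.patterns, re)
	}
	return w, nil
}

// Allows reports whether s matches at least one pattern. An empty list allows
// nothing, which is the natural behaviour of an allow list.
func (w Whitelist) Allows(s string) bool {
	if w.blockAll {
		return false
	}
	for _, re := range w.patterns {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Policy mirrors the lists in the [security] section quoted above.
type Policy struct {
	ExecAllow, ExecOSEnv, Getenv, HTTPMethods, HTTPURLs Whitelist
}

func mustWhitelist(patterns ...string) Whitelist {
	w, err := NewWhitelist(patterns...)
	if err != nil {
		panic(err)
	}
	return w
}

// DefaultPolicy reproduces the default configuration from the commit message.
func DefaultPolicy() Policy {
	return Policy{
		ExecAllow:   mustWhitelist(`^dart-sass-embedded$`, `^go$`, `^npx$`, `^postcss$`),
		ExecOSEnv:   mustWhitelist(`(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$`),
		Getenv:      mustWhitelist(`^HUGO_`),
		HTTPMethods: mustWhitelist(`(?i)GET|POST`),
		HTTPURLs:    mustWhitelist(`.*`),
	}
}

var ErrBlocked = errors.New("blocked by security policy")

// CheckExec decides whether an external helper binary may be started.
func (p Policy) CheckExec(name string) error {
	if !p.ExecAllow.Allows(name) {
		return fmt.Errorf("exec %q: %w (add it to security.exec.allow)", name, ErrBlocked)
	}
	return nil
}

// FilterEnv keeps only KEY=VALUE entries whose key passes security.exec.osEnv,
// so unrelated variables (credentials, tokens) never reach a helper process.
func (p Policy) FilterEnv(env []string) []string {
	var out []string
	for _, kv := range env {
		if p.ExecOSEnv.Allows(strings.SplitN(kv, "=", 2)[0]) {
			out = append(out, kv)
		}
	}
	return out
}

// CheckGetenv guards the getenv template function.
func (p Policy) CheckGetenv(key string) error {
	if !p.Getenv.Allows(key) {
		return fmt.Errorf("getenv %q: %w (add it to security.funcs.getenv)", key, ErrBlocked)
	}
	return nil
}

// CheckHTTP guards outbound requests by method and URL.
func (p Policy) CheckHTTP(method, url string) error {
	if !p.HTTPMethods.Allows(method) || !p.HTTPURLs.Allows(url) {
		return fmt.Errorf("%s %s: %w", method, url, ErrBlocked)
	}
	return nil
}

func main() {
	p := DefaultPolicy()
	fmt.Println(p.CheckExec("asciidoctor")) // blocked unless added to the allow list
	fmt.Println(p.CheckExec("go"))          // <nil>
	// Constructed environment for the demonstration.
	fmt.Println(p.FilterEnv([]string{"PATH=/usr/bin", "HOME=/home/build", "CI_TOKEN=x"}))
	locked, _ := NewWhitelist("none")
	fmt.Println(locked.Allows("go")) // false
}
```

Two points worth noticing when writing your own lists: the `security.exec.allow` defaults are anchored with `^...$`, so `go` does not match `gofmt`, while the quoted `(?i)GET|POST` pattern is unanchored and, with Go's unanchored `MatchString`, matches any method string that contains those letters; anchor your own patterns unless you intend substring matching. Filtering the helper's environment down to the `osEnv` list is what keeps build-time secrets out of child processes, so widen that list deliberately rather than with `.*`.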
| File | Last commit | Date |
| --- | --- | --- |
| assets/images | Image resource refactor | 2019-08-26 15:00:44 +02:00 |
| filesystems | Fix content dir resolution when main project is a Hugo Module | 2021-11-16 20:42:34 +01:00 |
| paths | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| testdata | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| testsite | hugolib: Add testfile to .gitignore | 2019-07-07 13:01:30 +02:00 |
| 404_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| alias.go | tpl/fmt: Add erroridf template func | 2021-06-07 19:11:03 +02:00 |
| alias_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| breaking_changes_test.go | all: Fix minor typos | 2020-12-16 12:11:32 +01:00 |
| cascade_test.go | Add config.cascade | 2021-07-10 11:13:41 +02:00 |
| case_insensitive_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| collections.go | tpl/fmt: Add erroridf template func | 2021-06-07 19:11:03 +02:00 |
| collections_test.go | tests: Convert from testify to quicktest | 2019-08-12 13:26:32 +02:00 |
| config.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| config_test.go | config: Set HUGO_ENABLEGITINFO=false override in Set_in_string | 2021-10-22 19:40:18 +02:00 |
| configdir_test.go | Switch to go-toml v2 | 2021-07-28 11:51:13 +02:00 |
| content_factory.go | Improve error when we cannot determine content directory in "hugo new" | 2021-11-15 11:21:39 +01:00 |
| content_factory_test.go | Fix path resolution in hugo new | 2021-11-08 14:10:46 +01:00 |
| content_map.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| content_map_page.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| content_map_test.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| content_render_hooks_test.go | markup/goldmark: Support auto links in render hook | 2021-07-15 10:14:52 +02:00 |
| datafiles_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| dates_test.go | Fix error handling for the time func alias | 2021-08-01 13:39:30 +02:00 |
| disableKinds_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| embedded_shortcodes_test.go | Update Twitter shortcode oEmbed endpoint | 2021-11-01 15:51:00 +01:00 |
| embedded_templates_test.go | Remove empty href element from pagination template | 2021-12-02 09:14:30 +01:00 |
| fileInfo.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| fileInfo_test.go | tests: Convert from testify to quicktest | 2019-08-12 13:26:32 +02:00 |
| gitinfo.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| hugo_modules_test.go | Validate private use language tags | 2021-12-02 16:30:53 +01:00 |
| hugo_sites.go | Add a cross process build lock and use it in the archetype content builder | 2021-10-18 12:13:13 +02:00 |
| hugo_sites_build.go | Add a cross process build lock and use it in the archetype content builder | 2021-10-18 12:13:13 +02:00 |
| hugo_sites_build_errors_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| hugo_sites_build_test.go | para: Skip para test when not on CI | 2020-12-23 19:47:20 +01:00 |
| hugo_sites_multihost_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| hugo_sites_rebuild_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| hugo_smoke_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| image_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| js_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| language_content_dir_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| language_test.go | Reduce binary size vs locale, update to CLDR v36.1 | 2021-08-02 19:40:32 +02:00 |
| menu_test.go | Improve handling of `<nil>` Params | 2021-07-30 21:07:52 +02:00 |
| minify_publisher_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| mount_filters_test.go | Fix panic when specifying multiple excludeFiles directives | 2021-10-25 19:50:18 +02:00 |
| multilingual.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| openapi_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page.go | Allow user to handle/ignore errors in resources.Get | 2021-12-10 11:10:41 +01:00 |
| page__common.go | all: Fix minor typos | 2020-12-16 12:11:32 +01:00 |
| page__content.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__data.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__menus.go | Simplify "active menu" logic for section menus | 2021-07-20 17:50:59 +02:00 |
| page__meta.go | Add timezone support for front matter dates without one | 2021-07-27 19:02:48 +02:00 |
| page__new.go | tpl/fmt: Add erroridf template func | 2021-06-07 19:11:03 +02:00 |
| page__output.go | Fix output format handling for render hooks | 2021-03-09 13:26:39 +01:00 |
| page__paginator.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__paths.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__per_output.go | Fix output format handling for render hooks | 2021-03-09 13:26:39 +01:00 |
| page__position.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__ref.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page__tree.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page_kinds.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page_permalink_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| page_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| page_unwrap.go | Make Page an interface | 2019-03-23 18:51:22 +01:00 |
| page_unwrap_test.go | Add render template hooks for links and images | 2019-12-18 11:44:40 +01:00 |
| pagebundler_test.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| pagecollections.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| pagecollections_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| pages_capture.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| pages_capture_test.go | Reimplement archetypes | 2021-10-16 15:22:03 +02:00 |
| pages_language_merge_test.go | Fix BenchmarkMergeByLanguage | 2020-12-09 17:47:10 +01:00 |
| pages_process.go | hugofs: Make FileMeta a struct | 2021-07-15 17:14:26 +02:00 |
| pages_test.go | Add a benchmark | 2021-05-04 17:59:04 +02:00 |
| paginator_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| permalinker.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| prune_resources.go | cache/filecache: Add a cache prune func | 2018-11-14 23:14:51 +01:00 |
| resource_chain_babel_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| resource_chain_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| robotstxt_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| rss_test.go | tests: Convert from testify to quicktest | 2019-08-12 13:26:32 +02:00 |
| securitypolicies_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| shortcode.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| shortcode_page.go | Add render template hooks for links and images | 2019-12-18 11:44:40 +01:00 |
| shortcode_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| site.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| site_benchmark_new_test.go | Add a TOML front matter benchmark | 2021-07-27 19:27:54 +02:00 |
| site_output.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| site_output_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| site_render.go | tpl/fmt: Add erroridf template func | 2021-06-07 19:11:03 +02:00 |
| site_sections.go | Simplify page tree logic | 2019-08-08 20:13:39 +02:00 |
| site_sections_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| site_stats_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| site_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| site_url_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| siteJSONEncode_test.go | all: Format code with gofumpt | 2020-12-03 13:12:58 +01:00 |
| sitemap_test.go | tpl/embedded: Exclude pages without Permalink from sitemap | 2021-02-06 18:30:09 +01:00 |
| taxonomy.go | Simplify page tree logic | 2019-08-08 20:13:39 +02:00 |
| taxonomy_test.go | all: Fix minor typos | 2020-12-16 12:11:32 +01:00 |
| template_test.go | Misc config loading fixes | 2021-06-14 17:00:32 +02:00 |
| testhelpers_test.go | Add some basic security policies with sensible defaults | 2021-12-16 09:40:22 +01:00 |
| translations.go | Introduce a tree map for all content | 2020-02-18 09:49:42 +01:00 |