author | Bjørn Erik Pedersen <[email protected]> | 2023-06-28 08:56:35 +0200 |
committer | Bjørn Erik Pedersen <[email protected]> | 2023-06-28 08:57:28 +0200 |
commit | 7f698c89346acb5e5116736d25325a046652ba81 (patch) | |
tree | 31f82eff1f17b7bf53581583f6d856bf551036dd /config/security | |
parent | fa0e16f4c79a703d122f1e3a3a99f4b779aea9b2 (diff) | |
Don't panic on invalid security whitelist regexp
Fixes #11176
Diffstat (limited to 'config/security')
-rw-r--r-- | config/security/securityConfig.go | 12 | ||||
-rw-r--r-- | config/security/whitelist.go | 23 | ||||
-rw-r--r-- | config/security/whitelist_test.go | 12 |
3 files changed, 30 insertions, 17 deletions
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
index 5d0db2fb9..3d17b7a48 100644
--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -34,7 +34,7 @@ const securityConfigKey = "security"
 // DefaultConfig holds the default security policy.
 var DefaultConfig = Config{
 Exec: Exec{
- Allow: NewWhitelist(
+ Allow: MustNewWhitelist(
 "^(dart-)?sass(-embedded)?$", // sass, dart-sass, dart-sass-embedded.
 "^go$", // for Go Modules
 "^npx$", // used by all Node tools (Babel, PostCSS).
@@ -42,14 +42,14 @@ var DefaultConfig = Config{
 ),
 // These have been tested to work with Hugo's external programs
 // on Windows, Linux and MacOS.
- OsEnv: NewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`),
+ OsEnv: MustNewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`),
 },
 Funcs: Funcs{
- Getenv: NewWhitelist("^HUGO_", "^CI$"),
+ Getenv: MustNewWhitelist("^HUGO_", "^CI$"),
 },
 HTTP: HTTP{
- URLs: NewWhitelist(".*"),
- Methods: NewWhitelist("(?i)GET|POST"),
+ URLs: MustNewWhitelist(".*"),
+ Methods: MustNewWhitelist("(?i)GET|POST"),
 },
 }
@@ -221,7 +221,7 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
 wl := types.ToStringSlicePreserveString(data)
- return NewWhitelist(wl...), nil
+ return NewWhitelist(wl...)
 }
 }
diff --git a/config/security/whitelist.go b/config/security/whitelist.go
index 72a80da2e..92eb3102f 100644
--- a/config/security/whitelist.go
+++ b/config/security/whitelist.go
@@ -45,9 +45,9 @@ func (w Whitelist) MarshalJSON() ([]byte, error) {
 // NewWhitelist creates a new Whitelist from zero or more patterns.
 // An empty patterns list or a pattern with the value 'none' will create
 // a whitelist that will Accept none.
-func NewWhitelist(patterns ...string) Whitelist {
+func NewWhitelist(patterns ...string) (Whitelist, error) {
 if len(patterns) == 0 {
- return Whitelist{acceptNone: true}
+ return Whitelist{acceptNone: true}, nil
 }
 var acceptSome bool
@@ -68,7 +68,7 @@ func NewWhitelist(patterns ...string) Whitelist {
 if !acceptSome {
 return Whitelist{
 acceptNone: true,
- }
+ }, nil
 }
 var patternsr []*regexp.Regexp
@@ -78,10 +78,23 @@ func NewWhitelist(patterns ...string) Whitelist {
 if p == "" {
 continue
 }
- patternsr = append(patternsr, regexp.MustCompile(p))
+ re, err := regexp.Compile(p)
+ if err != nil {
+ return Whitelist{}, fmt.Errorf("failed to compile whitelist pattern %q: %w", p, err)
+ }
+ patternsr = append(patternsr, re)
 }
- return Whitelist{patterns: patternsr, patternsStrings: patternsStrings}
+ return Whitelist{patterns: patternsr, patternsStrings: patternsStrings}, nil
+}
+
+// MustNewWhitelist creates a new Whitelist from zero or more patterns and panics on error.
+func MustNewWhitelist(patterns ...string) Whitelist {
+ w, err := NewWhitelist(patterns...)
+ if err != nil {
+ panic(err)
+ }
+ return w
 }
 // Accept reports whether name is whitelisted.
diff --git a/config/security/whitelist_test.go b/config/security/whitelist_test.go
index 5c4196dff..89d1bc2b1 100644
--- a/config/security/whitelist_test.go
+++ b/config/security/whitelist_test.go
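Review bot: The doc comments on NewWhitelist and MustNewWhitelist in the @@ -78,10 hunk do not state the contract that matters to callers of a security allow-list: on a bad pattern NewWhitelist returns the zero `Whitelist{}`, which the test file shows accepts nothing, so a decode failure fails closed rather than open. I would add to NewWhitelist's comment `// On error the returned Whitelist is the zero value, which accepts nothing.` and to MustNewWhitelist's comment `// It is meant for hard-coded patterns such as DefaultConfig; patterns read from user configuration must go through NewWhitelist so that a typo is reported as an error rather than a panic.`, since that is the point of this fix. The error string also carries a "failed to" prefix that Go convention leaves out once errors are chained: `return Whitelist{}, fmt.Errorf("compile whitelist pattern %q: %w", p, err)`. NewWhitelist's body spans several hunks here; the loop header over the patterns is outside the shown lines.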
@@ -24,21 +24,21 @@ func TestWhitelist(t *testing.T) {
 c := qt.New(t)
 c.Run("none", func(c *qt.C) {
- c.Assert(NewWhitelist("none", "foo").Accept("foo"), qt.IsFalse)
- c.Assert(NewWhitelist().Accept("foo"), qt.IsFalse)
- c.Assert(NewWhitelist("").Accept("foo"), qt.IsFalse)
- c.Assert(NewWhitelist(" ", " ").Accept("foo"), qt.IsFalse)
+ c.Assert(MustNewWhitelist("none", "foo").Accept("foo"), qt.IsFalse)
+ c.Assert(MustNewWhitelist().Accept("foo"), qt.IsFalse)
+ c.Assert(MustNewWhitelist("").Accept("foo"), qt.IsFalse)
+ c.Assert(MustNewWhitelist(" ", " ").Accept("foo"), qt.IsFalse)
 c.Assert(Whitelist{}.Accept("foo"), qt.IsFalse)
 })
 c.Run("One", func(c *qt.C) {
- w := NewWhitelist("^foo.*")
+ w := MustNewWhitelist("^foo.*")
 c.Assert(w.Accept("foo"), qt.IsTrue)
 c.Assert(w.Accept("mfoo"), qt.IsFalse)
 })
 c.Run("Multiple", func(c *qt.C) {
- w := NewWhitelist("^foo.*", "^bar.*")
+ w := MustNewWhitelist("^foo.*", "^bar.*")
 c.Assert(w.Accept("foo"), qt.IsTrue)
 c.Assert(w.Accept("bar"), qt.IsTrue)
 c.Assert(w.Accept("mbar"), qt.IsFalse)
|
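Review bot: The test hunk only swaps NewWhitelist for MustNewWhitelist in the existing cases; nothing exercises the behaviour this commit fixes, an invalid pattern returning an error instead of panicking, so a future regression back to MustCompile would pass this suite unchanged. I would add a subtest such as `c.Run("Invalid", func(c *qt.C) {` / `_, err := NewWhitelist("(")` / `c.Assert(err, qt.IsNotNil) })`, and, if the panic contract of MustNewWhitelist is meant to be kept, a matching `c.Assert(func() { MustNewWhitelist("(") }, qt.PanicMatches, "compile whitelist pattern.*")` adjusted to the final error wording. Asserting that the zero Whitelist returned alongside the error still rejects everything would also pin the fail-closed property. TestWhitelist's body continues past the end of this hunk.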