aboutsummaryrefslogtreecommitdiffhomepage
path: root/markup/rst
diff options
context:
space:
mode:
authorBjørn Erik Pedersen <[email protected]>2021-12-12 12:11:11 +0100
committerBjørn Erik Pedersen <[email protected]>2021-12-16 09:40:22 +0100
commitf4389e48ce0a70807362772d66c12ab5cd9e15f8 (patch)
tree1334516a199dcdf4133758e3664348287e73e88b /markup/rst
parent803f572e66c5e22213ddcc994c41b3e80e9c1f35 (diff)
downloadhugo-f4389e48ce0a70807362772d66c12ab5cd9e15f8.tar.gz
hugo-f4389e48ce0a70807362772d66c12ab5cd9e15f8.zip
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all. ```toml [security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*'] ```
Diffstat (limited to 'markup/rst')
-rw-r--r--markup/rst/convert.go58
-rw-r--r--markup/rst/convert_test.go11
2 files changed, 47 insertions, 22 deletions
diff --git a/markup/rst/convert.go b/markup/rst/convert.go
index 4c11c4be8..b86b35f1b 100644
--- a/markup/rst/convert.go
+++ b/markup/rst/convert.go
@@ -18,7 +18,7 @@ import (
"bytes"
"runtime"
- "github.com/cli/safeexec"
+ "github.com/gohugoio/hugo/common/hexec"
"github.com/gohugoio/hugo/htesting"
"github.com/gohugoio/hugo/identity"
@@ -48,7 +48,11 @@ type rstConverter struct {
}
func (c *rstConverter) Convert(ctx converter.RenderContext) (converter.Result, error) {
- return converter.Bytes(c.getRstContent(ctx.Src, c.ctx)), nil
+ b, err := c.getRstContent(ctx.Src, c.ctx)
+ if err != nil {
+ return nil, err
+ }
+ return converter.Bytes(b), nil
}
func (c *rstConverter) Supports(feature identity.Identity) bool {
@@ -57,31 +61,38 @@ func (c *rstConverter) Supports(feature identity.Identity) bool {
// getRstContent calls the Python script rst2html as an external helper
// to convert reStructuredText content to HTML.
-func (c *rstConverter) getRstContent(src []byte, ctx converter.DocumentContext) []byte {
+func (c *rstConverter) getRstContent(src []byte, ctx converter.DocumentContext) ([]byte, error) {
logger := c.cfg.Logger
- path := getRstExecPath()
+ binaryName, binaryPath := getRstBinaryNameAndPath()
- if path == "" {
+ if binaryName == "" {
logger.Println("rst2html / rst2html.py not found in $PATH: Please install.\n",
" Leaving reStructuredText content unrendered.")
- return src
+ return src, nil
}
- logger.Infoln("Rendering", ctx.DocumentName, "with", path, "...")
+ logger.Infoln("Rendering", ctx.DocumentName, "with", binaryName, "...")
var result []byte
+ var err error
+
// certain *nix based OSs wrap executables in scripted launchers
// invoking binaries on these OSs via python interpreter causes SyntaxError
// invoke directly so that shebangs work as expected
// handle Windows manually because it doesn't do shebangs
if runtime.GOOS == "windows" {
- python := internal.GetPythonExecPath()
- args := []string{path, "--leave-comments", "--initial-header-level=2"}
- result = internal.ExternallyRenderContent(c.cfg, ctx, src, python, args)
+ pythonBinary, _ := internal.GetPythonBinaryAndExecPath()
+ args := []string{binaryPath, "--leave-comments", "--initial-header-level=2"}
+ result, err = internal.ExternallyRenderContent(c.cfg, ctx, src, pythonBinary, args)
} else {
args := []string{"--leave-comments", "--initial-header-level=2"}
- result = internal.ExternallyRenderContent(c.cfg, ctx, src, path, args)
+ result, err = internal.ExternallyRenderContent(c.cfg, ctx, src, binaryName, args)
+ }
+
+ if err != nil {
+ return nil, err
}
+
// TODO(bep) check if rst2html has a body only option.
bodyStart := bytes.Index(result, []byte("<body>\n"))
if bodyStart < 0 {
@@ -96,24 +107,29 @@ func (c *rstConverter) getRstContent(src []byte, ctx converter.DocumentContext)
}
}
- return result[bodyStart+7 : bodyEnd]
+ return result[bodyStart+7 : bodyEnd], err
}
-func getRstExecPath() string {
- path, err := safeexec.LookPath("rst2html")
- if err != nil {
- path, err = safeexec.LookPath("rst2html.py")
- if err != nil {
- return ""
+var rst2Binaries = []string{"rst2html", "rst2html.py"}
+
+func getRstBinaryNameAndPath() (string, string) {
+ for _, candidate := range rst2Binaries {
+ if pth := hexec.LookPath(candidate); pth != "" {
+ return candidate, pth
}
}
- return path
+ return "", ""
}
-// Supports returns whether rst is installed on this computer.
+// Supports returns whether rst is (or should be) installed on this computer.
func Supports() bool {
+ name, _ := getRstBinaryNameAndPath()
+ hasBin := name != ""
if htesting.SupportsAll() {
+ if !hasBin {
+ panic("rst not installed")
+ }
return true
}
- return getRstExecPath() != ""
+ return hasBin
}
diff --git a/markup/rst/convert_test.go b/markup/rst/convert_test.go
index 269d92caa..5d2882de1 100644
--- a/markup/rst/convert_test.go
+++ b/markup/rst/convert_test.go
@@ -16,7 +16,9 @@ package rst
import (
"testing"
+ "github.com/gohugoio/hugo/common/hexec"
"github.com/gohugoio/hugo/common/loggers"
+ "github.com/gohugoio/hugo/config/security"
"github.com/gohugoio/hugo/markup/converter"
@@ -28,7 +30,14 @@ func TestConvert(t *testing.T) {
t.Skip("rst not installed")
}
c := qt.New(t)
- p, err := Provider.New(converter.ProviderConfig{Logger: loggers.NewErrorLogger()})
+ sc := security.DefaultConfig
+ sc.Exec.Allow = security.NewWhitelist("rst", "python")
+
+ p, err := Provider.New(
+ converter.ProviderConfig{
+ Logger: loggers.NewErrorLogger(),
+ Exec: hexec.New(sc),
+ })
c.Assert(err, qt.IsNil)
conv, err := p.New(converter.DocumentContext{})
c.Assert(err, qt.IsNil)