aboutsummaryrefslogtreecommitdiffhomepage
path: root/config/security/securityConfig.go
AgeCommit message (Collapse)Author
2022-09-19config/security: Allow proxy variables in subcommandsMathieu Parent
In particular for go get
2022-03-17all: gofmt -w -r 'interface{} -> any' .Bjørn Erik Pedersen
Updates #9687
2021-12-23Revert "config/security: Add HOME to default exec env var whitelist"Bjørn Erik Pedersen
There have been one report in the wild suggesting that this needs to be tested better before doing: https://discourse.gohugo.io/t/hugo-mod-failing-in-v0-91-1-but-works-in-v0-91-0/36180/5 This reverts commit fca266ebbb81af3d4479873a7a79759033c7ce25.
2021-12-22config/security: Add HOME to default exec env var whitelistBjørn Erik Pedersen
See #9309
2021-12-16Add some basic security policies with sensible defaultsBjørn Erik Pedersen
This ommmit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all. ```toml [security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*'] ```