Add some basic security policies with sensible defaults

This ommmit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all. ```toml [security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*'] ```
author: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> 2021-12-12 12:11:11 +0100
committer: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> 2021-12-16 09:40:22 +0100
commit: f4389e48ce0a70807362772d66c12ab5cd9e15f8 (patch)
tree: 1334516a199dcdf4133758e3664348287e73e88b /config
parent: 803f572e66c5e22213ddcc994c41b3e80e9c1f35 (diff)
6 files changed, 570 insertions, 0 deletions
diff --git a/config/defaultConfigProvider.go b/config/defaultConfigProvider.go
index 0a10d5cc6..7701e765a 100644
--- a/config/defaultConfigProvider.go
+++ b/config/defaultConfigProvider.go
@@ -44,6 +44,8 @@ var (
 		"permalinks":    true,
 		"related":       true,
 		"sitemap":       true,
+		"privacy":       true,
+		"security":      true,
 		"taxonomies":    true,
 	}
 
diff --git a/config/security/docshelper.go b/config/security/docshelper.go
new file mode 100644
index 000000000..ade03560e
--- /dev/null
+++ b/config/security/docshelper.go
@@ -0,0 +1,26 @@
+// Copyright 2021 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package security
+
+import (
+	"github.com/gohugoio/hugo/docshelper"
+)
+
+func init() {
+	docsProvider := func() docshelper.DocProvider {
+
+		return docshelper.DocProvider{"config": DefaultConfig.ToSecurityMap()}
+	}
+	docshelper.AddDocProviderFunc(docsProvider)
+}
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
new file mode 100644
index 000000000..09c5cb625
--- /dev/null
+++ b/config/security/securityConfig.go
@@ -0,0 +1,227 @@
+// Copyright 2018 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package security
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/gohugoio/hugo/common/herrors"
+	"github.com/gohugoio/hugo/common/types"
+	"github.com/gohugoio/hugo/config"
+	"github.com/gohugoio/hugo/parser"
+	"github.com/gohugoio/hugo/parser/metadecoders"
+	"github.com/mitchellh/mapstructure"
+)
+
+const securityConfigKey = "security"
+
+// DefaultConfig holds the default security policy.
+var DefaultConfig = Config{
+	Exec: Exec{
+		Allow: NewWhitelist(
+			"^dart-sass-embedded$",
+			"^go$",  // for Go Modules
+			"^npx$", // used by all Node tools (Babel, PostCSS).
+			"^postcss$",
+		),
+		// These have been tested to work with Hugo's external programs
+		// on Windows, Linux and MacOS.
+		OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"),
+	},
+	Funcs: Funcs{
+		Getenv: NewWhitelist("^HUGO_"),
+	},
+	HTTP: HTTP{
+		URLs:    NewWhitelist(".*"),
+		Methods: NewWhitelist("(?i)GET|POST"),
+	},
+}
+
+// Config is the top level security config.
+type Config struct {
+	// Restricts access to os.Exec.
+	Exec Exec `json:"exec"`
+
+	// Restricts access to certain template funcs.
+	Funcs Funcs `json:"funcs"`
+
+	// Restricts access to resources.Get, getJSON, getCSV.
+	HTTP HTTP `json:"http"`
+
+	// Allow inline shortcodes
+	EnableInlineShortcodes bool `json:"enableInlineShortcodes"`
+}
+
+// Exec holds os/exec policies.
+type Exec struct {
+	Allow Whitelist `json:"allow"`
+	OsEnv Whitelist `json:"osEnv"`
+}
+
+// Funcs holds template funcs policies.
+type Funcs struct {
+	// OS env keys allowed to query in os.Getenv.
+	Getenv Whitelist `json:"getenv"`
+}
+
+type HTTP struct {
+	// URLs to allow in remote HTTP (resources.Get, getJSON, getCSV).
+	URLs Whitelist `json:"urls"`
+
+	// HTTP methods to allow.
+	Methods Whitelist `json:"methods"`
+}
+
+// ToTOML converts c to TOML with [security] as the root.
+func (c Config) ToTOML() string {
+	sec := c.ToSecurityMap()
+
+	var b bytes.Buffer
+
+	if err := parser.InterfaceToConfig(sec, metadecoders.TOML, &b); err != nil {
+		panic(err)
+	}
+
+	return strings.TrimSpace(b.String())
+}
+
+func (c Config) CheckAllowedExec(name string) error {
+	if !c.Exec.Allow.Accept(name) {
+		return &AccessDeniedError{
+			name:     name,
+			path:     "security.exec.allow",
+			policies: c.ToTOML(),
+		}
+	}
+	return nil
+
+}
+
+func (c Config) CheckAllowedGetEnv(name string) error {
+	if !c.Funcs.Getenv.Accept(name) {
+		return &AccessDeniedError{
+			name:     name,
+			path:     "security.funcs.getenv",
+			policies: c.ToTOML(),
+		}
+	}
+	return nil
+}
+
+func (c Config) CheckAllowedHTTPURL(url string) error {
+	if !c.HTTP.URLs.Accept(url) {
+		return &AccessDeniedError{
+			name:     url,
+			path:     "security.http.urls",
+			policies: c.ToTOML(),
+		}
+	}
+	return nil
+}
+
+func (c Config) CheckAllowedHTTPMethod(method string) error {
+	if !c.HTTP.Methods.Accept(method) {
+		return &AccessDeniedError{
+			name:     method,
+			path:     "security.http.method",
+			policies: c.ToTOML(),
+		}
+	}
+	return nil
+}
+
+// ToSecurityMap converts c to a map with 'security' as the root key.
+func (c Config) ToSecurityMap() map[string]interface{} {
+	// Take it to JSON and back to get proper casing etc.
+	asJson, err := json.Marshal(c)
+	herrors.Must(err)
+	m := make(map[string]interface{})
+	herrors.Must(json.Unmarshal(asJson, &m))
+
+	// Add the root
+	sec := map[string]interface{}{
+		"security": m,
+	}
+	return sec
+
+}
+
+// DecodeConfig creates a privacy Config from a given Hugo configuration.
+func DecodeConfig(cfg config.Provider) (Config, error) {
+	sc := DefaultConfig
+	if cfg.IsSet(securityConfigKey) {
+		m := cfg.GetStringMap(securityConfigKey)
+		dec, err := mapstructure.NewDecoder(
+			&mapstructure.DecoderConfig{
+				WeaklyTypedInput: true,
+				Result:           &sc,
+				DecodeHook:       stringSliceToWhitelistHook(),
+			},
+		)
+		if err != nil {
+			return sc, err
+		}
+
+		if err = dec.Decode(m); err != nil {
+			return sc, err
+		}
+	}
+
+	if !sc.EnableInlineShortcodes {
+		// Legacy
+		sc.EnableInlineShortcodes = cfg.GetBool("enableInlineShortcodes")
+	}
+
+	return sc, nil
+
+}
+
+func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
+	return func(
+		f reflect.Type,
+		t reflect.Type,
+		data interface{}) (interface{}, error) {
+
+		if t != reflect.TypeOf(Whitelist{}) {
+			return data, nil
+		}
+
+		wl := types.ToStringSlicePreserveString(data)
+
+		return NewWhitelist(wl...), nil
+
+	}
+}
+
+// AccessDeniedError represents a security policy conflict.
+type AccessDeniedError struct {
+	path     string
+	name     string
+	policies string
+}
+
+func (e *AccessDeniedError) Error() string {
+	return fmt.Sprintf("access denied: %q is not whitelisted in policy %q; the current security configuration is:\n\n%s\n\n", e.name, e.path, e.policies)
+}
+
+// IsAccessDenied reports whether err is an AccessDeniedError
+func IsAccessDenied(err error) bool {
+	var notFoundErr *AccessDeniedError
+	return errors.As(err, &notFoundErr)
+}
diff --git a/config/security/securityonfig_test.go b/config/security/securityonfig_test.go
new file mode 100644
index 000000000..d0416a20d
--- /dev/null
+++ b/config/security/securityonfig_test.go
@@ -0,0 +1,166 @@
+// Copyright 2018 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package security
+
+import (
+	"testing"
+
+	qt "github.com/frankban/quicktest"
+	"github.com/gohugoio/hugo/config"
+)
+
+func TestDecodeConfigFromTOML(t *testing.T) {
+	c := qt.New(t)
+
+	c.Run("Slice whitelist", func(c *qt.C) {
+		c.Parallel()
+		tomlConfig := `
+
+
+someOtherValue = "bar"
+
+[security]
+enableInlineShortcodes=true
+[security.exec]
+allow=["a", "b"]
+osEnv=["a", "b", "c"]
+[security.funcs]
+getEnv=["a", "b"]
+
+`
+
+		cfg, err := config.FromConfigString(tomlConfig, "toml")
+		c.Assert(err, qt.IsNil)
+
+		pc, err := DecodeConfig(cfg)
+		c.Assert(err, qt.IsNil)
+		c.Assert(pc, qt.Not(qt.IsNil))
+		c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
+		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
+		c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
+		c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsTrue)
+		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+		c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
+		c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
+
+	})
+
+	c.Run("String whitelist", func(c *qt.C) {
+		c.Parallel()
+		tomlConfig := `
+
+
+someOtherValue = "bar"
+
+[security]
+[security.exec]
+allow="a"
+osEnv="b"
+
+`
+
+		cfg, err := config.FromConfigString(tomlConfig, "toml")
+		c.Assert(err, qt.IsNil)
+
+		pc, err := DecodeConfig(cfg)
+		c.Assert(err, qt.IsNil)
+		c.Assert(pc, qt.Not(qt.IsNil))
+		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
+		c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
+		c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
+		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+
+	})
+
+	c.Run("Default exec.osEnv", func(c *qt.C) {
+		c.Parallel()
+		tomlConfig := `
+
+
+someOtherValue = "bar"
+
+[security]
+[security.exec]
+allow="a"
+
+`
+
+		cfg, err := config.FromConfigString(tomlConfig, "toml")
+		c.Assert(err, qt.IsNil)
+
+		pc, err := DecodeConfig(cfg)
+		c.Assert(err, qt.IsNil)
+		c.Assert(pc, qt.Not(qt.IsNil))
+		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
+		c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
+		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+
+	})
+
+	c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
+		c.Parallel()
+		tomlConfig := `
+
+
+someOtherValue = "bar"
+enableInlineShortcodes=true
+
+[security]
+[security.exec]
+allow="a"
+osEnv="b"
+
+`
+
+		cfg, err := config.FromConfigString(tomlConfig, "toml")
+		c.Assert(err, qt.IsNil)
+
+		pc, err := DecodeConfig(cfg)
+		c.Assert(err, qt.IsNil)
+		c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
+
+	})
+
+}
+
+func TestToTOML(t *testing.T) {
+	c := qt.New(t)
+
+	got := DefaultConfig.ToTOML()
+
+	c.Assert(got, qt.Equals,
+		"[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
+	)
+}
+
+func TestDecodeConfigDefault(t *testing.T) {
+	t.Parallel()
+	c := qt.New(t)
+
+	pc, err := DecodeConfig(config.New())
+	c.Assert(err, qt.IsNil)
+	c.Assert(pc, qt.Not(qt.IsNil))
+	c.Assert(pc.Exec.Allow.Accept("a"), qt.IsFalse)
+	c.Assert(pc.Exec.Allow.Accept("npx"), qt.IsTrue)
+	c.Assert(pc.Exec.Allow.Accept("Npx"), qt.IsFalse)
+	c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse)
+	c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
+	c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+
+	c.Assert(pc.HTTP.URLs.Accept("https://example.org"), qt.IsTrue)
+	c.Assert(pc.HTTP.Methods.Accept("POST"), qt.IsTrue)
+	c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
+	c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
+	c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
+}
diff --git a/config/security/whitelist.go b/config/security/whitelist.go
new file mode 100644
index 000000000..0d2c187c6
--- /dev/null
+++ b/config/security/whitelist.go
@@ -0,0 +1,102 @@
+// Copyright 2021 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package security
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+const (
+	acceptNoneKeyword = "none"
+)
+
+// Whitelist holds a whitelist.
+type Whitelist struct {
+	acceptNone bool
+	patterns   []*regexp.Regexp
+
+	// Store this for debugging/error reporting
+	patternsStrings []string
+}
+
+func (w Whitelist) MarshalJSON() ([]byte, error) {
+	if w.acceptNone {
+		return json.Marshal(acceptNoneKeyword)
+	}
+
+	return json.Marshal(w.patternsStrings)
+}
+
+// NewWhitelist creates a new Whitelist from zero or more patterns.
+// An empty patterns list or a pattern with the value 'none' will create
+// a whitelist that will Accept noone.
+func NewWhitelist(patterns ...string) Whitelist {
+	if len(patterns) == 0 {
+		return Whitelist{acceptNone: true}
+	}
+
+	var acceptSome bool
+	var patternsStrings []string
+
+	for _, p := range patterns {
+		if p == acceptNoneKeyword {
+			acceptSome = false
+			break
+		}
+
+		if ps := strings.TrimSpace(p); ps != "" {
+			acceptSome = true
+			patternsStrings = append(patternsStrings, ps)
+		}
+	}
+
+	if !acceptSome {
+		return Whitelist{
+			acceptNone: true,
+		}
+	}
+
+	var patternsr []*regexp.Regexp
+
+	for i := 0; i < len(patterns); i++ {
+		p := strings.TrimSpace(patterns[i])
+		if p == "" {
+			continue
+		}
+		patternsr = append(patternsr, regexp.MustCompile(p))
+	}
+
+	return Whitelist{patterns: patternsr, patternsStrings: patternsStrings}
+}
+
+// Accepted reports whether name is whitelisted.
+func (w Whitelist) Accept(name string) bool {
+	if w.acceptNone {
+		return false
+	}
+
+	for _, p := range w.patterns {
+		if p.MatchString(name) {
+			return true
+		}
+	}
+	return false
+}
+
+func (w Whitelist) String() string {
+	return fmt.Sprint(w.patternsStrings)
+}
diff --git a/config/security/whitelist_test.go b/config/security/whitelist_test.go
new file mode 100644
index 000000000..5c4196dff
--- /dev/null
+++ b/config/security/whitelist_test.go
@@ -0,0 +1,47 @@
+// Copyright 2021 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package security
+
+import (
+	"testing"
+
+	qt "github.com/frankban/quicktest"
+)
+
+func TestWhitelist(t *testing.T) {
+	t.Parallel()
+	c := qt.New(t)
+
+	c.Run("none", func(c *qt.C) {
+		c.Assert(NewWhitelist("none", "foo").Accept("foo"), qt.IsFalse)
+		c.Assert(NewWhitelist().Accept("foo"), qt.IsFalse)
+		c.Assert(NewWhitelist("").Accept("foo"), qt.IsFalse)
+		c.Assert(NewWhitelist("  ", " ").Accept("foo"), qt.IsFalse)
+		c.Assert(Whitelist{}.Accept("foo"), qt.IsFalse)
+	})
+
+	c.Run("One", func(c *qt.C) {
+		w := NewWhitelist("^foo.*")
+		c.Assert(w.Accept("foo"), qt.IsTrue)
+		c.Assert(w.Accept("mfoo"), qt.IsFalse)
+	})
+
+	c.Run("Multiple", func(c *qt.C) {
+		w := NewWhitelist("^foo.*", "^bar.*")
+		c.Assert(w.Accept("foo"), qt.IsTrue)
+		c.Assert(w.Accept("bar"), qt.IsTrue)
+		c.Assert(w.Accept("mbar"), qt.IsFalse)
+	})
+
+}
author	Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>	2021-12-12 12:11:11 +0100
committer	Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>	2021-12-16 09:40:22 +0100
commit	f4389e48ce0a70807362772d66c12ab5cd9e15f8 (patch)
tree	1334516a199dcdf4133758e3664348287e73e88b /config
parent	803f572e66c5e22213ddcc994c41b3e80e9c1f35 (diff)