diff options
| author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2023-12-04 12:07:54 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-04 12:07:54 +0100 |
| commit | 9f978d387f8b7cb6bc03fe6b4dd52bb16862a784 (patch) | |
| tree | dc53e021fbf8a89e7ff0d3e86bbe9416ce5d7ecb /config | |
| parent | 14d85ec136413dcfc96ad8e4d31633f8f9cbf410 (diff) | |
Pull in the latest code from Go's template packages (#11771)
Fixes #10707
Fixes #11507
Diffstat (limited to 'config')
| -rw-r--r-- | config/allconfig/load.go | 4 | ||||
| -rw-r--r-- | config/security/securityConfig.go | 20 | ||||
| -rw-r--r-- | config/security/securityConfig_test.go | 8 |
3 files changed, 3 insertions, 29 deletions
diff --git a/config/allconfig/load.go b/config/allconfig/load.go index e7dae1806..7d706c7e3 100644 --- a/config/allconfig/load.go +++ b/config/allconfig/load.go @@ -34,7 +34,6 @@ import ( hglob "github.com/gohugoio/hugo/hugofs/glob" "github.com/gohugoio/hugo/modules" "github.com/gohugoio/hugo/parser/metadecoders" - "github.com/gohugoio/hugo/tpl" "github.com/spf13/afero" ) @@ -91,9 +90,6 @@ func LoadConfig(d ConfigSourceDescriptor) (*Configs, error) { return nil, fmt.Errorf("failed to init config: %w", err) } - // This is unfortunate, but these are global settings. - tpl.SetSecurityAllowActionJSTmpl(configs.Base.Security.GoTemplates.AllowActionJSTmpl) - loggers.InitGlobalLogger(d.Logger.Level(), configs.Base.PanicOnWarning) return configs, nil diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go index 16f8c23d8..e3bffedca 100644 --- a/config/security/securityConfig.go +++ b/config/security/securityConfig.go @@ -68,9 +68,6 @@ type Config struct { // Allow inline shortcodes EnableInlineShortcodes bool `json:"enableInlineShortcodes"` - - // Go templates related security config. - GoTemplates GoTemplates `json:"goTemplates"` } // Exec holds os/exec policies. @@ -96,15 +93,6 @@ type HTTP struct { MediaTypes Whitelist `json:"mediaTypes"` } -type GoTemplates struct { - - // Enable to allow template actions inside bakcticks in ES6 template literals. - // This was blocked in Hugo 0.114.0 for security reasons and you now get errors on the form - // "... appears in a JS template literal" if you have this in your templates. - // See https://github.com/golang/go/issues/59234 - AllowActionJSTmpl bool -} - // ToTOML converts c to TOML with [security] as the root. func (c Config) ToTOML() string { sec := c.ToSecurityMap() @@ -127,7 +115,6 @@ func (c Config) CheckAllowedExec(name string) error { } } return nil - } func (c Config) CheckAllowedGetEnv(name string) error { @@ -176,7 +163,6 @@ func (c Config) ToSecurityMap() map[string]any { "security": m, } return sec - } // DecodeConfig creates a privacy Config from a given Hugo configuration. @@ -206,15 +192,14 @@ func DecodeConfig(cfg config.Provider) (Config, error) { } return sc, nil - } func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType { return func( f reflect.Type, t reflect.Type, - data any) (any, error) { - + data any, + ) (any, error) { if t != reflect.TypeOf(Whitelist{}) { return data, nil } @@ -222,7 +207,6 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType { wl := types.ToStringSlicePreserveString(data) return NewWhitelist(wl...) - } } diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go index cdfbe6341..3d58288c9 100644 --- a/config/security/securityConfig_test.go +++ b/config/security/securityConfig_test.go @@ -53,7 +53,6 @@ getEnv=["a", "b"] c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue) c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse) - }) c.Run("String whitelist", func(c *qt.C) { @@ -80,7 +79,6 @@ osEnv="b" c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) - }) c.Run("Default exec.osEnv", func(c *qt.C) { @@ -105,7 +103,6 @@ allow="a" c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) - }) c.Run("Enable inline shortcodes, legacy", func(c *qt.C) { @@ -129,9 +126,7 @@ osEnv="b" pc, err := DecodeConfig(cfg) c.Assert(err, qt.IsNil) c.Assert(pc.EnableInlineShortcodes, qt.IsTrue) - }) - } func TestToTOML(t *testing.T) { @@ -140,7 +135,7 @@ func TestToTOML(t *testing.T) { got := DefaultConfig.ToTOML() c.Assert(got, qt.Equals, - "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", + "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", ) } @@ -169,5 +164,4 @@ func TestDecodeConfigDefault(t *testing.T) { c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse) - } |