diff options
author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2023-06-15 16:34:16 +0200 |
---|---|---|
committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2023-06-15 23:04:33 +0200 |
commit | ee359df172ece11989e9b1bf35c2d376f2608ac6 (patch) | |
tree | 98513578d0ad8c2ced1c6aacf2ca5ba40a703b6a /config | |
parent | 0f989d5e21b200d848b45a4e305958636fd00779 (diff) |
Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added.
This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).
This will throw an error saying "... appears in a JS template literal".
If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:
```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```
See https://github.com/golang/go/issues/59234
Fixes #11112
Diffstat (limited to 'config')
-rw-r--r-- | config/allconfig/load.go | 4 | ||||
-rw-r--r-- | config/security/securityConfig.go | 12 | ||||
-rw-r--r-- | config/security/securityConfig_test.go | 2 |
3 files changed, 17 insertions, 1 deletions
diff --git a/config/allconfig/load.go b/config/allconfig/load.go index ad090d60d..eca9d06df 100644 --- a/config/allconfig/load.go +++ b/config/allconfig/load.go @@ -34,6 +34,7 @@ import ( hglob "github.com/gohugoio/hugo/hugofs/glob" "github.com/gohugoio/hugo/modules" "github.com/gohugoio/hugo/parser/metadecoders" + "github.com/gohugoio/hugo/tpl" "github.com/spf13/afero" ) @@ -89,6 +90,9 @@ func LoadConfig(d ConfigSourceDescriptor) (*Configs, error) { return nil, fmt.Errorf("failed to init config: %w", err) } + // This is unfortunate, but this is a global setting. + tpl.SetSecurityAllowActionJSTmpl(configs.Base.Security.GoTemplates.AllowActionJSTmpl) + return configs, nil } diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go index 8bd12af4b..5d0db2fb9 100644 --- a/config/security/securityConfig.go +++ b/config/security/securityConfig.go @@ -68,6 +68,9 @@ type Config struct { // Allow inline shortcodes EnableInlineShortcodes bool `json:"enableInlineShortcodes"` + + // Go templates related security config. + GoTemplates GoTemplates `json:"goTemplates"` } // Exec holds os/exec policies. @@ -93,6 +96,15 @@ type HTTP struct { MediaTypes Whitelist `json:"mediaTypes"` } +type GoTemplates struct { + + // Enable to allow template actions inside bakcticks in ES6 template literals. + // This was blocked in Hugo 0.114.0 for security reasons and you now get errors on the form + // "... appears in a JS template literal" if you have this in your templates. + // See https://github.com/golang/go/issues/59234 + AllowActionJSTmpl bool +} + // ToTOML converts c to TOML with [security] as the root. func (c Config) ToTOML() string { sec := c.ToSecurityMap() diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go index 3bfd59ce3..12ce3aae4 100644 --- a/config/security/securityConfig_test.go +++ b/config/security/securityConfig_test.go @@ -140,7 +140,7 @@ func TestToTOML(t *testing.T) { got := DefaultConfig.ToTOML() c.Assert(got, qt.Equals, - "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", + "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", ) } |