diff options
author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2019-07-25 00:12:40 +0200 |
---|---|---|
committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2019-07-25 11:27:25 +0200 |
commit | e5f229974166402f51e4ee0695ffb4d1e09fa174 (patch) | |
tree | 44dc7adc4fd02cb563583afaff6ddaa781821e2f /hugolib/hugo_modules_test.go | |
parent | 87a07282a2f01779e098cde0aaee1bae34dc32e6 (diff) |
Block symlink dir traversal for /static
This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules,
but that could create hard-to-detect loops.
Diffstat (limited to 'hugolib/hugo_modules_test.go')
-rw-r--r-- | hugolib/hugo_modules_test.go | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/hugolib/hugo_modules_test.go b/hugolib/hugo_modules_test.go index dc0da2e1c..171bbb347 100644 --- a/hugolib/hugo_modules_test.go +++ b/hugolib/hugo_modules_test.go @@ -443,6 +443,7 @@ weight = 2 ` b := newTestSitesBuilder(t).WithNothingAdded().WithWorkingDir(workDir) + b.WithLogger(loggers.NewErrorLogger()) b.Fs = fs b.WithConfigFile("toml", config) @@ -457,35 +458,46 @@ weight = 2 bfs := b.H.BaseFs - for _, componentFs := range []afero.Fs{ + for i, componentFs := range []afero.Fs{ + bfs.Static[""].Fs, bfs.Archetypes.Fs, bfs.Content.Fs, bfs.Data.Fs, bfs.Assets.Fs, - bfs.Static[""].Fs, bfs.I18n.Fs} { - for i, id := range []string{"mod", "project"} { + if i != 0 { + continue + } + + for j, id := range []string{"mod", "project"} { + + statCheck := func(fs afero.Fs, filename string, isDir bool) { + shouldFail := j == 0 + if !shouldFail && i == 0 { + // Static dirs only supports symlinks for files + shouldFail = isDir + } - statCheck := func(fs afero.Fs, filename string) { - shouldFail := i == 0 _, err := fs.Stat(filepath.FromSlash(filename)) + if err != nil { - if strings.HasSuffix(filename, "toml") && strings.Contains(err.Error(), "files not supported") { + if i > 0 && strings.HasSuffix(filename, "toml") && strings.Contains(err.Error(), "files not supported") { // OK return } } + if shouldFail { assert.Error(err) - assert.Equal(hugofs.ErrPermissionSymlink, err) + assert.Equal(hugofs.ErrPermissionSymlink, err, filename) } else { - assert.NoError(err) + assert.NoError(err, filename) } } - statCheck(componentFs, fmt.Sprintf("realsym%s", id)) - statCheck(componentFs, fmt.Sprintf("real/datasym%s.toml", id)) + statCheck(componentFs, fmt.Sprintf("realsym%s", id), true) + statCheck(componentFs, fmt.Sprintf("real/datasym%s.toml", id), false) } } |