From ee359df172ece11989e9b1bf35c2d376f2608ac6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?= Date: Thu, 15 Jun 2023 16:34:16 +0200 Subject: Fix upstream Go templates bug with reversed key/value assignment The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added. This also includes a security fix that now disallows Go template actions in JS literals (inside backticks). This will throw an error saying "... appears in a JS template literal". If you're really sure this isn't a security risk in your case, you can revert to the old behaviour: ```toml [security] [security.gotemplates] allowActionJSTmpl = true ``` See https://github.com/golang/go/issues/59234 Fixes #11112 --- config/allconfig/load.go | 4 ++++ config/security/securityConfig.go | 12 ++++++++++++ config/security/securityConfig_test.go | 2 +- 3 files changed, 17 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/allconfig/load.go b/config/allconfig/load.go index ad090d60d..eca9d06df 100644 --- a/config/allconfig/load.go +++ b/config/allconfig/load.go @@ -34,6 +34,7 @@ import ( hglob "github.com/gohugoio/hugo/hugofs/glob" "github.com/gohugoio/hugo/modules" "github.com/gohugoio/hugo/parser/metadecoders" + "github.com/gohugoio/hugo/tpl" "github.com/spf13/afero" ) @@ -89,6 +90,9 @@ func LoadConfig(d ConfigSourceDescriptor) (*Configs, error) { return nil, fmt.Errorf("failed to init config: %w", err) } + // This is unfortunate, but this is a global setting. + tpl.SetSecurityAllowActionJSTmpl(configs.Base.Security.GoTemplates.AllowActionJSTmpl) + return configs, nil } diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go index 8bd12af4b..5d0db2fb9 100644 --- a/config/security/securityConfig.go +++ b/config/security/securityConfig.go @@ -68,6 +68,9 @@ type Config struct { // Allow inline shortcodes EnableInlineShortcodes bool `json:"enableInlineShortcodes"` + + // Go templates related security config. + GoTemplates GoTemplates `json:"goTemplates"` } // Exec holds os/exec policies. @@ -93,6 +96,15 @@ type HTTP struct { MediaTypes Whitelist `json:"mediaTypes"` } +type GoTemplates struct { + + // Enable to allow template actions inside bakcticks in ES6 template literals. + // This was blocked in Hugo 0.114.0 for security reasons and you now get errors on the form + // "... appears in a JS template literal" if you have this in your templates. + // See https://github.com/golang/go/issues/59234 + AllowActionJSTmpl bool +} + // ToTOML converts c to TOML with [security] as the root. func (c Config) ToTOML() string { sec := c.ToSecurityMap() diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go index 3bfd59ce3..12ce3aae4 100644 --- a/config/security/securityConfig_test.go +++ b/config/security/securityConfig_test.go @@ -140,7 +140,7 @@ func TestToTOML(t *testing.T) { got := DefaultConfig.ToTOML() c.Assert(got, qt.Equals, - "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", + "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", ) } -- cgit v1.2.3