From e5f229974166402f51e4ee0695ffb4d1e09fa174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?=
Date: Thu, 25 Jul 2019 00:12:40 +0200
Subject: Block symlink dir traversal for /static

This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules, but that could create hard-to-detect loops.
---
 hugolib/hugo_modules_test.go | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

(limited to 'hugolib/hugo_modules_test.go')

diff --git a/hugolib/hugo_modules_test.go b/hugolib/hugo_modules_test.go
index dc0da2e1c..171bbb347 100644
--- a/hugolib/hugo_modules_test.go
+++ b/hugolib/hugo_modules_test.go
@@ -443,6 +443,7 @@ weight = 2
 `
 b := newTestSitesBuilder(t).WithNothingAdded().WithWorkingDir(workDir)
+ b.WithLogger(loggers.NewErrorLogger())
 b.Fs = fs
 b.WithConfigFile("toml", config)
@@ -457,35 +458,46 @@ weight = 2
 bfs := b.H.BaseFs
- for _, componentFs := range []afero.Fs{
+ for i, componentFs := range []afero.Fs{
+ bfs.Static[""].Fs,
 bfs.Archetypes.Fs,
 bfs.Content.Fs,
 bfs.Data.Fs,
 bfs.Assets.Fs,
- bfs.Static[""].Fs,
 bfs.I18n.Fs} {
- for i, id := range []string{"mod", "project"} {
+ if i != 0 {
+ continue
+ }
+
+ for j, id := range []string{"mod", "project"} {
+
+ statCheck := func(fs afero.Fs, filename string, isDir bool) {
+ shouldFail := j == 0
+ if !shouldFail && i == 0 {
+ // Static dirs only supports symlinks for files
+ shouldFail = isDir
+ }
- statCheck := func(fs afero.Fs, filename string) {
- shouldFail := i == 0
 _, err := fs.Stat(filepath.FromSlash(filename))
+
 if err != nil {
- if strings.HasSuffix(filename, "toml") && strings.Contains(err.Error(), "files not supported") {
+ if i > 0 && strings.HasSuffix(filename, "toml") && strings.Contains(err.Error(), "files not supported") {
 // OK
 return
 }
 }
+
 if shouldFail {
 assert.Error(err)
- assert.Equal(hugofs.ErrPermissionSymlink, err)
+ assert.Equal(hugofs.ErrPermissionSymlink, err, filename)
 } else {
- assert.NoError(err)
+ assert.NoError(err, filename)
 }
 }
- statCheck(componentFs, fmt.Sprintf("realsym%s", id))
- statCheck(componentFs, fmt.Sprintf("real/datasym%s.toml", id))
+ statCheck(componentFs, fmt.Sprintf("realsym%s", id), true)
+ statCheck(componentFs, fmt.Sprintf("real/datasym%s.toml", id), false)
 }
 }
-- 
cgit v1.2.3
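Review bot: The `if i != 0 { continue }` guard added right after the `[]afero.Fs{...}` slice skips every component except `bfs.Static[""].Fs` (index 0), so Archetypes, Content, Data, Assets and I18n are no longer exercised by this test, and the new `i > 0 &&` condition in the "files not supported" branch can never hold. If narrowing the check to the static component is deliberate, the guard should carry a comment saying so, e.g. `// NOTE(review): only the static fs is checked here; the remaining components are skipped on purpose - confirm why`; if it is a debugging leftover, dropping those three lines restores coverage of the other components and makes the `i > 0` condition meaningful again. The new comment `// Static dirs only supports symlinks for files` should read `// Static dirs only support symlinks for files`. The enclosing test function starts before this hunk and continues after it.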