From 2637b4ef4dbb3f8d3e537f900bdd072b4078c87e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?= Date: Sat, 20 May 2023 17:37:04 +0200 Subject: Allow whitelisting mediaTypes used in resources.GetRemote Fixes #10286 --- hugolib/securitypolicies_test.go | 28 +++++++++++++++++++++++++--- hugolib/testdata/fakejson.json | Bin 0 -> 42 bytes 2 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 hugolib/testdata/fakejson.json (limited to 'hugolib') diff --git a/hugolib/securitypolicies_test.go b/hugolib/securitypolicies_test.go index aa062bb1f..5b9267b59 100644 --- a/hugolib/securitypolicies_test.go +++ b/hugolib/securitypolicies_test.go @@ -138,9 +138,9 @@ func TestSecurityPolicies(t *testing.T) { } cb := func(b *sitesBuilder) { b.WithConfigFile("toml", ` - [security] - [security.exec] - allow="none" +[security] +[security.exec] +allow="none" `) b.WithTemplatesAdded("index.html", `{{ $scss := "body { color: #333; }" | resources.FromString "foo.scss" | resources.ToCSS (dict "transpiler" "dartsass") }}`) @@ -166,6 +166,28 @@ func TestSecurityPolicies(t *testing.T) { [security] [security.http] urls="none" +`) + }) + }) + + c.Run("resources.GetRemote, fake JSON", func(c *qt.C) { + c.Parallel() + httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, `(?s).*failed to resolve media type.*`, + func(b *sitesBuilder) { + b.WithConfigFile("toml", ` +`) + }) + }) + + c.Run("resources.GetRemote, fake JSON whitelisted", func(c *qt.C) { + c.Parallel() + httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, ``, + func(b *sitesBuilder) { + b.WithConfigFile("toml", ` +[security] +[security.http] +mediaTypes=["application/json"] + `) }) }) diff --git a/hugolib/testdata/fakejson.json b/hugolib/testdata/fakejson.json new file mode 100644 index 000000000..f191b280c Binary files /dev/null and b/hugolib/testdata/fakejson.json differ -- cgit v1.2.3
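Review bot: The two sub-tests added at the end of this hunk cover the default rejection and a matching `mediaTypes` entry, but nothing checks that a non-matching entry still rejects `fakejson.json`. A regression that made any non-empty `security.http.mediaTypes` bypass media type resolution entirely would therefore still pass. A third sub-test with an unrelated value (the `text/plain` below is a constructed example) and the same `failed to resolve media type` pattern would pin that the allowlist is selective; this assumes the server-reported type for the fixture is not `text/plain`, which the diff does not show. The whitelisted case also passes an empty pattern and asserts nothing about the rendered output, and the 42-byte fixture is binary in this diff, so a short comment stating what `fakejson.json` contains and that the empty pattern means "no error expected" would help. `TestSecurityPolicies` begins and ends outside the hunk.

```go
c.Run("resources.GetRemote, fake JSON, non-matching allowlist", func(c *qt.C) {
	c.Parallel()
	// The allowlist entry does not cover the fixture, so resolution is expected to fail as in the default case.
	httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, `(?s).*failed to resolve media type.*`,
		func(b *sitesBuilder) {
			b.WithConfigFile("toml", `
[security]
[security.http]
mediaTypes=["text/plain"]
`)
		})
})
```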