mirror of
https://github.com/gohugoio/hugo.git
synced 2025-09-01 22:42:45 +02:00
Pull in the latest code from Go's template packages (#11771)
Fixes #10707 Fixes #11507
This commit is contained in:
Bjørn Erik Pedersen
committed by
GitHub
GitHub
parent
14d85ec136
commit
9f978d387f
@@ -34,7 +34,6 @@ import (
|
||||
hglob "github.com/gohugoio/hugo/hugofs/glob"
|
||||
"github.com/gohugoio/hugo/modules"
|
||||
"github.com/gohugoio/hugo/parser/metadecoders"
|
||||
"github.com/gohugoio/hugo/tpl"
|
||||
"github.com/spf13/afero"
|
||||
)
|
||||
|
||||
@@ -91,9 +90,6 @@ func LoadConfig(d ConfigSourceDescriptor) (*Configs, error) {
|
||||
return nil, fmt.Errorf("failed to init config: %w", err)
|
||||
}
|
||||
|
||||
// This is unfortunate, but these are global settings.
|
||||
tpl.SetSecurityAllowActionJSTmpl(configs.Base.Security.GoTemplates.AllowActionJSTmpl)
|
||||
|
||||
loggers.InitGlobalLogger(d.Logger.Level(), configs.Base.PanicOnWarning)
|
||||
|
||||
return configs, nil
|
||||
|
||||
@@ -68,9 +68,6 @@ type Config struct {
|
||||
|
||||
// Allow inline shortcodes
|
||||
EnableInlineShortcodes bool `json:"enableInlineShortcodes"`
|
||||
|
||||
// Go templates related security config.
|
||||
GoTemplates GoTemplates `json:"goTemplates"`
|
||||
}
|
||||
|
||||
// Exec holds os/exec policies.
|
||||
@@ -96,15 +93,6 @@ type HTTP struct {
|
||||
MediaTypes Whitelist `json:"mediaTypes"`
|
||||
}
|
||||
|
||||
type GoTemplates struct {
|
||||
|
||||
// Enable to allow template actions inside bakcticks in ES6 template literals.
|
||||
// This was blocked in Hugo 0.114.0 for security reasons and you now get errors on the form
|
||||
// "... appears in a JS template literal" if you have this in your templates.
|
||||
// See https://github.com/golang/go/issues/59234
|
||||
AllowActionJSTmpl bool
|
||||
}
|
||||
|
||||
// ToTOML converts c to TOML with [security] as the root.
|
||||
func (c Config) ToTOML() string {
|
||||
sec := c.ToSecurityMap()
|
||||
@@ -127,7 +115,6 @@ func (c Config) CheckAllowedExec(name string) error {
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
||||
}
|
||||
|
||||
func (c Config) CheckAllowedGetEnv(name string) error {
|
||||
@@ -176,7 +163,6 @@ func (c Config) ToSecurityMap() map[string]any {
|
||||
"security": m,
|
||||
}
|
||||
return sec
|
||||
|
||||
}
|
||||
|
||||
// DecodeConfig creates a privacy Config from a given Hugo configuration.
|
||||
@@ -206,15 +192,14 @@ func DecodeConfig(cfg config.Provider) (Config, error) {
|
||||
}
|
||||
|
||||
return sc, nil
|
||||
|
||||
}
|
||||
|
||||
func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
|
||||
return func(
|
||||
f reflect.Type,
|
||||
t reflect.Type,
|
||||
data any) (any, error) {
|
||||
|
||||
data any,
|
||||
) (any, error) {
|
||||
if t != reflect.TypeOf(Whitelist{}) {
|
||||
return data, nil
|
||||
}
|
||||
@@ -222,7 +207,6 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
|
||||
wl := types.ToStringSlicePreserveString(data)
|
||||
|
||||
return NewWhitelist(wl...)
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -53,7 +53,6 @@ getEnv=["a", "b"]
|
||||
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
|
||||
c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
|
||||
c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
|
||||
|
||||
})
|
||||
|
||||
c.Run("String whitelist", func(c *qt.C) {
|
||||
@@ -80,7 +79,6 @@ osEnv="b"
|
||||
c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
|
||||
|
||||
})
|
||||
|
||||
c.Run("Default exec.osEnv", func(c *qt.C) {
|
||||
@@ -105,7 +103,6 @@ allow="a"
|
||||
c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
|
||||
|
||||
})
|
||||
|
||||
c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
|
||||
@@ -129,9 +126,7 @@ osEnv="b"
|
||||
pc, err := DecodeConfig(cfg)
|
||||
c.Assert(err, qt.IsNil)
|
||||
c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
|
||||
|
||||
})
|
||||
|
||||
}
|
||||
|
||||
func TestToTOML(t *testing.T) {
|
||||
@@ -140,7 +135,7 @@ func TestToTOML(t *testing.T) {
|
||||
got := DefaultConfig.ToTOML()
|
||||
|
||||
c.Assert(got, qt.Equals,
|
||||
"[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
|
||||
"[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
|
||||
)
|
||||
}
|
||||
|
||||
@@ -169,5 +164,4 @@ func TestDecodeConfigDefault(t *testing.T) {
|
||||
c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
|
||||
c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse)
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user