Add some basic security policies with sensible defaults

This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```

markup/pandoc/convert.go

@@ -15,7 +15,7 @@
 package pandoc
 
 import (
-	"github.com/cli/safeexec"
+	"github.com/gohugoio/hugo/common/hexec"
 	"github.com/gohugoio/hugo/htesting"
 	"github.com/gohugoio/hugo/identity"
 	"github.com/gohugoio/hugo/markup/internal"
@@ -44,7 +44,11 @@ type pandocConverter struct {
 }
 
 func (c *pandocConverter) Convert(ctx converter.RenderContext) (converter.Result, error) {
-	return converter.Bytes(c.getPandocContent(ctx.Src, c.ctx)), nil
+	b, err := c.getPandocContent(ctx.Src, c.ctx)
+	if err != nil {
+		return nil, err
+	}
+	return converter.Bytes(b), nil
 }
 
 func (c *pandocConverter) Supports(feature identity.Identity) bool {
@@ -52,31 +56,35 @@ func (c *pandocConverter) Supports(feature identity.Identity) bool {
 }
 
 // getPandocContent calls pandoc as an external helper to convert pandoc markdown to HTML.
-func (c *pandocConverter) getPandocContent(src []byte, ctx converter.DocumentContext) []byte {
+func (c *pandocConverter) getPandocContent(src []byte, ctx converter.DocumentContext) ([]byte, error) {
 	logger := c.cfg.Logger
-	path := getPandocExecPath()
-	if path == "" {
+	binaryName := getPandocBinaryName()
+	if binaryName == "" {
 		logger.Println("pandoc not found in $PATH: Please install.\n",
 			"                 Leaving pandoc content unrendered.")
-		return src
+		return src, nil
 	}
 	args := []string{"--mathjax"}
-	return internal.ExternallyRenderContent(c.cfg, ctx, src, path, args)
+	return internal.ExternallyRenderContent(c.cfg, ctx, src, binaryName, args)
 }
 
-func getPandocExecPath() string {
-	path, err := safeexec.LookPath("pandoc")
-	if err != nil {
-		return ""
-	}
+const pandocBinary = "pandoc"
 
-	return path
+func getPandocBinaryName() string {
+	if hexec.InPath(pandocBinary) {
+		return pandocBinary
+	}
+	return ""
 }
 
 // Supports returns whether Pandoc is installed on this computer.
 func Supports() bool {
+	hasBin := getPandocBinaryName() != ""
 	if htesting.SupportsAll() {
+		if !hasBin {
+			panic("pandoc not installed")
+		}
 		return true
 	}
-	return getPandocExecPath() != ""
+	return hasBin
 }

markup/pandoc/convert_test.go

@@ -16,7 +16,9 @@ package pandoc
 import (
 	"testing"
 
+	"github.com/gohugoio/hugo/common/hexec"
 	"github.com/gohugoio/hugo/common/loggers"
+	"github.com/gohugoio/hugo/config/security"
 
 	"github.com/gohugoio/hugo/markup/converter"
 
@@ -28,7 +30,9 @@ func TestConvert(t *testing.T) {
 		t.Skip("pandoc not installed")
 	}
 	c := qt.New(t)
-	p, err := Provider.New(converter.ProviderConfig{Logger: loggers.NewErrorLogger()})
+	sc := security.DefaultConfig
+	sc.Exec.Allow = security.NewWhitelist("pandoc")
+	p, err := Provider.New(converter.ProviderConfig{Exec: hexec.New(sc), Logger: loggers.NewErrorLogger()})
 	c.Assert(err, qt.IsNil)
 	conv, err := p.New(converter.DocumentContext{})
 	c.Assert(err, qt.IsNil)