diff options
| author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2021-12-22 12:55:44 +0300 |
|---|---|---|
| committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2021-12-22 13:33:59 +0300 |
| commit | fca266ebbb81af3d4479873a7a79759033c7ce25 (patch) | |
| tree | 8a7a9542a1bc9d2ae0e80c5a5f10004211adfbbc /config | |
| parent | 0016e21cd6b3cc267a9b0d99adb9ba13bde48e4c (diff) | |
config/security: Add HOME to default exec env var whitelist
See #9309
Diffstat (limited to 'config')
| -rw-r--r-- | config/security/securityConfig.go | 6 | ||||
| -rw-r--r-- | config/security/securityonfig_test.go | 7 |
2 files changed, 2 insertions, 11 deletions
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go index 09c5cb625..8b0a52698 100644 --- a/config/security/securityConfig.go +++ b/config/security/securityConfig.go @@ -42,7 +42,7 @@ var DefaultConfig = Config{ ), // These have been tested to work with Hugo's external programs // on Windows, Linux and MacOS. - OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"), + OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"), }, Funcs: Funcs{ Getenv: NewWhitelist("^HUGO_"), @@ -110,7 +110,6 @@ func (c Config) CheckAllowedExec(name string) error { } } return nil - } func (c Config) CheckAllowedGetEnv(name string) error { @@ -159,7 +158,6 @@ func (c Config) ToSecurityMap() map[string]interface{} { "security": m, } return sec - } // DecodeConfig creates a privacy Config from a given Hugo configuration. @@ -189,7 +187,6 @@ func DecodeConfig(cfg config.Provider) (Config, error) { } return sc, nil - } func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType { @@ -205,7 +202,6 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType { wl := types.ToStringSlicePreserveString(data) return NewWhitelist(wl...), nil - } } diff --git a/config/security/securityonfig_test.go b/config/security/securityonfig_test.go index d0416a20d..bafb4e766 100644 --- a/config/security/securityonfig_test.go +++ b/config/security/securityonfig_test.go @@ -53,7 +53,6 @@ getEnv=["a", "b"] c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue) c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse) - }) c.Run("String whitelist", func(c *qt.C) { @@ -80,7 +79,6 @@ osEnv="b" c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) - }) c.Run("Default exec.osEnv", func(c *qt.C) { @@ -105,7 +103,6 @@ allow="a" c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) - }) c.Run("Enable inline shortcodes, legacy", func(c *qt.C) { @@ -129,9 +126,7 @@ osEnv="b" pc, err := DecodeConfig(cfg) c.Assert(err, qt.IsNil) c.Assert(pc.EnableInlineShortcodes, qt.IsTrue) - }) - } func TestToTOML(t *testing.T) { @@ -140,7 +135,7 @@ func TestToTOML(t *testing.T) { got := DefaultConfig.ToTOML() c.Assert(got, qt.Equals, - "[security]\n enableInlineShortcodes = false\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n [security.funcs]\n getenv = ['^HUGO_']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", + "[security]\n enableInlineShortcodes = false\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$']\n\n [security.funcs]\n getenv = ['^HUGO_']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", ) } |