config/security: Add HOME to default exec env var whitelist - hugo - [fork] hugo port for 9front
 (DIR) commit fca266ebbb81af3d4479873a7a79759033c7ce25
 (DIR) parent 0016e21cd6b3cc267a9b0d99adb9ba13bde48e4c
 (HTM) Author: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
       Date:   Wed, 22 Dec 2021 10:55:44 +0100
       
       config/security: Add HOME to default exec env var whitelist
       
       See #9309
       
       Diffstat:
         M config/security/securityConfig.go   |       6 +-----
         M config/security/securityonfig_test… |       7 +------
         M docs/data/docs.json                 |       2 +-
       
       3 files changed, 3 insertions(+), 12 deletions(-)
       ---
 (DIR) diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
       @@ -42,7 +42,7 @@ var DefaultConfig = Config{
                        ),
                        // These have been tested to work with Hugo's external programs
                        // on Windows, Linux and MacOS.
       -                OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"),
       +                OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"),
                },
                Funcs: Funcs{
                        Getenv: NewWhitelist("^HUGO_"),
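Review bot: The comment above `OsEnv` still says only that the list was tested with Hugo's external programs, so nothing here records why `HOME` was added or what passing it through exposes. With `HOME` in the child environment, the allowed executables can presumably locate per-user configuration and cache directories, and those can hold registry tokens or other credentials. A line such as `// HOME lets the external tools find their per-user config and cache dirs (see #9309); narrow security.exec.osEnv if that is not wanted.` would make the trade-off visible to anyone tightening the policy. The `DefaultConfig` literal starts and ends outside this hunk.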
       @@ -110,7 +110,6 @@ func (c Config) CheckAllowedExec(name string) error {
                        }
                }
                return nil
       -
        }
        
        func (c Config) CheckAllowedGetEnv(name string) error {
       @@ -159,7 +158,6 @@ func (c Config) ToSecurityMap() map[string]interface{} {
                        "security": m,
                }
                return sec
       -
        }
        
        // DecodeConfig creates a privacy Config from a given Hugo configuration.
       @@ -189,7 +187,6 @@ func DecodeConfig(cfg config.Provider) (Config, error) {
                }
        
                return sc, nil
       -
        }
        
        func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
       @@ -205,7 +202,6 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
                        wl := types.ToStringSlicePreserveString(data)
        
                        return NewWhitelist(wl...), nil
       -
                }
        }
        
 (DIR) diff --git a/config/security/securityonfig_test.go b/config/security/securityonfig_test.go
       @@ -53,7 +53,6 @@ getEnv=["a", "b"]
                        c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
                        c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
                        c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
       -
                })
        
                c.Run("String whitelist", func(c *qt.C) {
       @@ -80,7 +79,6 @@ osEnv="b"
                        c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
                        c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
                        c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
       -
                })
        
                c.Run("Default exec.osEnv", func(c *qt.C) {
       @@ -105,7 +103,6 @@ allow="a"
                        c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
                        c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
                        c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
       -
                })
        
                c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
       @@ -129,9 +126,7 @@ osEnv="b"
                        pc, err := DecodeConfig(cfg)
                        c.Assert(err, qt.IsNil)
                        c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
       -
                })
       -
        }
        
        func TestToTOML(t *testing.T) {
       @@ -140,7 +135,7 @@ func TestToTOML(t *testing.T) {
                got := DefaultConfig.ToTOML()
        
                c.Assert(got, qt.Equals,
       -                "[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
       +                "[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
                )
        }
        
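Review bot: The new default is covered only by the serialized string in `TestToTOML`, which pins the regex text but not what the whitelist accepts. The `Default exec.osEnv` subtest (in the hunk at -105) asserts only `PATH`, so adding `c.Assert(pc.Exec.OsEnv.Accept("HOME"), qt.IsTrue)` there would exercise the change directly. A near-miss such as `c.Assert(pc.Exec.OsEnv.Accept("HOMEPATH"), qt.IsFalse)` (sample name) would also show that the `^…$` anchors keep the entry from widening to neighbouring variable names. `TestToTOML` begins outside this hunk.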
 (DIR) diff --git a/docs/data/docs.json b/docs/data/docs.json
       @@ -1839,7 +1839,7 @@
                  "^postcss$"
                ],
                "osEnv": [
       -          "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"
       +          "(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"
                ]
              },
              "funcs": {