config/security: Add HOME to default exec env var whitelist

author Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>

Wed, 22 Dec 2021 09:55:44 +0000 (10:55 +0100)

committer Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>

Wed, 22 Dec 2021 10:33:59 +0000 (11:33 +0100)
author Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
Wed, 22 Dec 2021 09:55:44 +0000 (10:55 +0100)
committer Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
Wed, 22 Dec 2021 10:33:59 +0000 (11:33 +0100)
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go

index 09c5cb62573e8ad10f4f7f1ac0c6dfb6b38d30f5..8b0a526984103528fd40912cb7433c4d0f71b6a1 100644 (file)
--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -42,7 +42,7 @@ var DefaultConfig = Config{
                 ),
                 // These have been tested to work with Hugo's external programs
                 // on Windows, Linux and MacOS.
-               OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"),
+               OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"),
         },
         Funcs: Funcs{
                 Getenv: NewWhitelist("^HUGO_"),
@@ -110,7 +110,6 @@ func (c Config) CheckAllowedExec(name string) error {
                 }
         }
         return nil
-
  }
  
  func (c Config) CheckAllowedGetEnv(name string) error {
@@ -159,7 +158,6 @@ func (c Config) ToSecurityMap() map[string]interface{} {
                 "security": m,
         }
         return sec
-
  }
  
  // DecodeConfig creates a privacy Config from a given Hugo configuration.
@@ -189,7 +187,6 @@ func DecodeConfig(cfg config.Provider) (Config, error) {
         }
  
         return sc, nil
-
  }
  
  func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
@@ -205,7 +202,6 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
                 wl := types.ToStringSlicePreserveString(data)
  
                 return NewWhitelist(wl...), nil
-
         }
  }
  
diff --git a/config/security/securityonfig_test.go b/config/security/securityonfig_test.go

index d0416a20df320a8c83917e2ce98d290e3c1bed80..bafb4e766d9dba6a69c21a0cea587a76c05acc66 100644 (file)
--- a/config/security/securityonfig_test.go
+++ b/config/security/securityonfig_test.go
@@ -53,7 +53,6 @@ getEnv=["a", "b"]
                 c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
                 c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
                 c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
-
         })
  
         c.Run("String whitelist", func(c *qt.C) {
@@ -80,7 +79,6 @@ osEnv="b"
                 c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
                 c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
                 c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
-
         })
  
         c.Run("Default exec.osEnv", func(c *qt.C) {
@@ -105,7 +103,6 @@ allow="a"
                 c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
                 c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
                 c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
-
         })
  
         c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
@@ -129,9 +126,7 @@ osEnv="b"
                 pc, err := DecodeConfig(cfg)
                 c.Assert(err, qt.IsNil)
                 c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
-
         })
-
  }
  
  func TestToTOML(t *testing.T) {
@@ -140,7 +135,7 @@ func TestToTOML(t *testing.T) {
         got := DefaultConfig.ToTOML()
  
         c.Assert(got, qt.Equals,
-               "[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
+               "[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
         )
  }
  
diff --git a/docs/data/docs.json b/docs/data/docs.json

index b270b2c9b5361eb145d5282b0e25c5286207e879..78f0640fa7024dcc4569976202c21c0c1f5efde5 100644 (file)
--- a/docs/data/docs.json
+++ b/docs/data/docs.json
@@ -1839,7 +1839,7 @@
            "^postcss$"
          ],
          "osEnv": [
-          "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"
+          "(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"
          ]
        },
        "funcs": {
author	Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
	Wed, 22 Dec 2021 09:55:44 +0000 (10:55 +0100)
committer	Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
	Wed, 22 Dec 2021 10:33:59 +0000 (11:33 +0100)
config/security/securityConfig.go		patch \| blob \| history
config/security/securityonfig_test.go		patch \| blob \| history
docs/data/docs.json		patch \| blob \| history