security

package
v0.114.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 19, 2023 License: Apache-2.0 Imports: 14 Imported by: 10

Documentation

Index

Constants

This section is empty.

Variables

View Source
var DefaultConfig = Config{
	Exec: Exec{
		Allow: NewWhitelist(
			"^(dart-)?sass(-embedded)?$",
			"^go$",
			"^npx$",
			"^postcss$",
		),

		OsEnv: NewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`),
	},
	Funcs: Funcs{
		Getenv: NewWhitelist("^HUGO_", "^CI$"),
	},
	HTTP: HTTP{
		URLs:    NewWhitelist(".*"),
		Methods: NewWhitelist("(?i)GET|POST"),
	},
}

DefaultConfig holds the default security policy.

Functions

func IsAccessDenied

func IsAccessDenied(err error) bool

IsAccessDenied reports whether err is an AccessDeniedError

Types

type AccessDeniedError

type AccessDeniedError struct {
	// contains filtered or unexported fields
}

AccessDeniedError represents a security policy conflict.

func (*AccessDeniedError) Error

func (e *AccessDeniedError) Error() string

type Config

type Config struct {
	// Restricts access to os.Exec....
	// <docsmeta>{ "newIn": "0.91.0" }</docsmeta>
	Exec Exec `json:"exec"`

	// Restricts access to certain template funcs.
	Funcs Funcs `json:"funcs"`

	// Restricts access to resources.GetRemote, getJSON, getCSV.
	HTTP HTTP `json:"http"`

	// Allow inline shortcodes
	EnableInlineShortcodes bool `json:"enableInlineShortcodes"`

	// Go templates related security config.
	GoTemplates GoTemplates `json:"goTemplates"`
}

Config is the top level security config. <docsmeta>{"name": "security", "description": "This section holds the top level security config.", "newIn": "0.91.0" }</docsmeta>

func DecodeConfig

func DecodeConfig(cfg config.Provider) (Config, error)

DecodeConfig creates a privacy Config from a given Hugo configuration.

func (Config) CheckAllowedExec

func (c Config) CheckAllowedExec(name string) error

func (Config) CheckAllowedGetEnv

func (c Config) CheckAllowedGetEnv(name string) error

func (Config) CheckAllowedHTTPMethod

func (c Config) CheckAllowedHTTPMethod(method string) error

func (Config) CheckAllowedHTTPURL

func (c Config) CheckAllowedHTTPURL(url string) error

func (Config) ToSecurityMap

func (c Config) ToSecurityMap() map[string]any

ToSecurityMap converts c to a map with 'security' as the root key.

func (Config) ToTOML

func (c Config) ToTOML() string

ToTOML converts c to TOML with security as the root.

type Exec

type Exec struct {
	Allow Whitelist `json:"allow"`
	OsEnv Whitelist `json:"osEnv"`
}

Exec holds os/exec policies.

type Funcs

type Funcs struct {
	// OS env keys allowed to query in os.Getenv.
	Getenv Whitelist `json:"getenv"`
}

Funcs holds template funcs policies.

type GoTemplates added in v0.114.0

type GoTemplates struct {

	// Enable to allow template actions inside bakcticks in ES6 template literals.
	// This was blocked in Hugo 0.114.0 for security reasons and you now get errors on the form
	// "... appears in a JS template literal" if you have this in your templates.
	// See https://github.com/golang/go/issues/59234
	AllowActionJSTmpl bool
}

type HTTP

type HTTP struct {
	// URLs to allow in remote HTTP (resources.Get, getJSON, getCSV).
	URLs Whitelist `json:"urls"`

	// HTTP methods to allow.
	Methods Whitelist `json:"methods"`

	// Media types where the Content-Type in the response is used instead of resolving from the file content.
	MediaTypes Whitelist `json:"mediaTypes"`
}

type Whitelist

type Whitelist struct {
	// contains filtered or unexported fields
}

Whitelist holds a whitelist.

func NewWhitelist

func NewWhitelist(patterns ...string) Whitelist

NewWhitelist creates a new Whitelist from zero or more patterns. An empty patterns list or a pattern with the value 'none' will create a whitelist that will Accept none.

func (Whitelist) Accept

func (w Whitelist) Accept(name string) bool

Accept reports whether name is whitelisted.

func (Whitelist) MarshalJSON

func (w Whitelist) MarshalJSON() ([]byte, error)

MarshalJSON is for internal use only.

func (Whitelist) String

func (w Whitelist) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL