security

package
v0.140.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Dec 30, 2024 License: Apache-2.0 Imports: 13 Imported by: 10

Documentation

Index

Constants

This section is empty.

Variables

// DefaultConfig is the security policy applied by default. Every allow-list
// in it is built with MustNewWhitelist, so an invalid pattern panics rather
// than producing a silently different policy.
var DefaultConfig = Config{
	Exec: Exec{
		// Executable names that may be run. Every pattern carries both ^ and $,
		// so a name has to match in full; a longer name that merely contains
		// "go" or "git" does not match these patterns.
		Allow: MustNewWhitelist(
			"^(dart-)?sass(-embedded)?$",
			"^go$",
			"^git$",
			"^npx$",
			"^postcss$",
			"^tailwindcss$",
		),

		// Environment variable names, matched case-insensitively and in full.
		// Presumably these are the variables passed through to executed
		// commands (confirm against the exec wrapper).
		// NOTE(review): GO\w+ admits every variable whose name starts with GO,
		// and the list includes the proxy variables and SSH_AUTH_SOCK; review
		// whether a given build environment should expose all of them.
		OsEnv: MustNewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$`),
	},
	Funcs: Funcs{
		// Environment keys that may be queried through os.Getenv: any key
		// starting with HUGO_ (prefix anchor only) and exactly CI. Values kept
		// in HUGO_-prefixed variables are therefore readable; secrets should
		// not be stored under that prefix.
		Getenv: MustNewWhitelist("^HUGO_", "^CI$"),
	},
	HTTP: HTTP{
		// URLs: ".*" matches every URL, so the default policy places no
		// restriction on the destination of remote requests. Builds that
		// process untrusted content, or that run where internal services are
		// reachable, may want to narrow this to known hosts.
		//
		// Methods: NOTE(review): "(?i)GET|POST" has no ^/$ anchors. If Accept
		// matches unanchored (not visible here, confirm), any method string
		// that merely contains GET or POST is accepted; "(?i)^(GET|POST)$"
		// would be the strict form.
		//
		// MediaTypes is not set in this literal.
		URLs:    MustNewWhitelist(".*"),
		Methods: MustNewWhitelist("(?i)GET|POST"),
	},
	// EnableInlineShortcodes is not set here and so keeps its zero value, false.
}

DefaultConfig holds the default security policy.

Functions

func IsAccessDenied

func IsAccessDenied(err error) bool

IsAccessDenied reports whether err is an AccessDeniedError.

Types

type AccessDeniedError

type AccessDeniedError struct {
	// contains filtered or unexported fields
}

AccessDeniedError represents a security policy conflict.

func (*AccessDeniedError) Error

func (e *AccessDeniedError) Error() string

type Config

// Config is the top-level security configuration. Its sections restrict
// external command execution, template functions and remote HTTP access.
type Config struct {
	// Exec restricts access to os/exec: which executables may be run (Exec.Allow)
	// and the environment variable allow-list in Exec.OsEnv.
	// <docsmeta>{ "newIn": "0.91.0" }</docsmeta>
	Exec Exec `json:"exec"`

	// Funcs restricts access to certain template funcs.
	Funcs Funcs `json:"funcs"`

	// HTTP restricts access to resources.GetRemote, getJSON, getCSV.
	HTTP HTTP `json:"http"`

	// EnableInlineShortcodes allows inline shortcodes. DefaultConfig leaves it
	// unset, i.e. false.
	// NOTE(review): inline shortcodes presumably let content files carry
	// template code; enable only when content authors are trusted (confirm).
	EnableInlineShortcodes bool `json:"enableInlineShortcodes"`
}

Config is the top level security config. <docsmeta>{"name": "security", "description": "This section holds the top level security config.", "newIn": "0.91.0" }</docsmeta>

func DecodeConfig

func DecodeConfig(cfg config.Provider) (Config, error)

DecodeConfig creates a security Config from a given Hugo configuration.

func (Config) CheckAllowedExec

func (c Config) CheckAllowedExec(name string) error

func (Config) CheckAllowedGetEnv

func (c Config) CheckAllowedGetEnv(name string) error

func (Config) CheckAllowedHTTPMethod

func (c Config) CheckAllowedHTTPMethod(method string) error

func (Config) CheckAllowedHTTPURL

func (c Config) CheckAllowedHTTPURL(url string) error

func (Config) ToSecurityMap

func (c Config) ToSecurityMap() map[string]any

ToSecurityMap converts c to a map with 'security' as the root key.

func (Config) ToTOML

func (c Config) ToTOML() string

ToTOML converts c to TOML with security as the root.

type Exec

// Exec holds the os/exec policies.
type Exec struct {
	// Allow holds the patterns an executable name must match to be allowed.
	// Presumably enforced by Config.CheckAllowedExec (confirm).
	Allow Whitelist `json:"allow"`
	// OsEnv holds the patterns for OS environment variable names. Presumably
	// only matching variables are passed to executed commands (confirm).
	OsEnv Whitelist `json:"osEnv"`
}

Exec holds os/exec policies.

type Funcs

// Funcs holds the policies for template funcs.
type Funcs struct {
	// Getenv holds the patterns for OS env keys that may be queried via
	// os.Getenv. DefaultConfig allows keys starting with HUGO_ and the key CI.
	Getenv Whitelist `json:"getenv"`
}

Funcs holds template funcs policies.

type HTTP

// HTTP holds the policies for remote HTTP requests.
type HTTP struct {
	// URLs to allow in remote HTTP (resources.GetRemote, getJSON, getCSV).
	// DefaultConfig sets this to ".*", which matches every URL.
	URLs Whitelist `json:"urls"`

	// HTTP methods to allow.
	Methods Whitelist `json:"methods"`

	// Media types where the Content-Type in the response is used instead of resolving from the file content.
	// Listing a type here means the remote server's declared Content-Type is
	// trusted for it. DefaultConfig does not set this field.
	MediaTypes Whitelist `json:"mediaTypes"`
}

type Whitelist

type Whitelist struct {
	// contains filtered or unexported fields
}

Whitelist holds a whitelist of patterns; Accept reports whether a name is on it.

func MustNewWhitelist added in v0.115.0

func MustNewWhitelist(patterns ...string) Whitelist

MustNewWhitelist creates a new Whitelist from zero or more patterns and panics on error.

func NewWhitelist

func NewWhitelist(patterns ...string) (Whitelist, error)

NewWhitelist creates a new Whitelist from zero or more patterns. An empty patterns list, or a pattern with the value 'none', creates a whitelist that accepts nothing.

func (Whitelist) Accept

func (w Whitelist) Accept(name string) bool

Accept reports whether name is whitelisted.

func (Whitelist) MarshalJSON

func (w Whitelist) MarshalJSON() ([]byte, error)

MarshalJSON is for internal use only.

func (Whitelist) String

func (w Whitelist) String() string
