gohugoio / hugo

The world’s fastest framework for building websites.
https://gohugo.io
Apache License 2.0

Security Directives in security.toml Not Recognized by Hugo When Placed in config/_default Folder #12752

Closed fmaida closed 1 month ago

fmaida commented 1 month ago

I have a blog that hosts its configuration not in a config.toml file, but inside a config/_default folder. I had to add directives to manage security, but if I add them as a security.toml file inside config/_default, they don't seem to be recognized by Hugo. However, if I insert them into the config/_default/config.toml file, they do work.

What I did

I was in the terminal, inside my home directory. I tried to create a new post on my Hugo website and edit it with my editor of choice (Helix), so I wrote:

hugo new --source /Users/Cesco/Documents/Progetti/HTML-CSS/retroblog.it blog/gigetto/index.md --editor hx

Hugo gave me this error message, claiming that the command 'hx' is not whitelisted:

Content "/Users/Cesco/Documents/Progetti/HTML-CSS/retroblog.it/content/blog/gigetto/index.md" created
Editing "/Users/Cesco/Documents/Progetti/HTML-CSS/retroblog.it/content/blog/gigetto/index.md" with "hx" ...
Error: access denied: "hx" is not whitelisted in policy "security.exec.allow"; the current security configuration is:

[security]
  enableInlineShortcodes = false

  [security.exec]
    allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^npx$', '^postcss$', '^tailwindcss$']
    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$']

  [security.funcs]
    getenv = ['^HUGO_', '^CI$']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']

So as prompted I wrote a small portion of code to tackle the security problem:

[security]
    enableInlineShortcodes = false

    [security.exec]
        allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^npx$', '^postcss$', '^tailwindcss$', '^hx$']
        osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$']

Here my problems begin...

My Hugo blog does not have a config.toml file in the root. Instead, I opted for a "Config directory approach", because it seems more clear to me. So my project root looks like this:

config
archetypes
resources
content
public
layouts
static
assets
themes

Inside the config directory I have a subfolder named "_default":

config
└── _default
    ├── config.toml
    ├── languages.it.toml
    ├── markup.toml
    ├── menus.it.toml
    ├── module.toml
    ├── params.toml
    └── taxonomies.toml

I tried to create a security.toml file inside config/_default, but Hugo seems to ignore it. In order to get it working I had to add the security configuration part to config.toml.

I'm not sure if this is a bug or not.

What version of Hugo are you using (hugo version)?

hugo v0.131.0+extended darwin/amd64 BuildDate=2024-08-02T09:03:48Z VendorInfo=brew

Does this issue reproduce with the latest release?

Yes

jmooring commented 1 month ago

I suspect you are including the root key within your security.toml file.

See docs: https://gohugo.io/getting-started/configuration/#omit-the-root-key

fmaida commented 1 month ago

> I suspect you are including the root key within your security.toml file.

I already tried to include and exclude the "[security]" header from the security.toml file but it doesn't seem to make any difference on my computer.

jmooring commented 1 month ago

This is a support issue, not a bug. Please create a topic in the forum and we'll handle it from there. Thanks.

https://discourse.gohugo.io/

fmaida commented 1 month ago

Sorry, I am an idiot. I correctly removed the [security] header but forgot to rename [security.exec] to [exec]. You can close this, sorry again.
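For reference, this is what the split-out file looks like once both mistakes described above are corrected. It is an added example, not a file from the issue or from the Hugo project; the allow and osEnv values are the ones quoted earlier in the thread, with `^hx$` appended for the Helix editor. With the config directory approach the file name `security.toml` supplies the root key, so the file contains neither `[security]` nor `[security.exec]`:

```toml
# config/_default/security.toml (added example)
# The root key "security" comes from the file name, so nothing in this file
# is nested under [security]. What would be security.enableInlineShortcodes
# in config.toml is a top-level key here, and [security.exec] becomes [exec].
enableInlineShortcodes = false

[exec]
  # Keep every pattern anchored (^...$) so only the named binaries can be run;
  # a loose pattern such as '.*' would let any external program execute.
  allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^npx$', '^postcss$', '^tailwindcss$', '^hx$']
  osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG|SYSTEMDRIVE)$']
```

A quick check that Hugo picked the file up is to run `hugo config` from the project root and confirm the `security.exec.allow` list it prints includes `^hx$`; if the file still carried a `[security]` header, Hugo would read the values as `security.security.exec.allow` and the original allow list would remain in effect.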

github-actions[bot] commented 3 weeks ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.