github.com/kovansky/hugo@v0.92.3-0.20220224232819-63076e4ff19f/config/security/securityonfig_test.go (about)

     1  // Copyright 2018 The Hugo Authors. All rights reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  // http://www.apache.org/licenses/LICENSE-2.0
     7  //
     8  // Unless required by applicable law or agreed to in writing, software
     9  // distributed under the License is distributed on an "AS IS" BASIS,
    10  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11  // See the License for the specific language governing permissions and
    12  // limitations under the License.
    13  
    14  package security
    15  
    16  import (
    17  	"testing"
    18  
    19  	qt "github.com/frankban/quicktest"
    20  	"github.com/gohugoio/hugo/config"
    21  )
    22  
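// TestDecodeConfigFromTOML checks that the [security] section of a TOML site
// configuration is decoded into the allow-lists that are queried via Accept.
//
// Each subtest parses its own TOML document and runs in parallel. The
// single-letter entries keep the fixtures short, but they also mean no subtest
// shows how a multi-character name is matched against a short entry.
//
// NOTE(review): the defaults pinned in TestToTOML are anchored regular
// expressions ('^go$', '^npx$'), which suggests entries are regex patterns.
// If so, an unanchored entry such as allow="a" would presumably accept any
// name containing "a". Confirm against the Accept implementation and
// consider a negative case with a longer name.
func TestDecodeConfigFromTOML(t *testing.T) {
	c := qt.New(t)

	c.Run("Slice whitelist", func(c *qt.C) {
		c.Parallel()
		// The key is spelled getEnv here while ToTOML emits getenv. The
		// Getenv assertions below only hold if the key is still decoded.
		tomlConfig := `


someOtherValue = "bar"

[security]
enableInlineShortcodes=true
[security.exec]
allow=["a", "b"]
osEnv=["a", "b", "c"]
[security.funcs]
getEnv=["a", "b"]

`

		cfg, err := config.FromConfigString(tomlConfig, "toml")
		c.Assert(err, qt.IsNil)

		pc, err := DecodeConfig(cfg)
		c.Assert(err, qt.IsNil)
		c.Assert(pc, qt.Not(qt.IsNil))
		c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)

		// Check the last element of every list as well as the first, so that
		// a decoder keeping only one entry of a slice cannot pass.
		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
		c.Assert(pc.Exec.Allow.Accept("b"), qt.IsTrue)
		c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
		c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsTrue)
		c.Assert(pc.Exec.OsEnv.Accept("c"), qt.IsTrue)
		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
		c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
		c.Assert(pc.Funcs.Getenv.Accept("b"), qt.IsTrue)
		c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
	})

	c.Run("String whitelist", func(c *qt.C) {
		c.Parallel()
		// A bare string is accepted where a list is expected.
		tomlConfig := `


someOtherValue = "bar"

[security]
[security.exec]
allow="a"
osEnv="b"

`

		cfg, err := config.FromConfigString(tomlConfig, "toml")
		c.Assert(err, qt.IsNil)

		pc, err := DecodeConfig(cfg)
		c.Assert(err, qt.IsNil)
		c.Assert(pc, qt.Not(qt.IsNil))
		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
		c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
		c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
		// NOTE(review): nothing here checks whether PATH is still accepted
		// once osEnv is set explicitly. It is worth pinning whether an
		// explicit value replaces the default list or extends it.
	})

	c.Run("Default exec.osEnv", func(c *qt.C) {
		c.Parallel()
		// exec.osEnv is left out, so PATH must still be accepted via the
		// default while an unrelated name stays rejected.
		tomlConfig := `


someOtherValue = "bar"

[security]
[security.exec]
allow="a"

`

		cfg, err := config.FromConfigString(tomlConfig, "toml")
		c.Assert(err, qt.IsNil)

		pc, err := DecodeConfig(cfg)
		c.Assert(err, qt.IsNil)
		c.Assert(pc, qt.Not(qt.IsNil))
		c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
		c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
		c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
	})

	c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
		c.Parallel()
		// enableInlineShortcodes sits at the top level, outside [security],
		// and must still switch the security setting on.
		tomlConfig := `


someOtherValue = "bar"
enableInlineShortcodes=true

[security]
[security.exec]
allow="a"
osEnv="b"

`

		cfg, err := config.FromConfigString(tomlConfig, "toml")
		c.Assert(err, qt.IsNil)

		pc, err := DecodeConfig(cfg)
		c.Assert(err, qt.IsNil)
		// Same guard as the other subtests before reading fields of pc.
		c.Assert(pc, qt.Not(qt.IsNil))
		c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
	})
}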
   136  
// TestToTOML pins the exact TOML rendering of DefaultConfig.
//
// The expected string is the default security policy in readable form, so a
// change to it alters what is allowed out of the box and should be reviewed
// as a policy change, not as a formatting change.
//
// NOTE(review): exec.allow and exec.osEnv are anchored with ^...$, while
// http.methods ('(?i)GET|POST') has no anchors and http.urls is '.*'.
// If Accept performs an unanchored regex match (not visible in this file), a
// method string that merely contains GET or POST would be accepted. Confirm
// against the Accept implementation.
func TestToTOML(t *testing.T) {
	const want = "[security]\n  enableInlineShortcodes = false\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']"

	c := qt.New(t)
	c.Assert(DefaultConfig.ToTOML(), qt.Equals, want)
}
   146  
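// TestDecodeConfigDefault decodes an empty configuration and checks that the
// result enforces the defaults rendered in TestToTOML: a small anchored
// allow-list for exec, a case-insensitive environment allow-list, HUGO_-only
// getenv, and GET/POST for HTTP.
func TestDecodeConfigDefault(t *testing.T) {
	t.Parallel()
	c := qt.New(t)

	pc, err := DecodeConfig(config.New())
	c.Assert(err, qt.IsNil)
	c.Assert(pc, qt.Not(qt.IsNil))

	// Inline shortcodes are off unless explicitly enabled.
	c.Assert(pc.EnableInlineShortcodes, qt.IsFalse)

	// exec.allow is case-sensitive and anchored: only the exact binary name
	// passes, not a different casing or a longer name sharing the prefix.
	c.Assert(pc.Exec.Allow.Accept("a"), qt.IsFalse)
	c.Assert(pc.Exec.Allow.Accept("npx"), qt.IsTrue)
	c.Assert(pc.Exec.Allow.Accept("Npx"), qt.IsFalse)
	c.Assert(pc.Exec.Allow.Accept("go"), qt.IsTrue)
	c.Assert(pc.Exec.Allow.Accept("gofmt"), qt.IsFalse)

	// exec.osEnv carries (?i), so the variable name matches in any case.
	c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse)
	c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
	c.Assert(pc.Exec.OsEnv.Accept("path"), qt.IsTrue)
	c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)

	// funcs.getenv only exposes variables whose name starts with HUGO_.
	// The pattern is anchored at the start, so HUGO_ elsewhere in the name
	// is not enough.
	c.Assert(pc.Funcs.Getenv.Accept("HUGO_ENV"), qt.IsTrue)
	c.Assert(pc.Funcs.Getenv.Accept("PATH"), qt.IsFalse)
	c.Assert(pc.Funcs.Getenv.Accept("MY_HUGO_ENV"), qt.IsFalse)

	// NOTE(review): the default http.urls pattern is '.*', so the URL
	// assertion passes for any URL. The default methods pattern
	// '(?i)GET|POST' is unanchored, and only exact method names are checked
	// here. Strings that merely contain GET or POST are not covered;
	// consider anchoring the default and adding such a negative case.
	c.Assert(pc.HTTP.URLs.Accept("https://example.org"), qt.IsTrue)
	c.Assert(pc.HTTP.Methods.Accept("POST"), qt.IsTrue)
	c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
	c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
	c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
}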
   165  	c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
   166  }