Runtime security
Hugo produces static output, so once the site is built, the runtime is the browser (assuming the output is HTML) and any server (API) you integrate with.
But while you are developing and building your site, the runtime is the hugo executable itself. Securing a runtime can be a real challenge.
Hugo's main approach is sandboxing combined with a security policy that has strict defaults:
- Hugo has a virtual file system, and only the main project (not third-party components) is allowed to mount directories or files from outside the project root.
- User-defined components have read-only access to the file system.
- Hugo shells out to a few external binaries to support Asciidoctor and similar tools, but those binaries and their flags are predefined and disabled by default (see Security policy). General functions for running arbitrary external OS commands have been discussed but not implemented, because of the security concerns involved.
Security policy
Hugo has a built-in security policy that restricts access to os/exec, remote communication and similar capabilities.
Hugo ships with a strict default configuration for this policy. Any build that uses a feature outside the policy's allow lists fails with a detailed message about what needs to be done. Most of these settings are allow lists: a string or a slice of regular expressions, or the value none, which matches nothing.
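The allow-list semantics just described (a list of regular expressions, or none to match nothing, with a build failure when a request is not matched) are easy to get wrong when writing your own patterns. The following Go program is an added illustration written for this page, not Hugo's own code: it models a policy with the same shape as Hugo's `security.exec.allow`, `security.funcs.getenv` and `security.http.urls` settings, and contrasts anchored patterns with a sloppy policy. The `Policy` type, the `StrictPolicy` and `SloppyPolicy` functions and their pattern values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// AllowList models the allow-list semantics described above: a list of
// regular expressions, or the single value "none", which matches nothing.
// This is an illustration written for this page, not Hugo's implementation.
type AllowList struct {
	patterns []*regexp.Regexp
}

// NewAllowList compiles the patterns. A lone "none" yields an empty list,
// so Allowed always returns false for it.
func NewAllowList(patterns ...string) (*AllowList, error) {
	al := &AllowList{}
	if len(patterns) == 1 && patterns[0] == "none" {
		return al, nil
	}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("allow list: bad pattern %q: %w", p, err)
		}
		al.patterns = append(al.patterns, re)
	}
	return al, nil
}

// Allowed reports whether v matches any pattern. The match is unanchored
// (regexp.MatchString), which is why safe patterns are written as ^name$.
func (al *AllowList) Allowed(v string) bool {
	for _, re := range al.patterns {
		if re.MatchString(v) {
			return true
		}
	}
	return false
}

// Policy groups the three kinds of access the page mentions. The field
// comments name the Hugo setting each list corresponds to.
type Policy struct {
	ExecAllow   *AllowList // security.exec.allow: external binaries
	FuncsGetenv *AllowList // security.funcs.getenv: readable env vars
	HTTPURLs    *AllowList // security.http.urls: remote fetches
}

// Check returns a descriptive error when the list denies value, mirroring
// the "fail the build with an explanation" behaviour the page describes.
func (p *Policy) Check(setting string, al *AllowList, value string) error {
	if al.Allowed(value) {
		return nil
	}
	return fmt.Errorf("access denied: %q is not matched by %s; add a pattern for it, or leave the setting as none to keep it blocked", value, setting)
}

// StrictPolicy uses anchored patterns and blocks remote fetching entirely
// (assumed example values, not Hugo's defaults).
func StrictPolicy() *Policy {
	execAllow, _ := NewAllowList(`^go$`, `^git$`, `^npx$`)
	getenv, _ := NewAllowList(`^HUGO_`, `^CI$`)
	urls, _ := NewAllowList("none")
	return &Policy{ExecAllow: execAllow, FuncsGetenv: getenv, HTTPURLs: urls}
}

// SloppyPolicy shows the pitfall: unanchored "go" also matches "gopass",
// and ".*" for getenv exposes every secret in the CI environment.
func SloppyPolicy() *Policy {
	execAllow, _ := NewAllowList(`go`)
	getenv, _ := NewAllowList(`.*`)
	urls, _ := NewAllowList(`.*`)
	return &Policy{ExecAllow: execAllow, FuncsGetenv: getenv, HTTPURLs: urls}
}

func main() {
	for name, p := range map[string]*Policy{"strict": StrictPolicy(), "sloppy": SloppyPolicy()} {
		fmt.Println("policy:", name)
		fmt.Println("  exec gopass:", p.Check("security.exec.allow", p.ExecAllow, "gopass"))
		fmt.Println("  getenv AWS_SECRET_ACCESS_KEY:", p.Check("security.funcs.getenv", p.FuncsGetenv, "AWS_SECRET_ACCESS_KEY"))
		fmt.Println("  fetch https://example.org/data.json:", p.Check("security.http.urls", p.HTTPURLs, "https://example.org/data.json"))
	}
}
```

The takeaway for real configurations is the same as in the model: write patterns anchored with `^` and `$`, and use none rather than an empty list when you intend to block a capability outright.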
By default, Hugo permits the resources.GetRemote function to download files whose media types are on an internal allow list; additional media types are added to that list through the `security.http.mediaTypes` setting in the site configuration.
Note that these and other configuration settings in Hugo can be overridden from the OS environment, which is convenient for CI builds. For example, to block all remote HTTP fetching of data for one build:
HUGO_SECURITY_HTTP_URLS=none hugo
Dependency security
Hugo is built as a static binary and uses Go Modules to manage its dependencies. Go Modules have several safeguards, one of them being the go.sum file: a database of the expected cryptographic checksums of all of your dependencies, including transitive dependencies.
Hugo Modules is a feature built on top of Go Modules. Like a Go project, a Hugo project using Hugo Modules has a go.sum file. We recommend that you commit this file to your version control system. The Hugo build fails if there is a checksum mismatch, which would be an indication of dependency tampering.
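To make the checksum mismatch concrete, the following Go program is an added example for this page (not Hugo's or the Go toolchain's code): it reimplements the "h1:" hash format recorded in go.sum, computes it for a constructed two-file module, and shows the verification failing after the module content is altered. The module path `example.com/theme`, the file contents and the go.sum lines are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Module is the unpacked content of a module zip: file name -> bytes.
type Module map[string][]byte

// HashH1 reproduces the "h1:" checksum recorded in go.sum: a SHA-256 over
// the sorted lines "<sha256 of file, hex>  <path>\n", where each path is
// prefixed with "<module>@<version>/" as in the module zip, base64-encoded.
// This is a self-contained reimplementation written for this page.
func HashH1(modPath, version string, m Module) (string, error) {
	names := make([]string, 0, len(m))
	for name := range m {
		if strings.Contains(name, "\n") {
			return "", errors.New("file names containing newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	prefix := modPath + "@" + version + "/"
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(m[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], prefix+name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// ErrChecksumMismatch is returned when the module content does not match
// what go.sum recorded: the signal the page describes as possible tampering.
var ErrChecksumMismatch = errors.New("checksum mismatch")

// VerifyAgainstGoSum looks up "<modPath> <version> h1:..." in goSum and
// compares it with the hash of m. Lines whose version ends in "/go.mod"
// (the hash of the go.mod file alone) have a different version field and
// are therefore skipped.
func VerifyAgainstGoSum(goSum, modPath, version string, m Module) error {
	got, err := HashH1(modPath, version, m)
	if err != nil {
		return err
	}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0] != modPath || f[1] != version {
			continue
		}
		if f[2] != got {
			return fmt.Errorf("%w for %s@%s: go.sum has %s, computed %s", ErrChecksumMismatch, modPath, version, f[2], got)
		}
		return nil
	}
	return fmt.Errorf("no go.sum entry for %s@%s", modPath, version)
}

// sampleModule is a constructed two-file theme module used for the demo.
func sampleModule() Module {
	return Module{
		"go.mod":             []byte("module example.com/theme\n\ngo 1.21\n"),
		"layouts/index.html": []byte("<h1>{{ .Title }}</h1>\n"),
	}
}

func main() {
	const path, ver = "example.com/theme", "v1.0.0"
	m := sampleModule()
	h, _ := HashH1(path, ver, m)
	goSum := fmt.Sprintf("%s %s %s\n", path, ver, h)
	fmt.Print("go.sum:\n", goSum)
	fmt.Println("pristine:", VerifyAgainstGoSum(goSum, path, ver, m))

	// Tampered copy: an extra element injected into a template.
	m["layouts/index.html"] = []byte("<h1>{{ .Title }}</h1><!-- injected -->\n")
	fmt.Println("tampered:", VerifyAgainstGoSum(goSum, path, ver, m))
}
```

Because every file of every module feeds into the hash, a committed go.sum pins the exact bytes of the theme or component you reviewed; a later build against a modified copy, whether from a compromised proxy or a force-pushed tag, fails instead of silently rendering the altered templates.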
Web application security
The security threats relevant here are those defined by OWASP.
For HTML output, this is the core security model:
https://pkg.go.dev/html/template#hdr-Security_Model
In short:
Template and configuration authors (you) are trusted, but the data you send into the templates is not.
This is why you sometimes need to use the safe functions, such as safeHTML, to avoid escaping of data you know is safe.
There is one exception to the above, as noted in the documentation: if you enable inline shortcodes (the `security.enableInlineShortcodes` setting), you also declare that the shortcodes and data handling in content files are trusted, because those macros become part of the template itself rather than data passed into it.
It is worth adding that Hugo is a static site generator with no concept of dynamic user input: everything a template sees comes from your content, data, configuration and any remote resources you choose to fetch at build time.
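The html/template security model above is easiest to see by running it. The following Go program is an added example for this page, not code from Hugo or from the html/template documentation: a trusted template places untrusted values in four different contexts, and the output shows the escaping chosen for each, plus the pass-through that happens when the author marks a value as `template.HTML` (the type Hugo's safeHTML returns). The template, the `Data` type and the sample values are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// page is the trusted part: the template author decides where data goes.
const page = `<h1>{{.Title}}</h1>
<a href="{{.Link}}">more</a>
<script>var q = {{.Query}};</script>
<div>{{.Body}}</div>
`

// Data is the untrusted part. Body is interface{} so the caller can pass
// either a plain string (escaped) or template.HTML (passed through), the
// same type Hugo's safeHTML function returns.
type Data struct {
	Title string
	Link  string
	Query string
	Body  interface{}
}

// Render executes page with d and returns the HTML. html/template picks
// the escaper from the context of each action: HTML text, URL attribute,
// JavaScript value, and so on.
func Render(d Data) (string, error) {
	t, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	untrusted := Data{
		Title: `<script>alert(1)</script>`, // HTML text context: tags are escaped
		Link:  `javascript:alert(1)`,       // URL attribute: unsafe scheme replaced by #ZgotmplZ
		Query: `"; alert(1); "`,            // JavaScript value: emitted as a quoted JS string
		Body:  `<em>from a data file</em>`, // plain string: escaped like Title
	}
	out, err := Render(untrusted)
	if err != nil {
		panic(err)
	}
	fmt.Print("--- untrusted data ---\n", out)

	// The author vouches for this fragment, so it is emitted verbatim.
	trusted := untrusted
	trusted.Body = template.HTML(`<em>marked safe by the author</em>`)
	out, err = Render(trusted)
	if err != nil {
		panic(err)
	}
	fmt.Print("--- Body marked safe ---\n", out)
}
```

The practical rule this illustrates: only wrap a value with safeHTML (or a similar safe function) when you control its source, because the wrapper removes the escaping for that value in every context it is used.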
For content, the default Markdown renderer is configured to remove or escape potentially unsafe content such as raw HTML. This behavior can be reconfigured (the `markup.goldmark.renderer.unsafe` setting) if you trust your content, which means every contributor who can commit Markdown to the site.