Allow whitelisting mediaTypes used in resources.GetRemote

Fixes #10286
gohugoio · May 20, 2023 · 2637b4e · 2637b4e
1 parent 7c7baa6
commit 2637b4e
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 7 deletions.
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
@@ -88,6 +88,9 @@ type HTTP struct {
 
 	// HTTP methods to allow.
 	Methods Whitelist `json:"methods"`
+
+	// Media types where the Content-Type in the response is used instead of resolving from the file content.
+	MediaTypes Whitelist `json:"mediaTypes"`
 }
 
 // ToTOML converts c to TOML with [security] as the root.

diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go
@@ -163,8 +163,10 @@ func TestDecodeConfigDefault(t *testing.T) {
 	c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
 	c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
 	c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
+	c.Assert(pc.HTTP.MediaTypes.Accept("application/msword"), qt.IsFalse)
 
 	c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
 	c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue)
 	c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse)
+
 }
diff --git a/hugolib/securitypolicies_test.go b/hugolib/securitypolicies_test.go
@@ -138,9 +138,9 @@ func TestSecurityPolicies(t *testing.T) {
 		}
 		cb := func(b *sitesBuilder) {
 			b.WithConfigFile("toml", `
-			[security]
-			[security.exec]
-			allow="none"	
+[security]
+[security.exec]
+allow="none"	
 		
 			`)
 			b.WithTemplatesAdded("index.html", `{{ $scss := "body { color: #333; }" | resources.FromString "foo.scss"  | resources.ToCSS (dict "transpiler" "dartsass") }}`)
@@ -166,6 +166,28 @@ func TestSecurityPolicies(t *testing.T) {
 [security]		
 [security.http]
 urls="none"
+`)
+			})
+	})
+
+	c.Run("resources.GetRemote, fake JSON", func(c *qt.C) {
+		c.Parallel()
+		httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, `(?s).*failed to resolve media type.*`,
+			func(b *sitesBuilder) {
+				b.WithConfigFile("toml", `
+`)
+			})
+	})
+
+	c.Run("resources.GetRemote, fake JSON whitelisted", func(c *qt.C) {
+		c.Parallel()
+		httpTestVariant(c, `{{ $json := resources.GetRemote "%[1]s/fakejson.json" }}{{ $json.Content }}`, ``,
+			func(b *sitesBuilder) {
+				b.WithConfigFile("toml", `
+[security]		
+[security.http]
+mediaTypes=["application/json"]
+
 `)
 			})
 	})

diff --git a/hugolib/testdata/fakejson.json b/hugolib/testdata/fakejson.json
diff --git a/resources/resource_factories/create/remote.go b/resources/resource_factories/create/remote.go
@@ -171,10 +171,17 @@ func (c *Client) FromRemote(uri string, optionsm map[string]any) (resource.Resou
 
 	contentType := res.Header.Get("Content-Type")
 
-	if isHeadMethod {
-		// We have no body to work with, so we need to use the Content-Type header.
-		mediaType, _ = media.FromString(contentType)
-	} else {
+	// For HEAD requests we have no body to work with, so we need to use the Content-Type header.
+	if isHeadMethod || c.rs.ExecHelper.Sec().HTTP.MediaTypes.Accept(contentType) {
+		var found bool
+		mediaType, found = c.rs.MediaTypes().GetByType(contentType)
+		if !found {
+			// A media type not configured in Hugo, just create one from the content type string.
+			mediaType, _ = media.FromString(contentType)
+		}
+	}
+
+	if mediaType.IsZero() {
 
 		var extensionHints []string