CREATIVE CHAOS   ▋ blog

Hugo Security Policy

PUBLISHED ON 19/12/2021 — EDITED ON 23/05/2024 — SYSOPS

In version 91.0, Hugo gained some new security related things, that broke my vim editing.

You can read more about it in the official documentation, where you can also find the defaults if you use yaml or json for configuration. I use toml.

When creating a new page, Hugo would break when trying to open vim:

$ hugo new blog/Article.md
Content "/home/b4d/data/site/content/blog/Article.md" created
Editing "/home/b4d/data/site/content/blog/Article.md" with "vim" ...
Error: access denied: "vim" is not whitelisted in policy "security.exec.allow"; the current security configuration is:

[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']

Copy the default policy, add '^vim$' to allow array and add it all to your config.toml:

[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$', '^vim$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']