From c6b3887696162335d806ff25e9b9db27d73611de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?=
 <bjorn.erik.pedersen@gmail.com>
Date: Tue, 17 Jan 2023 10:52:51 +0100
Subject: [PATCH] config/security: Add O\w+ (e.g. GOROOT) to the default
 allowed list

Fixes #10429
---
 config/security/securityConfig.go      | 2 +-
 config/security/securityConfig_test.go | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
index 979c40125..4b0e07086 100644
--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -42,7 +42,7 @@ var DefaultConfig = Config{
 		),
 		// These have been tested to work with Hugo's external programs
 		// on Windows, Linux and MacOS.
-		OsEnv: NewWhitelist("(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM)$"),
+		OsEnv: NewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`),
 	},
 	Funcs: Funcs{
 		Getenv: NewWhitelist("^HUGO_", "^CI$"),
diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go
index c34af9efa..55409e318 100644
--- a/config/security/securityConfig_test.go
+++ b/config/security/securityConfig_test.go
@@ -140,7 +140,7 @@ func TestToTOML(t *testing.T) {
 	got := DefaultConfig.ToTOML()
 
 	c.Assert(got, qt.Equals,
-		"[security]\n  enableInlineShortcodes = false\n\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_', '^CI$']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
+		"[security]\n  enableInlineShortcodes = false\n\n  [security.exec]\n    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n  [security.funcs]\n    getenv = ['^HUGO_', '^CI$']\n\n  [security.http]\n    methods = ['(?i)GET|POST']\n    urls = ['.*']",
 	)
 }
 
@@ -163,4 +163,8 @@ func TestDecodeConfigDefault(t *testing.T) {
 	c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
 	c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
 	c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
+
+	c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
+	c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue)
+	c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse)
 }