GOROOT should be in the default security config #10429

Closed
i-am-david-fernandez opened this issue Nov 10, 2022 · 3 comments

i-am-david-fernandez commented Nov 10, 2022

It appears that, since v0.91.1, the change made here v0.90.1...v0.91.0#diff-f05a06652ef1b9e80126ab646b8d1e1231b91c8baf067e5755398cd622adbd86R95

causes hugo to no longer honour/use GOROOT, if it is defined, meaning that, for me at least, in Windows with Go installed to a location other than the hardcoded default of "C:\go", hugo fails to perform operations such as "serve" that try to call go under the hood.

(I should stress that I think that's the root cause; it looks like it would be, as it appears to set/create the environment from scratch rather than build on the existing environment, but I have not tested this in a coding sense).

In v0.90.1-extended, things seem to work, but from 0.91.0 onwards (I have tried 0.91.1, 0.92.0, 0.93.0, 0.95.0 and 0.105.0, all "extended" variants), the problem occurs.

The error appears as follows:

```
❯ hugo-v0.91.0extended.exe serve
go: cannot find GOROOT directory: c:\go
Error: failed to download modules: failed to execute 'go [mod download]': failed to execute binary "go" with args [mod download]: go: cannot find GOROOT directory: c:\go
 *errors.errorString
```

while go env shows this (redacted and truncated):

```
❯ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=C:\Anaconda\x86_64\envs\dev-go\gobin
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Anaconda\x86_64\envs\dev-go\gopath\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Anaconda\x86_64\envs\dev-go\gopath
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Anaconda\x86_64\envs\dev-go\go
```

which clearly indicates that GOROOT is set to something very different to "c:\go"

I am using go version 1.19.1:

```
❯ go version
go version go1.19.1 windows/amd64
```

It's a bit old, and I cannot find the related info on the official Golang documentation pages, but this post (https://stackoverflow.com/a/31101257) suggests that, when Go is installed in Windows via the archive, GOROOT must be set correctly.

Member

bep commented Nov 10, 2022

Thanks for the detailed report. We added a security configuration. The default setup has worked great for me on most MacOS/Linux setups, but I'll admit that I don't use Windows that much (we have passing tests, though, so it's not failing everywhere).

Could you test by adding something like this to your config.toml (note the extra GO*)?

```toml
[security]
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO*)$']
```

You could also set this as an OS env on your PC:

```
HUGO_SECURITY_EXEC_OSENV=(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM|GO*)$
```

bep removed the NeedsTriage label Nov 10, 2022
bep added this to the v0.106.0 milestone Nov 10, 2022
bep changed the title from "GOROOT env var not honoured." to "GOROOT should be in the default security config" Nov 10, 2022
Author

i-am-david-fernandez commented Nov 10, 2022

Hi @bep ,

Thanks for the (very) rapid response!

I can confirm that, with a minor tweak (missing . between GO and * in the regexp, i.e., GO.*), what you've suggested works, both via config and the env variable.

Is there (currently) a way to get Hugo to simply print its working environment, similar to what go env does? This would have been quite useful here, though perhaps such functionality is too specific to be of broader use and warrant inclusion.

For future readers, the relevant part of the Hugo documentation on this stuff is here: Hugo's Security Model | Hugo

bep modified the milestones: v0.106.0, v0.107.0 Nov 18, 2022
bep modified the milestones: v0.107.0, v0.108.0 Dec 3, 2022
bep modified the milestones: v0.108.0, v0.109.0 Dec 14, 2022
bep closed this as completed in c6b3887 Jan 17, 2023
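
An added example (not from the thread or from Hugo's code base) that runs both allowlist patterns quoted above over a constructed environment, showing why GOROOT was withheld until `GO*` became `GO.*`. `allowedKeys` and `sampleEnv` are hypothetical names, and matching the pattern against the variable name only is an assumption about how `osEnv` is applied.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns quoted from the thread: the one first suggested, and the same
// pattern with the reporter's "GO.*" correction.
const (
	suggested = `(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO*)$`
	corrected = `(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO.*)$`
)

// Constructed sample environment; the GOROOT and GOPROXY values are the ones
// in the reporter's `go env` output, the other entries are made up.
var sampleEnv = []string{
	`PATH=C:\Windows\system32`,
	`TEMP=C:\Temp`,
	`GOROOT=C:\Anaconda\x86_64\envs\dev-go\go`,
	`GOPROXY=https://proxy.golang.org,direct`,
	`API_TOKEN=constructed-secret`,
}

// allowedKeys returns the names of the variables that match the allowlist
// pattern. Assumption: the pattern is applied to the variable name only and
// every non-matching variable is withheld from the child process.
func allowedKeys(pattern string, environ []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var keys []string
	for _, kv := range environ {
		key, _, ok := strings.Cut(kv, "=")
		if ok && re.MatchString(key) {
			keys = append(keys, key)
		}
	}
	return keys, nil
}

func main() {
	for _, p := range []string{suggested, corrected} {
		keys, err := allowedKeys(p, sampleEnv)
		fmt.Println(p, "->", keys, err)
	}
}
```

`GO.*` admits every variable whose name starts with GO, including GOFLAGS and GOPROXY from the `go env` listing above, so an explicit alternation of the names actually needed is the narrower choice.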
github-actions bot commented Feb 8, 2023

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Feb 8, 2023