Add support for a flag to disable symlink checking / no-symlink enforcement #9842

Closed
lewish opened this issue Apr 28, 2022 · 9 comments

lewish commented Apr 28, 2022

Current version of hugo checks for symlinks in a number of folders and throws an error: `Unsupported symlink found` when it does so.

This was done for security reasons, AIUI - #6225 for context.

This makes hugo practically impossible to use with Bazel, which we, and it seems some others, would like to do.

I would like to propose a command line flag to disable the symlink checking, that a user may use at their own risk, e.g:

```
hugo --allowSymlinks
```

I have this working on my own fork with Bazel, and as a proof of concept this all appears to work fine. Would the team be open to this CLI option?

Member

bep commented Apr 28, 2022

> This was done for security reasons

There are currently two areas which currently do not support

  1. The static file system, as the library used to sync those folders does not support symlinks.
  2. Themes/theme components -- for security reasons.

I suspect that we could improve the first one (as in, remove the NewNoSymlinkFs wrapper that throws these errors).

> This makes hugo practically impossible to use with Bazel.

It is not clear why this is, but Bazel is an open source project, have you reached out to that project and asked them to make adjustments?


trygvis commented May 4, 2022

@lewish I just ran into the same issue. I ended up making a temporary directory, copying everything over while resolving symlinks and ran hugo on the result. Cumbersome but my site is quite small so it's ok.

@bep I doubt that Bazel will change, they use the symlinks to create restricted environments for builds. The environments only include what has been explicitly declared as files/targets that they consume as a technique to make as reproducible builds as possible.
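
As an added example (not part of the thread and not Hugo's code): before using the copy-and-resolve workaround described above, a build step can list every symlink in the site tree and flag those whose targets resolve outside it, since a dereferencing copy would pull that outside content into the build. `Finding` and `AuditSymlinks` are names made up for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// Finding (a name made up for this example) describes one symlink under root.
type Finding struct {
	Path    string // link location, relative to the resolved root
	Target  string // fully resolved target ("" if the link is broken)
	Escapes bool   // true if the target is outside root or cannot be resolved
}

// AuditSymlinks walks root without following links and reports every symlink.
func AuditSymlinks(root string) ([]Finding, error) {
	realRoot, err := filepath.EvalSymlinks(root) // root itself may be a link
	if err != nil {
		return nil, err
	}
	var out []Finding
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil || d.Type()&fs.ModeSymlink == 0 {
			return werr // propagate walk errors; skip non-symlinks
		}
		rel, _ := filepath.Rel(realRoot, p)
		f := Finding{Path: rel, Escapes: true} // fail closed on broken links
		if target, err := filepath.EvalSymlinks(p); err == nil {
			back, rerr := filepath.Rel(realRoot, target)
			f.Target = target
			f.Escapes = rerr != nil || back == ".." ||
				strings.HasPrefix(back, ".."+string(filepath.Separator))
		}
		out = append(out, f)
		return nil
	})
	return out, err
}

func main() {
	findings, err := AuditSymlinks(".")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %s escapes=%v\n", f.Path, f.Target, f.Escapes)
	}
}
```
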

@autumnull

I am also running into this problem while trying to set up a site on a server with divisions of the site managed by different users.

I was hoping (given #1857) that a partial workaround would be to use the staticDir to set a few of the top-level static directories to be symlinks (but not contain any), but it turns out this also throws an error:

```
Error: add site dependencies: create deps: create PathSpec: build filesystems: create main fs: symlinks not allowed in this filesystem
```

Is there a way that a temporary fix could be made to expand the "resolving symlinks when they're the top-level folder" feature to include multiple staticDirs?

@bep bep removed the NeedsTriage label May 27, 2022
@bep bep modified the milestones: v0.100.0, v0.101.0 May 27, 2022
@bep bep modified the milestones: v0.101.0, v0.102.0 Jun 16, 2022
@bep bep modified the milestones: v0.102.0, v0.103.0 Aug 28, 2022
@bep bep modified the milestones: v0.103.0, v0.104.0 Sep 15, 2022
@bep bep modified the milestones: v0.104.0, v0.105.0 Sep 23, 2022
@bep bep modified the milestones: v0.105.0, v0.106.0 Oct 26, 2022
@bep bep modified the milestones: v0.106.0, v0.107.0 Nov 18, 2022
@bep bep modified the milestones: v0.107.0, v0.108.0 Dec 3, 2022

viperML commented Dec 9, 2022

I just ran into this problem when using Hugo in nix which (ab)uses symlinks. I have no idea why this is a security concern, if you can get around it easily

@bep bep modified the milestones: v0.108.0, v0.109.0 Dec 14, 2022
@bep bep modified the milestones: v0.109.0, v0.111.0, v0.110.0 Jan 26, 2023
@bep bep added this to the v0.115.0 milestone Jun 13, 2023
@bep bep modified the milestones: v0.115.0, v0.116.0 Jun 30, 2023
@bep bep modified the milestones: v0.116.0, v0.117.0 Aug 1, 2023
@bep bep modified the milestones: v0.117.0, v0.118.0 Aug 30, 2023

yuraic commented Aug 31, 2023

Agree as well that having such an option would be very valuable. I need symlinks in the static subfolder and want to avoid manually copying files into it every time anything changes to rebuild the website.

@jmooring
Member

@yuraic The idiomatic way to handle this is with mounts, but perhaps your situation is different.

```toml
[[module.mounts]]
source = 'static'
target = 'static'

[[module.mounts]]
source = '/home/user/foo'
target = 'static'
```


yuraic commented Aug 31, 2023

> @yuraic The idiomatic way to handle this is with mounts, but perhaps your situation is different.
>
> ```toml
> [[module.mounts]]
> source = 'static'
> target = 'static'
>
> [[module.mounts]]
> source = '/home/user/foo'
> target = 'static'
> ```

This works, indeed! And it solves my problem. Thank you, @jmooring :)

@bep bep modified the milestones: v0.118.0, v0.119.0 Sep 15, 2023
@bep bep modified the milestones: v0.119.0, v0.120.0 Oct 5, 2023
@bep bep modified the milestones: v0.120.0, v0.121.0 Oct 31, 2023
@bep bep modified the milestones: v0.121.0, v0.122.0 Dec 6, 2023
@bep bep modified the milestones: v0.122.0, v0.123.0, v0.124.0 Jan 27, 2024
@bep bep modified the milestones: v0.124.0, v0.125.0 Mar 4, 2024
@jmooring
Member

This is no longer relevant. We removed symlink support in v0.123.0. Use mounts instead.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2024