Hugo mod vendor: not working on Windows (v0.116.0)

deining · July 31, 2023, 3:26pm

How to reproduce

git clone https://github.com/gohugoio/hugoDocs.git
cd hugoDocs
hugo mod vendor

This works fine under Linux with latest released hugo version v0.116.0.

However if I run hugo mod vendor under Windows, I’m getting an error:

C:\Users\adeininger\GitHub\hugoDocs>hugo mod vendor --logLevel info
go: github.com/gohugoio/gohugoioTheme@v0.0.0-20230630055807-9874cd863bc5: invalid version: git ls-remote -q origin in C:\Users\xx\AppData\Local\hugo_cache\modules\filecache\modules\pkg\mod\cache\vcs\9e5a73dca9c7e2dc2c7fb3229c58019935bb92360e5180ff8183a1a74535baf5: exec: "git": executable file not found in %PATH%
hugo: collected modules in 688 ms
Error: failed to load modules: failed to download modules: failed to execute 'go [mod download]': failed to execute binary "go" with args [mod download]: go: github.com/gohugoio/gohugoioTheme@v0.0.0-20230630055807-9874cd863bc5: invalid version: git ls-remote -q origin in C:\Users\xx\AppData\Local\hugo_cache\modules\filecache\modules\pkg\mod\cache\vcs\9e5a73dca9c7e2dc2c7fb3229c58019935bb92360e5180ff8183a1a74535baf5: exec: "git": executable file not found in %PATH%
 *errors.errorString

It complains about git not in the path, but git actually is inside my %PATH%:

git version
git version 2.41.0.windows.1

On Windows, I can reproduce this with Powershell, cmd DOS box and Git bash. WIth Git bash, the error message is different (and more obscure):

$ hugo mod vendor
go: open C:\Windows\go-codehost-4078174350: Access is denied.
hugo: collected modules in 722 ms
Error: failed to load modules: failed to download modules: failed to execute 'go [mod download]': failed to execute binary "go" with args [mod download]: go: open C:\Windows\go-codehost-4078174350: Access is denied.
 *errors.errorString

With hugo version v101.0, I can run the command successfully on Windows, too.

Is this a regression?

jmooring · July 31, 2023, 8:12pm

It started to fail with v0.110.0 (v0.109.0 works as expected).

  [exec]
    allow = ['^go$']
    osEnv = ['^PATH|GO\w+$']

And let me know what you find.

deining · August 1, 2023, 7:44am

jmooring:

@deining In your clone of the docs repo, please edit config\_default\security.toml:
  [exec]
    allow = ['^go
And let me know what you find.]
osEnv = ['^PATH|GO\w+
And let me know what you find.]
And let me know what you find.

I put the provided settings in place and it didn’t immediately solve the problem.

Out of curiosity, I put these permissive settings in place:

  [exec]
    allow = ['.*']
    osEnv = ['.*']

WIth these settings, I could run hugo mod vendor without errors for the first time, so yes, my problems where/are definitely security related.

Now the strange thing: I reverted to the original repo settings, and I still can run the command without errors. This is weird. Are these settings are stored/cached anywhere? My problem is essentially solved, but it’s unclear to me what happened behind the scenes.

bep · August 1, 2023, 7:51am

I’m guessing here, but to me it sounds like a caching thing:

You adjusted the security settings, then it worked, and now the modules in question is in cache
You reverted the setting, reran the command, it’s in cache, so Git is not needed.

deining · August 1, 2023, 10:04am

You were totally right here, thanks for guiding me in the right direction.

I was able to track it down: Windows systems need access to the TMP env variable. So with this setting, everything works fine, both on Linux and on Windows systems:

 [exec]
   allow = ['^go$']
   osEnv = ['^PATH|TMP$']

bep · August 1, 2023, 10:21am

Hmm… But the above should be covered by the default settings:

github.com

gohugoio/hugo/blob/239f2e2c99b387a632cc4e9534c2ac726a7831fa/config/security/securityConfig.go#L45


      
          var DefaultConfig = Config{
          	Exec: Exec{
          		Allow: MustNewWhitelist(
          			"^(dart-)?sass(-embedded)?$", // sass, dart-sass, dart-sass-embedded.
          			"^go$",                       // for Go Modules
          			"^npx$",                      // used by all Node tools (Babel, PostCSS).
          			"^postcss$",
          		),
          		// These have been tested to work with Hugo's external programs
          		// on Windows, Linux and MacOS.
          		OsEnv: MustNewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$`),
          	},
          	Funcs: Funcs{
          		Getenv: MustNewWhitelist("^HUGO_", "^CI$"),
          	},
          	HTTP: HTTP{
          		URLs:    MustNewWhitelist(".*"),
          		Methods: MustNewWhitelist("(?i)GET|POST"),
          	},
          }

deining · August 1, 2023, 11:30am

Yes, that’s true, but in the scenario I dealt with, those default settings were overwritten by much more restrictive project settings:

 [exec]
   allow = ['^go$']
   osEnv = ['^PATH$']

system · August 3, 2023, 11:31am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to run server using win-64 binary - go executable not found support	2	562	March 9, 2022
Error: failed to load modules support modules	24	3803	August 3, 2023
Hugo mod failing in v0.91.1 but works in v0.91.0 support security	7	3066	December 23, 2021
Issue in deploying the theme "theme-academic-cv-main" locally support	1	210	April 5, 2024
Windows Terminal Not Working support	2	2349	July 14, 2016

Hugo mod vendor: not working on Windows (v0.116.0)

How to reproduce

Related topics