hledger/hledger-web/hledger-web.cabal

250 lines
7.2 KiB
Plaintext
Raw Normal View History

cabal-version: 1.12
-- This file has been generated from package.yaml by hpack version 0.34.4.
--
-- see: https://github.com/sol/hpack
name: hledger-web
2021-12-02 06:16:28 +03:00
version: 1.24
2020-03-22 20:49:49 +03:00
synopsis: Web-based user interface for the hledger accounting system
description: A simple web-based user interface for the hledger accounting system,
providing a more modern UI than the command-line or terminal interfaces.
It can be used as a local single-user UI, or as a multi-user UI for
viewing\/adding\/editing on the web.
.
2020-03-22 20:49:49 +03:00
hledger is a robust, cross-platform set of tools for tracking money,
time, or any other commodity, using double-entry accounting and a
simple, editable file format, with command-line, terminal and web
interfaces. It is a Haskell rewrite of Ledger, and one of the leading
implementations of Plain Text Accounting. Read more at:
<https://hledger.org>
category: Finance
stability: stable
homepage: http://hledger.org
2015-10-30 23:08:03 +03:00
bug-reports: http://bugs.hledger.org
author: Simon Michael <simon@joyful.com>
maintainer: Simon Michael <simon@joyful.com>
license: GPL-3
license-file: LICENSE
build-type: Simple
tested-with:
2021-08-04 10:05:29 +03:00
GHC==8.8.4, GHC==8.10.4, GHC==9.0.1
extra-source-files:
2019-01-26 05:33:26 +03:00
CHANGES.md
2020-03-22 19:08:29 +03:00
README.md
config/favicon.ico
config/keter.yaml
config/robots.txt
config/routes
config/settings.yml
static/css/bootstrap-datepicker.standalone.min.css
static/css/bootstrap-theme.css
static/css/bootstrap-theme.min.css
static/css/bootstrap.css
static/css/bootstrap.min.css
static/css/bootstrap-theme.css.map
static/css/bootstrap.css.map
static/fonts/glyphicons-halflings-regular.eot
static/fonts/glyphicons-halflings-regular.svg
static/fonts/glyphicons-halflings-regular.ttf
static/fonts/glyphicons-halflings-regular.woff
static/hledger.css
static/hledger.js
static/js/bootstrap-datepicker.min.js
static/js/bootstrap.js
static/js/bootstrap.min.js
static/js/excanvas.js
static/js/excanvas.min.js
static/js/jquery.cookie.js
static/js/jquery.flot.canvas.js
static/js/jquery.flot.canvas.min.js
static/js/jquery.flot.categories.js
static/js/jquery.flot.categories.min.js
static/js/jquery.flot.crosshair.js
static/js/jquery.flot.crosshair.min.js
static/js/jquery.flot.errorbars.js
static/js/jquery.flot.errorbars.min.js
static/js/jquery.flot.fillbetween.js
static/js/jquery.flot.fillbetween.min.js
static/js/jquery.flot.image.js
static/js/jquery.flot.image.min.js
static/js/jquery.flot.js
static/js/jquery.flot.min.js
static/js/jquery.flot.navigate.js
static/js/jquery.flot.navigate.min.js
static/js/jquery.flot.pie.js
static/js/jquery.flot.pie.min.js
static/js/jquery.flot.resize.js
static/js/jquery.flot.resize.min.js
static/js/jquery.flot.selection.js
static/js/jquery.flot.selection.min.js
static/js/jquery.flot.stack.js
static/js/jquery.flot.stack.min.js
static/js/jquery.flot.symbol.js
static/js/jquery.flot.symbol.min.js
static/js/jquery.flot.threshold.js
static/js/jquery.flot.threshold.min.js
static/js/jquery.flot.time.js
static/js/jquery.flot.time.min.js
static/js/jquery.flot.tooltip.js
static/js/jquery.flot.tooltip.min.js
static/js/jquery.hotkeys.js
static/js/jquery.js
static/js/jquery.min.js
static/js/jquery.url.js
static/js/typeahead.bundle.js
static/js/typeahead.bundle.min.js
templates/add-form.hamlet
templates/balance-report.hamlet
templates/chart.hamlet
templates/default-layout-wrapper.hamlet
templates/default-layout.hamlet
templates/edit-form.hamlet
templates/journal.hamlet
templates/manage.hamlet
templates/register.hamlet
templates/upload-form.hamlet
hledger-web.1
hledger-web.txt
hledger-web.info
source-repository head
type: git
location: https://github.com/simonmichael/hledger
flag dev
description: Turn on development settings, like auto-reload templates.
manual: False
default: False
flag library-only
description: Build for use with "yesod devel"
manual: False
default: False
flag threaded
description: Build with support for multithreaded execution.
manual: False
default: True
library
exposed-modules:
Hledger.Web
Hledger.Web.Application
Hledger.Web.Foundation
Hledger.Web.Handler.AddR
Hledger.Web.Handler.EditR
Hledger.Web.Handler.JournalR
Hledger.Web.Handler.MiscR
Hledger.Web.Handler.RegisterR
Hledger.Web.Handler.UploadR
Hledger.Web.Import
Hledger.Web.Main
Hledger.Web.Settings
Hledger.Web.Settings.StaticFiles
Hledger.Web.Test
Hledger.Web.WebOptions
Hledger.Web.Widget.AddForm
Hledger.Web.Widget.Common
other-modules:
Paths_hledger_web
hs-source-dirs:
./
ghc-options: -Wall -fwarn-tabs -Wcompat -Wincomplete-uni-patterns -Wincomplete-record-updates -Wredundant-constraints
2021-12-02 06:16:28 +03:00
cpp-options: -DVERSION="1.24"
build-depends:
Decimal >=0.5.1
, aeson >=1
2021-08-04 10:05:29 +03:00
, base >=4.11 && <4.16
fix: web: b64 encode user controlled input (#1525) This fixes a reported Stored XSS vulnerability in toBloodhoundJson by encoding the user-controlled values in this payload into base64 and parsing them with atob. In my exploration of the vulnerability with various payloads I and others crafted, it would appear that this is the only available XSS in hledger-web in relation to stored accounts and transaction details. If there is other parts of the UI which may contain user-controlled data, they should be examined for similar things. In this instance, protections provided by yesod and other libraries worked fine, but in a bit of code that hledger-web was generating, the user could insert a </Script> tag (which is valid HTML and equivalent to </script> but not caught by the T.Replace that existed in toBloodhoundJson) in order to switch out of a script context, allowing the parser to be reset, and for arbitrary JavaScript to run. The real fix is a bit more involved, but produces much better results: Content-Security-Policy headers should be introduced, and using sha256-<hash of script> or a different algorithm, they should be marked as trusted in the header. This way, if the (in-browser) parser and hledger-web generator disagree on the source code of the script, the script won't run. Note that this would still be susceptible to attacks that involve changing the script by escaping from the string inside it or something similar to that, which can be avoided additionally by using either the method used in this commit, or a proper JSON encoder. The second approach has the advantage of preventing further XSS, to the extent specified above, in practice, a combination of both should be used, b64 for embedded data and the CSP sha256-hash script-src over everything else, which will eliminate all injected or malformed script blocks (via CSP), in combination with eliminating any HTML closing tags which might occur in stored data (via b64). This vulnerability appears to have been first introduced when autocompletion was added in hledger-web, git tag hledger-0.24, commit hash: ec51d28839b2910eea360b1b8c72904b51cf7821 Test payload: </Script><svg onload=alert(1)//> Closes #1525
2021-08-22 14:58:46 +03:00
, base64
, blaze-html
, blaze-markup
, bytestring
, case-insensitive
, clientsession
2017-12-31 21:03:50 +03:00
, cmdargs >=0.10
, conduit
, conduit-extra >=1.1
2021-03-29 18:19:54 +03:00
, containers >=0.5.9
, data-default
2020-09-12 02:59:53 +03:00
, directory >=1.2.3.0
2020-01-04 09:09:01 +03:00
, extra >=1.6.3
, filepath
, hjsmin
2021-12-02 06:16:28 +03:00
, hledger ==1.24.*
, hledger-lib ==1.24.*
, hspec
, http-client
, http-conduit
, http-types
2021-10-04 11:56:02 +03:00
, megaparsec >=7.0.0 && <9.3
, mtl >=2.2.1
, network
2017-12-31 21:03:50 +03:00
, shakespeare >=2.0.2.2
, template-haskell
2017-12-31 21:03:50 +03:00
, text >=1.2
, time >=1.5
, transformers
, unix-compat
, unordered-containers
, utf8-string
, wai
, wai-cors
, wai-extra
, wai-handler-launch >=3.0.3
, warp
, yaml
, yesod >=1.4 && <1.7
, yesod-core >=1.4 && <1.7
, yesod-form >=1.4 && <1.8
, yesod-static >=1.4 && <1.7
, yesod-test
if (flag(dev)) || (flag(library-only))
cpp-options: -DDEVELOPMENT
if flag(dev)
ghc-options: -O0
default-language: Haskell2010
executable hledger-web
main-is: main.hs
other-modules:
Paths_hledger_web
hs-source-dirs:
app
ghc-options: -Wall -fwarn-tabs -Wcompat -Wincomplete-uni-patterns -Wincomplete-record-updates -Wredundant-constraints
2021-12-02 06:16:28 +03:00
cpp-options: -DVERSION="1.24"
build-depends:
base
, hledger-web
if (flag(dev)) || (flag(library-only))
cpp-options: -DDEVELOPMENT
if flag(dev)
ghc-options: -O0
if flag(library-only)
buildable: False
if flag(threaded)
ghc-options: -threaded
default-language: Haskell2010
test-suite test
type: exitcode-stdio-1.0
main-is: test.hs
hs-source-dirs:
test
ghc-options: -Wall -fwarn-tabs -Wcompat -Wincomplete-uni-patterns -Wincomplete-record-updates -Wredundant-constraints
2021-12-02 06:16:28 +03:00
cpp-options: -DVERSION="1.24"
build-depends:
base
, hledger
, hledger-lib
, hledger-web
, hspec
, text
, yesod
, yesod-test
if (flag(dev)) || (flag(library-only))
cpp-options: -DDEVELOPMENT
if flag(dev)
ghc-options: -O0
default-language: Haskell2010