Commit Graph

209 Commits

Author SHA1 Message Date
Simon Michael
611bd1534f dev: web: fix build with ghc <9.2 2024-09-30 15:42:41 -10:00
Simon Michael
69d311a9b7 dev: support ghc 9.10 2024-09-30 10:30:07 -10:00
Simon Michael
c079725836 ;pkg: bump version to 1.40.99 2024-09-09 14:06:06 -07:00
Simon Michael
aec28842c7 ;pkg: bump version to 1.34.99 2024-06-01 13:30:20 -10:00
Simon Michael
d17b32c7eb imp: cli,ui,web: support ghc-debug for analysing memory/profile info
When built with the ghcdebug flag and started with --debug=-1 (or -2
to pause at startup, or -3 to pause before exit), hledger can be
controlled by ghc-debug clients like ghc-debug-brick or a custom
ghc-debug query script.

Also, refactor version string code.
2024-05-01 13:43:04 -10:00
Simon Michael
23d13c9a9f imp: web: support base64 >=1.0 2024-04-25 06:51:34 -10:00
Simon Michael
f5c4d99291 ;pkg: bump version to 1.33.99 2024-04-18 13:33:42 -10:00
Simon Michael
d755699c9b imp:stats: also show RTS memory usage stats 2024-02-29 01:07:04 -10:00
Simon Michael
3798a3baef pkg: require safe >=0.3.20, for ghc 9.8 head/tail helpers 2024-02-28 14:39:53 -10:00
Simon Michael
17817650da ;fix:pkg:web: set upper bound to exclude base64 1.0 [#2166] 2024-02-18 14:57:46 -10:00
Simon Michael
2a99b3d456 imp: stack: build with ghc 9.8, latest stackage nightly 2024-01-04 08:24:50 -10:00
Simon Michael
a3290bfaeb pkg: allow megaparsec 9.6* 2023-12-14 08:57:42 -10:00
Simon Michael
80d1da2db9 ;pkg: bump version to 1.32.99 2023-12-02 09:09:07 -10:00
Simon Michael
e2cc2d7e24 feat:print: add a basic beancount output format
This prints journal output more likely (but not guaranteed) to
be readable by Beancount.

All packages now require text 1.2.4.1 or greater.
2023-11-22 22:57:36 -10:00
Simon Michael
fef3413c51 pkg:web: clean up some apparently redundant declarations and deps 2023-11-07 09:06:58 -08:00
Simon Michael
95d33f20f6 imp:web: access control UX cleanups (fix #834)
Changes:

1. rename the sandstorm "manage" permission to "edit"
(old permission names: view, add, manage;
 new permission names: view, add, edit).

Rationale: "edit" best describes this permission's current powers, to users and to operators.
If we ever added more manager-type features we'd want that to be a new permission,
not a rename of the existing one (which would change the powers of existing users).

2. rename the sandstorm roles for consistency with permissions
(old role names: viewer, editor, manager;
 new role names: viewer, adder, editor)

Rationale: it's needed to avoid confusion.

3. add a new option: --allow=view|add|edit|sandstorm (default: add).
'sandstorm' sets permissions according to the X-Sandstorm-Permissions header.
Drop the --capabilities and --capabilities-header options.

Rationale: it's simpler and more intuitive.

4. replace "capability" with "permission" in ui/docs/code.

Rationale: consistent with the above, more familiar.
2023-10-24 13:37:36 +01:00
Simon Michael
2e06c8dc27 ;doc: package description cleanups 2023-10-04 10:03:35 +01:00
Simon Michael
40037afaf1 lib!: export less from cli and web packages, and more from ui 2023-10-04 10:03:35 +01:00
Simon Michael
6f7c331ace ;pkg: bump version to 1.31.99 2023-09-11 09:56:34 +01:00
Simon Michael
9c4235bf88 pkg: allow megaparsec 9.5 2023-09-03 08:23:43 +01:00
Simon Michael
1a0b745c28 pkg: add support for aeson 2.2, add upper bound 2023-07-01 08:14:23 -10:00
Simon Michael
1bd1c55bd6 ;pkg: update tested-with 2023-07-01 07:34:46 -10:00
Simon Michael
110861ee83 ;pkg: allow megaparsec 9.4 2023-06-16 12:11:08 -10:00
Simon Michael
9ae87a73fa ;pkg: bump version to 1.30.99 2023-06-01 16:34:52 -10:00
Simon Michael
44805f96ef ;dev: ui, web: fixes for ghc 9.6; cleanup (#2011) 2023-03-15 20:43:51 -10:00
Simon Michael
a0ca339c46 ;pkg: bump version to 1.29.99 2023-03-11 13:27:25 -10:00
Simon Michael
d0eaa8cf5a dev: force megaparsec 9.3 in stack build plans where supported
For the useful dbg tool.
2022-12-22 20:31:47 -10:00
Simon Michael
e9e8f350f2 dev: require megaparsec 9.3+ in dev build, for its useful dbg tool
The 9.3 version works with our parsers.
2022-12-22 19:25:57 -10:00
Simon Michael
740ea50e4c ;pkg: bump version to 1.28.99 2022-12-01 12:23:10 -08:00
Simon Michael
fa8f6ae302 lib: Debug: breakpoint doesn't support windows yet, drop for now 2022-12-01 12:20:29 -08:00
Felix Yan
66b51472f2 Allow megaparsec 9.3
Builds fine and all tests pass.
2022-11-30 05:12:04 -05:00
Simon Michael
3a6955d3e2 dev: add stack9.4.yaml for building with latest nightly/ghc 9.4.3 2022-11-25 23:45:17 -05:00
Simon Michael
e5bb4f0b66 ;pkg: bump version to 1.27.99 2022-09-01 18:37:40 -07:00
Simon Michael
0c8582dbc7 pkg: web: start a common deps list, add breakpoint to other components 2022-08-23 02:02:19 +01:00
Simon Michael
9584ebb439 imp: lib: Hledger.Utils.Debug: re-export Debug.Breakpoint
And add breakpoint as a dependency and enable its GHC plugin in all
the hledger packages, so that breakpoint's helpers can be used easily.
2022-08-23 02:02:19 +01:00
Simon Michael
6a4680d561 imp: pkg: drop support for GHC 8.6 and 8.8
Slightly motivated by a desire to depend on the new breakpoint
library, which requires GHC 8.10+. With GHC 9.0 in Debian,
it seems time to drop these.
2022-08-23 02:02:19 +01:00
Simon Michael
3e728b1d36 ;pkg: bump version to 1.26.99 2022-06-05 00:32:18 +01:00
Simon Michael
db1818ac4a imp: consistent ghc warnings 2022-03-26 08:27:29 -10:00
Simon Michael
d9ecd1eb9d imp: update to modern warning flags 2022-03-25 20:28:34 -10:00
Simon Michael
5aab2cbf40 ;pkg: bump version to 1.25.99 2022-03-05 13:24:48 -10:00
Simon Michael
35c1c9b6a2 pkg: progress towards supporting GHC 9.2 and newer libs (#1774)
hledger-lib builds, hledger's deps don't (shakespeare).
2021-12-06 12:32:50 -10:00
Simon Michael
66619803b7 ;pkg: bump version to 1.24.99 2021-12-01 22:16:37 -10:00
Simon Michael
387325b59e ;pkg: bump version to 1.24 2021-12-01 17:16:28 -10:00
Simon Michael
69905dbc25 ;pkg: allow megaparsec 9.2 2021-10-03 22:55:10 -10:00
Simon Michael
8934c115bd ;pkg: bump version to 1.23.99 2021-09-24 12:22:15 -10:00
Simon Michael
19950df745 ;pkg: bump version to 1.23 2021-09-21 15:34:23 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there is other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above, in practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Simon Michael
f51ea92cfc deps: require base >=4.11, prevent red squares on hackage matrix
We officially support GHC 8.6+ (and 8.8+ for hledger-web) now.
Hackage matrix builder shows all packages building successfully
with GHC 8.4+, somehow, so we'll adjust the base bound to
allow that but prevent any attempts to build with older GHCs,
2021-08-03 21:05:02 -10:00
Simon Michael
2a39497e21 pkg: add tested-with GHC 9.0.1 2021-08-03 20:52:05 -10:00
Simon Michael
6665ddfb9b ;pkg: bump version to 1.22.99 2021-08-03 00:24:20 -10:00