Commit Graph

10069 Commits

Author SHA1 Message Date
Stephen Morgan
32dad455fd cln: hlint: Clean up section related warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
1a534e485c cln: hlint: Use fewer imports. 2021-08-27 06:13:56 -10:00
Stephen Morgan
761e00caa4 cln: hlint: Clean up lambda related warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
8bf7c95697 cln: hlint: Clean up Functor related hlint warnings, and NOINLINE warning. 2021-08-27 06:13:56 -10:00
Stephen Morgan
21e62ffcbd cln: hlint: Remove unless and $> warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
beecb3c9ac cln: hlint: Clean up list related hlint warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
22db5c4a3f cln: hlint: Remove warnings to use library list functions. 2021-08-27 06:13:56 -10:00
Stephen Morgan
330c21659f cln: hlint: Clean up Maybe related hlint warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
e13239386f cln: hlint: Clean up == and elem related hlint warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
82872d261a cln: hlint: Remove miscellaneous hlint warnings which are no longer tripped. 2021-08-26 21:00:35 -10:00
Stephen Morgan
3431b1b0d9 cln: hlint: Clean up map-fusion related hlint warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
eb6047e81b cln: hlint: Remove redundant where and lambda warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
71032c637e cln: hlint: Remove cons warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
435fbf001e cln: hlint: Remove <|> and bimap warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
46b0745412 cln: hlint: Remove Either and Bifunctor related warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
69502c44fe cln: hlint: Fix record patterns warnings. 2021-08-26 21:00:35 -10:00
Stephen Morgan
1c211f8ab8 cln: hlint: Fix redundant return warning. 2021-08-26 21:00:35 -10:00
Simon Michael
8bf7cd30ae ;doc: update changelogs 2021-08-26 20:59:45 -10:00
Simon Michael
405fdf7afe ;doc: forecasting: tweak, report-intervals 2021-08-26 20:41:30 -10:00
Simon Michael
05603ee28f ;doc: forecasting: tweak, mdbook/commonmark eats the required double space 2021-08-26 20:39:14 -10:00
Simon Michael
5a6098b7cd ;doc: rewrite forecasting doc, sync with #1667 2021-08-26 20:33:08 -10:00
Stephen Morgan
16b4702dce fix: ui: Ensure that forecast_ argument gets restored to the startup
opts when toggling.
2021-08-26 20:32:30 -10:00
Stephen Morgan
c07ad29a87 imp!: forecast: Implements more intuitive logic for the forecast interval. (#1648)
The forecast period begins on:
- the start date supplied to the `--forecast` argument, if present
- otherwise, the later of
  - the report start date if specified with -b/-p/date:
  - the day after the latest normal (non-periodic) transaction in the journal, if any
- otherwise today.
It ends on:
- the end date supplied to the `--forecast` argument, if present
- otherwise the report end date if specified with -e/-p/date:
- otherwise 180 days (6 months) from today.

Note that the previous behaviour did not quite match the documentation,
so this also acts as a bug fix for #1665.
2021-08-26 20:32:30 -10:00
Stephen Morgan
65e10aebd2 dev: test: Convert forecast.test to shelltestrunner format 3
We'll soon implement some tests that have the same input, so this will
reduce duplication.
2021-08-26 20:32:30 -10:00
Simon Michael
092e9479f0 ;ui: update forecast example journal and hledger-ui forecast tests
Related to #1667.
2021-08-26 19:51:01 -10:00
Simon Michael
76a6c5fe4f ;ui: test: cleanup, remove non-working test attempts 2021-08-26 19:50:57 -10:00
Stephen Morgan
aa7a99a437 cln: hlint: Fix hlint warnings in Query.hs. 2021-08-26 07:23:11 -10:00
Stephen Morgan
d13ce0e134 cln: hlint: Remove Unused LANGUAGE pragma ignore. 2021-08-26 07:23:11 -10:00
Stephen Morgan
7edcbe4be8 cln: hlint: Remove rendundant guard warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
e666bbcaf0 cln: hlint: Fix newtype warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
1e69fd81ea cln: hlint: Remove if warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
d2beb89eba cln: hlint: Remove exitSuccess warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
119e20aa36 cln: hlint: Remove guards warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
5906959882 cln: hlint: Remove redundant case warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
fed75c58e9 cln: hlint: Clean up hlint warnings not already ignored in hlint.yaml. 2021-08-25 20:44:36 -10:00
Stephen Morgan
063aaf35b5 cln: hlint: Rename pattern variables to avoid hlint parsing errors. 2021-08-25 20:44:36 -10:00
Simon Michael
03db46cc81 ;doc: close: mention another cause of non-zero bse 2021-08-24 11:15:26 -10:00
Simon Michael
312097d6a5 ;doc: close: clarify and fix retained earnings example 2021-08-24 11:07:37 -10:00
Simon Michael
aba4a5d37f ;make: site-watch: update 2021-08-24 10:46:57 -10:00
Simon Michael
95d38ed796 ;make: site: fix, mention make hledgerorg 2021-08-24 10:22:38 -10:00
Simon Michael
b957018536 ;doc: close: simpler clopen: tag 2021-08-24 10:05:18 -10:00
Simon Michael
b51daf4b05 ;doc: close: tweak 2021-08-24 09:58:45 -10:00
Simon Michael
acde291632 ;doc: close: clarify close dates 2021-08-24 09:55:27 -10:00
Simon Michael
093c304834 ;doc: ui, web: changelogs tweak 2021-08-24 05:31:27 -10:00
Simon Michael
bffeab45c8 ;doc: update changelogs 2021-08-24 05:14:24 -10:00
Simon Michael
53d9455bdc ;doc: update changelogs 2021-08-24 05:05:50 -10:00
Arsen Arsenović
3504a91b42 ref: web: refactor toBloodhoundJson for Data.Text
This has the advantage of there being no extra unpacking/packing of
Data.Text to/from strings where it isn't necessary.
2021-08-24 05:04:12 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there is other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above, in practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Simon Michael
0ce518f12d ;doc: multiple files -> directives & multiple files 2021-08-24 02:45:12 -10:00
Stephen Morgan
a3cacca71d fix: ui: Make sure RegisterScreen (and consequently TransactionScreen)
only display forecast transactions when the appropriate flag is set.
2021-08-23 22:22:53 -10:00