Commit Graph

193 Commits

Author SHA1 Message Date
Simon Michael
2e06c8dc27 ;doc: package description cleanups 2023-10-04 10:03:35 +01:00
Simon Michael
40037afaf1 lib!: export less from cli and web packages, and more from ui 2023-10-04 10:03:35 +01:00
Simon Michael
6f7c331ace ;pkg: bump version to 1.31.99 2023-09-11 09:56:34 +01:00
Simon Michael
9c4235bf88 pkg: allow megaparsec 9.5 2023-09-03 08:23:43 +01:00
Simon Michael
1a0b745c28 pkg: add support for aeson 2.2, add upper bound 2023-07-01 08:14:23 -10:00
Simon Michael
1bd1c55bd6 ;pkg: update tested-with 2023-07-01 07:34:46 -10:00
Simon Michael
110861ee83 ;pkg: allow megaparsec 9.4 2023-06-16 12:11:08 -10:00
Simon Michael
9ae87a73fa ;pkg: bump version to 1.30.99 2023-06-01 16:34:52 -10:00
Simon Michael
44805f96ef ;dev: ui, web: fixes for ghc 9.6; cleanup (#2011) 2023-03-15 20:43:51 -10:00
Simon Michael
a0ca339c46 ;pkg: bump version to 1.29.99 2023-03-11 13:27:25 -10:00
Simon Michael
d0eaa8cf5a dev: force megaparsec 9.3 in stack build plans where supported
For the useful dbg tool.
2022-12-22 20:31:47 -10:00
Simon Michael
e9e8f350f2 dev: require megaparsec 9.3+ in dev build, for its useful dbg tool
The 9.3 version works with our parsers.
2022-12-22 19:25:57 -10:00
Simon Michael
740ea50e4c ;pkg: bump version to 1.28.99 2022-12-01 12:23:10 -08:00
Simon Michael
fa8f6ae302 lib: Debug: breakpoint doesn't support windows yet, drop for now 2022-12-01 12:20:29 -08:00
Felix Yan
66b51472f2 Allow megaparsec 9.3
Builds fine and all tests pass.
2022-11-30 05:12:04 -05:00
Simon Michael
3a6955d3e2 dev: add stack9.4.yaml for building with latest nightly/ghc 9.4.3 2022-11-25 23:45:17 -05:00
Simon Michael
e5bb4f0b66 ;pkg: bump version to 1.27.99 2022-09-01 18:37:40 -07:00
Simon Michael
0c8582dbc7 pkg: web: start a common deps list, add breakpoint to other components 2022-08-23 02:02:19 +01:00
Simon Michael
9584ebb439 imp: lib: Hledger.Utils.Debug: re-export Debug.Breakpoint
And add breakpoint as a dependency and enable its GHC plugin in all
the hledger packages, so that breakpoint's helpers can be used easily.
2022-08-23 02:02:19 +01:00
Simon Michael
6a4680d561 imp: pkg: drop support for GHC 8.6 and 8.8
Slightly motivated by a desire to depend on the new breakpoint
library, which requires GHC 8.10+. With GHC 9.0 in Debian,
it seems time to drop these.
2022-08-23 02:02:19 +01:00
Simon Michael
3e728b1d36 ;pkg: bump version to 1.26.99 2022-06-05 00:32:18 +01:00
Simon Michael
db1818ac4a imp: consistent ghc warnings 2022-03-26 08:27:29 -10:00
Simon Michael
d9ecd1eb9d imp: update to modern warning flags 2022-03-25 20:28:34 -10:00
Simon Michael
5aab2cbf40 ;pkg: bump version to 1.25.99 2022-03-05 13:24:48 -10:00
Simon Michael
35c1c9b6a2 pkg: progress towards supporting GHC 9.2 and newer libs (#1774)
hledger-lib builds, hledger's deps don't (shakespeare).
2021-12-06 12:32:50 -10:00
Simon Michael
66619803b7 ;pkg: bump version to 1.24.99 2021-12-01 22:16:37 -10:00
Simon Michael
387325b59e ;pkg: bump version to 1.24 2021-12-01 17:16:28 -10:00
Simon Michael
69905dbc25 ;pkg: allow megaparsec 9.2 2021-10-03 22:55:10 -10:00
Simon Michael
8934c115bd ;pkg: bump version to 1.23.99 2021-09-24 12:22:15 -10:00
Simon Michael
19950df745 ;pkg: bump version to 1.23 2021-09-21 15:34:23 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there are other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above. In practice, a combination of both should be
used: b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Simon Michael
f51ea92cfc deps: require base >=4.11, prevent red squares on hackage matrix
We officially support GHC 8.6+ (and 8.8+ for hledger-web) now.
Hackage matrix builder shows all packages building successfully
with GHC 8.4+, somehow, so we'll adjust the base bound to
allow that but prevent any attempts to build with older GHCs.
2021-08-03 21:05:02 -10:00
Simon Michael
2a39497e21 pkg: add tested-with GHC 9.0.1 2021-08-03 20:52:05 -10:00
Simon Michael
6665ddfb9b ;pkg: bump version to 1.22.99 2021-08-03 00:24:20 -10:00
Simon Michael
9aac520edd deps: allow megaparsec 9.1 2021-07-20 20:38:39 -10:00
Simon Michael
544450f557 ;bump version to 1.22 2021-06-28 22:37:47 -10:00
Simon Michael
58b481ca5b stack: updated tested-with to 8.6+ 2021-06-03 14:07:39 -10:00
Felix Yan
684af10643 Allow yesod-form 1.7
Builds fine and all tests pass here.
2021-04-23 10:15:27 -10:00
Simon Michael
ba1e91c302 drop support for GHC 8.0
Prior to this commit,
- hledger still builds with GHC 8.0
- hledger-ui does if you use the build plan specified by stack8.0.yaml,
  but you are likely to hit problems if you let cabal pick one
  (https://github.com/jtdaugherty/vty/issues/198 and others)
- hledger-web might, if you could find the right build plan

The hassles are enough and GHC 8.0 is old enough (first released in
2016) that I'm letting it go; 8.2 is the new minimum version for all
hledger packages.

This allows a bunch of cleanups to conditional imports, which I leave
for later.

Also, updated the tested-with minor versions.
2021-04-04 07:54:22 -10:00
Simon Michael
4e644840bc lib, etc: add now-required lower bound on containers (#1514) 2021-03-29 08:19:28 -07:00
Simon Michael
36cbc2b068 bump base upper bound to allow GHC 9.0 2021-03-12 06:58:46 -08:00
Simon Michael
e050790d4c ;bump version to 1.21.99 2021-03-10 13:50:49 -08:00
Simon Michael
eeddfc2509 ;bump version to 1.21 2021-03-10 08:24:58 -08:00
Simon Michael
9087532b62 ;bump version to 1.20.99 2020-12-14 11:28:07 -08:00
Simon Michael
1856ca5312 web: bump to 1.20.1; update manuals' dates 2020-12-06 18:20:56 -08:00
Simon Michael
2501329f3c ;bump version to 1.20 2020-11-30 15:18:24 -08:00
Simon Michael
ee73a6aabf web: --test [-- HSPECARGS] runs the test suite 2020-11-16 14:02:16 -08:00
Simon Michael
3651a5f5f4 ;web: tests: refactor, add a test for --forecast (#1390) 2020-11-13 16:40:33 -08:00
Simon Michael
c7e267e314 ;web: begin work on a forecasting test (#1390) 2020-11-13 09:42:06 -08:00
Simon Michael
290428f9d4 web: re-enable the test suite; add a test for /journal (#1390) 2020-11-13 09:37:56 -08:00