Commit Graph

10146 Commits

Author SHA1 Message Date
Stephen Morgan
65e10aebd2 dev: test: Convert forecast.test to shelltestrunner format 3
We'll soon implement some tests that have the same input, so this will
reduce duplication.
2021-08-26 20:32:30 -10:00
Simon Michael
092e9479f0 ;ui: update forecast example journal and hledger-ui forecast tests
Related to #1667.
2021-08-26 19:51:01 -10:00
Simon Michael
76a6c5fe4f ;ui: test: cleanup, remove non-working test attempts 2021-08-26 19:50:57 -10:00
Stephen Morgan
aa7a99a437 cln: hlint: Fix hlint warnings in Query.hs. 2021-08-26 07:23:11 -10:00
Stephen Morgan
d13ce0e134 cln: hlint: Remove Unused LANGUAGE pragma ignore. 2021-08-26 07:23:11 -10:00
Stephen Morgan
7edcbe4be8 cln: hlint: Remove redundant guard warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
e666bbcaf0 cln: hlint: Fix newtype warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
1e69fd81ea cln: hlint: Remove if warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
d2beb89eba cln: hlint: Remove exitSuccess warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
119e20aa36 cln: hlint: Remove guards warning. 2021-08-26 07:23:11 -10:00
Stephen Morgan
5906959882 cln: hlint: Remove redundant case warnings. 2021-08-26 07:23:11 -10:00
Stephen Morgan
fed75c58e9 cln: hlint: Clean up hlint warnings not already ignored in hlint.yaml. 2021-08-25 20:44:36 -10:00
Stephen Morgan
063aaf35b5 cln: hlint: Rename pattern variables to avoid hlint parsing errors. 2021-08-25 20:44:36 -10:00
Simon Michael
03db46cc81 ;doc: close: mention another cause of non-zero bse 2021-08-24 11:15:26 -10:00
Simon Michael
312097d6a5 ;doc: close: clarify and fix retained earnings example 2021-08-24 11:07:37 -10:00
Simon Michael
aba4a5d37f ;make: site-watch: update 2021-08-24 10:46:57 -10:00
Simon Michael
95d38ed796 ;make: site: fix, mention make hledgerorg 2021-08-24 10:22:38 -10:00
Simon Michael
b957018536 ;doc: close: simpler clopen: tag 2021-08-24 10:05:18 -10:00
Simon Michael
b51daf4b05 ;doc: close: tweak 2021-08-24 09:58:45 -10:00
Simon Michael
acde291632 ;doc: close: clarify close dates 2021-08-24 09:55:27 -10:00
Simon Michael
093c304834 ;doc: ui, web: changelogs tweak 2021-08-24 05:31:27 -10:00
Simon Michael
bffeab45c8 ;doc: update changelogs 2021-08-24 05:14:24 -10:00
Simon Michael
53d9455bdc ;doc: update changelogs 2021-08-24 05:05:50 -10:00
Arsen Arsenović
3504a91b42 ref: web: refactor toBloodhoundJson for Data.Text
This has the advantage of there being no extra unpacking/packing of
Data.Text to/from strings where it isn't necessary.
2021-08-24 05:04:12 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there are other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above. In practice, a combination of both should be
used: b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Simon Michael
0ce518f12d ;doc: multiple files -> directives & multiple files 2021-08-24 02:45:12 -10:00
Stephen Morgan
a3cacca71d fix: ui: Make sure RegisterScreen (and consequently TransactionScreen)
only display forecast transactions when the appropriate flag is set.
2021-08-23 22:22:53 -10:00
Stephen Morgan
90fd2a9aaf cln: register: Remove unused knot-tying code.
The conclusion is that trying to tie that knot will inevitably lead to
linear memory consumption; any solution which avoids this, if it exists,
will need significantly different code.

cf. https://stackoverflow.com/questions/66563595/can-i-exploit-lazy-evaluation-to-reference-future-values-without-space-leaks
2021-08-22 18:55:37 -10:00
Stephen Morgan
59b89947eb fix: aregister: Make multicommodity amounts properly aligned in
aregister. (#1656)

This also switches to the renderTable interface for laying out
aregister, just as in postingsReport.
2021-08-22 18:55:37 -10:00
Stephen Morgan
06312c353a fix!: register: Tighten up spacing around the date in register reports. (#1655)
As a side effect, this changes the Json representation of the
PostingsReport. The maybe report end date is now replaced with a maybe
period.
2021-08-22 08:15:22 -10:00
Daniel Gröber
4b654fff94 ;doc: Fix cmdline example typo, f- should be -f- 2021-08-22 08:12:08 -10:00
Simon Michael
e24b7ef90f fix: warning introduced by 993d0b5c 2021-08-22 06:58:08 -10:00
Stephen Morgan
34ab164b32 cln: Remove redundant bang patterns. 2021-08-21 17:50:21 -10:00
Stephen Morgan
912b5e6c23 cln: Derive more instances in Hledger.Data.Types to reduce orphans.
Also clean up some outdated or inaccurate comments.
2021-08-21 17:50:21 -10:00
Simon Michael
993d0b5c54 cli: --forecast now rejects instead of silently ignoring an interval
Something that confused me when testing #1632.
2021-08-20 17:55:59 -10:00
Simon Michael
d3d1b2cfc7 ;doc: clarify that --forecast ignores a report interval (#1632) 2021-08-20 17:34:23 -10:00
Simon Michael
780c50672c feat: periodexpr: support weekday, weekendday, multiple weekdays (#1632, Lawrence Wu)
Merge LW's branch '1517-every-weekday', with some added SM doc edits.
2021-08-20 17:02:58 -10:00
Simon Michael
566176c884 doc: try to clarify multi-weekday syntax more (#1632) 2021-08-20 17:02:34 -10:00
Lawrence
8a5addfb02 lib: implement periodic expressions for weekday et al
Implementation lifts DayOfWeek (renamed to DaysOfWeek) to a list of
days. This should match the previous behavior for single-element lists.
2021-08-20 20:30:18 -05:00
Simon Michael
2c96e6f1ff ;make: list-commits, showauthors 2021-08-20 09:53:12 -10:00
Simon Michael
ddeeee6046 ;doc: update changelogs 2021-08-19 18:36:34 -10:00
Stephen Morgan
4576f8effd pkg!: Migrate the last of old-time over to time, changing ClockTime to
POSIXTime.

This eliminates old-time, which has been deprecated for a while, from
our dependencies.

This introduces a slight incompatibility, as a small number of functions
now take/return POSIXTime instead of ClockTime. Generally you will be
using the current time, in which case you should use getPOSIXTime from
Data.Time.Clock.POSIX instead of getClockTime.

utcTimeToClockTime has been removed, as it is now equivalent to
utcTimeToPOSIXSeconds from Data.Time.Clock.POSIX.
2021-08-19 17:47:19 -10:00
Simon Michael
c135c1a3fc ;cln: slight typos cleanup (#1654) 2021-08-19 17:43:45 -10:00
Lawrence
0982e3343a test: bal: add functests for transpose and compound commands (#1654) 2021-08-19 17:37:33 -10:00
Lawrence
d7a56a9830 test: give descriptions to commodity-column functests (#1654)
Also renames the file for consistent naming with the flag
2021-08-19 17:37:32 -10:00
Lawrence
710823e5d7 imp: bal: handle commodity-column flag in compound balance reports (#1654) 2021-08-19 17:37:30 -10:00
Lawrence
277227acf8 fix: budget: handle transpose flag with commodity-columns (#1654)
Budget formatting is quite complicated since we must determine widths
for each of the transposed columns
2021-08-19 17:37:29 -10:00
Lawrence
a3c0c0cade fix: bal: handle transpose flag with commodity-columns (#1654)
The textual output needs to be fully transposed instead of just the cell
values. The multi-period csv handling code already does the right thing
so just use those values.

The change in CompoundBalanceCommand.hs is just to match signatures
since commodity-column is not yet enabled there.
2021-08-19 17:37:27 -10:00
Lawrence
44e1ea10fa fix: bal: correctly handle empty commodity in commodity-column (#1654)
We can't filter out empty commodity strings since that is a legitimate
group. Simultaneously, we should only include the empty commodity if it
is explicitly used (part of a posting) and not generated as part of
`Amounts.amounts`.
2021-08-19 17:37:19 -10:00
Simon Michael
07eb3a9086 ci: tweak 2021-08-19 08:55:44 -10:00