Commit Graph

377 Commits

Author SHA1 Message Date
Simon Michael
f4508e73d3 ;cabal: update cabal files 2023-06-16 12:11:53 -10:00
Simon Michael
286ee105da ;cabal: update cabal files 2023-06-01 16:34:52 -10:00
Simon Michael
cb011c0c77 ;cabal: update cabal files (#2011) 2023-03-15 20:44:01 -10:00
Simon Michael
f75110f49c ;cabal: update cabal files 2023-03-11 13:27:25 -10:00
Simon Michael
0f2fe39e43 cabal: update cabal files 2022-12-22 20:32:03 -10:00
Simon Michael
3b91a8475a cabal: update cabal files 2022-12-22 19:26:16 -10:00
Simon Michael
8da21f1195 ;cabal: update cabal files 2022-12-01 12:23:10 -08:00
Felix Yan
66b51472f2 Allow megaparsec 9.3
Builds fine and all tests pass.
2022-11-30 05:12:04 -05:00
Simon Michael
5283c280bf ;cabal: update cabal files 2022-11-26 00:13:02 -05:00
Simon Michael
130604a2e0 ;cabal: update cabal files; migrate to hpack 0.35/stack 2.9 2022-09-19 18:23:26 -10:00
Simon Michael
427005037e cabal: update cabal files 2022-09-01 18:37:57 -07:00
Simon Michael
e5578e5c4e ;cabal: update cabal files 2022-08-23 02:02:19 +01:00
Simon Michael
f2db4c3840 ;cabal: update cabal files 2022-06-05 00:32:18 +01:00
Simon Michael
db1818ac4a imp: consistent ghc warnings 2022-03-26 08:27:29 -10:00
Simon Michael
d9ecd1eb9d imp: update to modern warning flags 2022-03-25 20:28:34 -10:00
Simon Michael
af7a5f98e3 ;cabal: update cabal files 2022-03-05 13:24:48 -10:00
Simon Michael
35c1c9b6a2 pkg: progress towards supporting GHC 9.2 and newer libs (#1774)
hledger-lib builds, hledger's deps don't (shakespeare).
2021-12-06 12:32:50 -10:00
Simon Michael
ce3ec28e3d ;cabal: update cabal files 2021-12-01 22:16:37 -10:00
Simon Michael
0c4b820111 ;cabal: update cabal files 2021-12-01 17:16:28 -10:00
Simon Michael
7af2e79465 ;cabal: update cabal files 2021-10-03 22:56:02 -10:00
Simon Michael
b857307f64 ;cabal: update cabal files 2021-09-24 12:22:15 -10:00
Simon Michael
1b020e004b ;cabal: update cabal files 2021-09-21 15:34:23 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there is other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above, in practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Simon Michael
6afc5ce6b2 ;cabal: update cabal files 2021-08-03 21:05:29 -10:00
Simon Michael
95de5a878a ;cabal: update cabal files 2021-08-03 08:00:22 -10:00
Simon Michael
9aac520edd deps: allow megaparsec 9.1 2021-07-20 20:38:39 -10:00
Simon Michael
26bc5e6df3 ;update cabal files 2021-06-28 22:38:12 -10:00
Simon Michael
b681cde62d ;update cabal files 2021-06-03 14:08:47 -10:00
Simon Michael
d3b20675d0 tools: really regenerate the cabal files with stack's hpack
hpack has dropped the hash at last, this should help a lot to reduce
edit conflicts and commit noise.
2021-05-14 16:14:06 -10:00
Felix Yan
684af10643 Allow yesod-form 1.7
Builds fine and all tests pass here.
2021-04-23 10:15:27 -10:00
Simon Michael
eb2da22f63 ;update cabal files 2021-04-04 08:03:57 -10:00
Simon Michael
d0940bf8ce ;update cabal files 2021-03-29 08:19:54 -07:00
Simon Michael
ae57e76cb3 ;update cabal files 2021-03-12 06:59:30 -08:00
Simon Michael
5573538fdc ;update cabal files 2021-03-10 13:50:50 -08:00
Simon Michael
00beaf1423 ;update cabal files 2021-03-10 08:24:59 -08:00
Simon Michael
f7bbb39a77 ;regenerate cabal files with the hpack version in current stack
To minimise warnings. They got regenerated by a commit for #1471.
2021-02-18 13:42:40 -08:00
Arnout Engelen
ad2ab3c823 Make sure to round up for the 'to' date 2021-02-17 09:05:13 -08:00
Simon Michael
9afccde16f ;update cabal files 2020-12-14 12:31:01 -08:00
Simon Michael
1856ca5312 web: bump to 1.20.1; update manuals' dates 2020-12-06 18:20:56 -08:00
Simon Michael
5507cb07ef ;update cabal files 2020-11-30 15:19:21 -08:00
Simon Michael
ee73a6aabf web: --test [-- HSPECARGS] runs the test suite 2020-11-16 14:02:16 -08:00
Simon Michael
3651a5f5f4 ;web: tests: refactor, add a test for --forecast (#1390) 2020-11-13 16:40:33 -08:00
Simon Michael
c7e267e314 ;web: begin work on a forecasting test (#1390) 2020-11-13 09:42:06 -08:00
Simon Michael
290428f9d4 web: re-enable the test suite; add a test for /journal (#1390) 2020-11-13 09:37:56 -08:00
TANIGUCHI Kohei
906da6e6bd Fix hledger-web description
Slashes need to be escaped or they introduce unexpected italic style
due to Haddock markup.
2020-10-22 00:33:47 -07:00
Simon Michael
1affcb727c ;update cabal files 2020-09-11 16:59:53 -07:00
Simon Michael
bc2670204f ;update missed hledger-web cabal file 2020-09-07 15:40:43 -07:00
Felix Yan
c6f33cc824 Remove redundant semigroups dependency 2020-09-07 12:12:46 -07:00
Simon Michael
3170cc7cbd bump version to 1.19 2020-09-01 20:27:17 -07:00
Simon Michael
e090e0f949 add lower bound needed for aeson, to help cabal (#1268) 2020-06-23 14:55:42 -07:00