mirror of
https://github.com/simonmichael/hledger.git
synced 2024-12-27 12:24:43 +03:00
9ce55146c8
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.
In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there is other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.
The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.
The second approach has the advantage of preventing further XSS, to the
extent specified above, in practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).
This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839
Test payload: </Script><svg onload=alert(1)//>
Closes #1525
178 lines
4.1 KiB
YAML
178 lines
4.1 KiB
YAML
name: hledger-web
|
|
version: 1.22.99
|
|
synopsis: Web-based user interface for the hledger accounting system
|
|
description: |
|
|
A simple web-based user interface for the hledger accounting system,
|
|
providing a more modern UI than the command-line or terminal interfaces.
|
|
It can be used as a local single-user UI, or as a multi-user UI for
|
|
viewing\/adding\/editing on the web.
|
|
|
|
hledger is a robust, cross-platform set of tools for tracking money,
|
|
time, or any other commodity, using double-entry accounting and a
|
|
simple, editable file format, with command-line, terminal and web
|
|
interfaces. It is a Haskell rewrite of Ledger, and one of the leading
|
|
implementations of Plain Text Accounting. Read more at:
|
|
<https://hledger.org>
|
|
|
|
category: Finance
|
|
license: GPL-3
|
|
author: Simon Michael <simon@joyful.com>
|
|
maintainer: Simon Michael <simon@joyful.com>
|
|
github: simonmichael/hledger
|
|
homepage: http://hledger.org
|
|
bug-reports: http://bugs.hledger.org
|
|
stability: stable
|
|
tested-with: GHC==8.8.4, GHC==8.10.4, GHC==9.0.1
|
|
|
|
extra-source-files:
|
|
- CHANGES.md
|
|
- README.md
|
|
- config/favicon.ico
|
|
- config/keter.yaml
|
|
- config/robots.txt
|
|
- config/routes
|
|
- config/settings.yml
|
|
- static/css/*.css
|
|
- static/css/*.map
|
|
- static/fonts/*.eot
|
|
- static/fonts/*.svg
|
|
- static/fonts/*.ttf
|
|
- static/fonts/*.woff
|
|
- static/hledger.css
|
|
- static/hledger.js
|
|
- static/js/*.js
|
|
- templates/*.hamlet
|
|
- hledger-web.1
|
|
- hledger-web.txt
|
|
- hledger-web.info
|
|
|
|
flags:
|
|
library-only:
|
|
description: Build for use with "yesod devel"
|
|
manual: false
|
|
default: false
|
|
dev:
|
|
description: Turn on development settings, like auto-reload templates.
|
|
manual: false
|
|
default: false
|
|
threaded:
|
|
description: Build with support for multithreaded execution.
|
|
manual: false
|
|
default: true
|
|
|
|
ghc-options:
|
|
- -Wall
|
|
- -fwarn-tabs
|
|
- -Wcompat
|
|
- -Wincomplete-uni-patterns
|
|
- -Wincomplete-record-updates
|
|
- -Wredundant-constraints
|
|
|
|
when:
|
|
- condition: (flag(dev)) || (flag(library-only))
|
|
cpp-options: -DDEVELOPMENT
|
|
# This causes a warning when uploading to hackage:
|
|
#Package check reported the following warnings:
|
|
# 'ghc-options: -O0' is not needed. Use the --disable-optimization configure flag.
|
|
- condition: flag(dev)
|
|
ghc-options: -O0
|
|
|
|
library:
|
|
source-dirs: .
|
|
cpp-options: -DVERSION="1.22.99"
|
|
exposed-modules:
|
|
- Hledger.Web
|
|
- Hledger.Web.Application
|
|
- Hledger.Web.Foundation
|
|
- Hledger.Web.Handler.AddR
|
|
- Hledger.Web.Handler.EditR
|
|
- Hledger.Web.Handler.JournalR
|
|
- Hledger.Web.Handler.MiscR
|
|
- Hledger.Web.Handler.RegisterR
|
|
- Hledger.Web.Handler.UploadR
|
|
- Hledger.Web.Import
|
|
- Hledger.Web.Main
|
|
- Hledger.Web.Settings
|
|
- Hledger.Web.Settings.StaticFiles
|
|
- Hledger.Web.Test
|
|
- Hledger.Web.WebOptions
|
|
- Hledger.Web.Widget.AddForm
|
|
- Hledger.Web.Widget.Common
|
|
dependencies:
|
|
- hledger-lib >=1.22.99 && <1.23
|
|
- hledger >=1.22.99 && <1.23
|
|
- aeson >=1
|
|
- base >=4.11 && <4.16
|
|
- base64
|
|
- blaze-html
|
|
- blaze-markup
|
|
- bytestring
|
|
- case-insensitive
|
|
- clientsession
|
|
- cmdargs >=0.10
|
|
- conduit
|
|
- conduit-extra >=1.1
|
|
- containers >=0.5.9
|
|
- data-default
|
|
- Decimal >=0.5.1
|
|
- directory >=1.2.3.0
|
|
- extra >=1.6.3
|
|
- filepath
|
|
- hjsmin
|
|
- http-conduit
|
|
- http-client
|
|
- http-types
|
|
- megaparsec >=7.0.0 && <9.2
|
|
- mtl >=2.2.1
|
|
- network
|
|
- shakespeare >=2.0.2.2
|
|
- template-haskell
|
|
- text >=1.2
|
|
- time >=1.5
|
|
- transformers
|
|
- unix-compat
|
|
- unordered-containers
|
|
- utf8-string
|
|
- wai
|
|
- wai-extra
|
|
- wai-handler-launch >=3.0.3
|
|
- wai-cors
|
|
- warp
|
|
- yaml
|
|
- yesod >=1.4 && < 1.7
|
|
- yesod-core >=1.4 && < 1.7
|
|
- yesod-form >=1.4 && < 1.8
|
|
- yesod-static >=1.4 && < 1.7
|
|
- hspec
|
|
- yesod-test
|
|
|
|
executables:
|
|
hledger-web:
|
|
source-dirs: app
|
|
main: main.hs
|
|
cpp-options: -DVERSION="1.22.99"
|
|
dependencies:
|
|
- base
|
|
- hledger-web
|
|
when:
|
|
- condition: flag(library-only)
|
|
buildable: false
|
|
- condition: flag(threaded)
|
|
ghc-options: -threaded
|
|
|
|
tests:
|
|
test:
|
|
source-dirs: test
|
|
main: test.hs
|
|
other-modules: [] # prevent double compilation, https://github.com/sol/hpack/issues/188
|
|
cpp-options: -DVERSION="1.22.99"
|
|
dependencies:
|
|
- base
|
|
- hledger-lib
|
|
- hledger
|
|
- hledger-web
|
|
- hspec
|
|
- text
|
|
- yesod
|
|
- yesod-test
|