Arsen Arsenović 9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there are other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above. In practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
.github ci: tweak 2021-08-19 08:55:44 -10:00
.sandstorm Add --capabilities-header to launcher.sh 2018-06-24 17:44:22 +02:00
bin ci: commitlint: ignore boring commits: github merge commit (#1606) 2021-07-13 12:35:48 -10:00
checks update dev setup tests 2015-03-16 17:59:06 -07:00
doc ;doc: 1.22 announcement 2021-07-03 13:03:51 -10:00
docker package: added helper scripts in docker/ 2019-01-31 12:44:12 -08:00
docker-static-arm32v7 Static builds for Linux on x64 (amd64) and arm32v7 architectures (#1571) 2021-06-30 18:05:27 -10:00
examples ;examples: sample.timedot cleanup 2021-08-04 19:21:27 -10:00
hledger ;doc: multiple files -> directives & multiple files 2021-08-24 02:45:12 -10:00
hledger-install install: 1.22.2 2021-08-08 07:49:17 -10:00
hledger-lib fix!: register: Tighten up spacing around the date in register reports. (#1655) 2021-08-22 08:15:22 -10:00
hledger-ui fix: ui: Make sure RegisterScreen (and consequently TransactionScreen) 2021-08-23 22:22:53 -10:00
hledger-web fix: web: b64 encode user controlled input (#1525) 2021-08-24 05:04:12 -10:00
tools tools: rename tools/doctest -> tools/docshelltest, update 2021-07-20 20:38:39 -10:00
.ci ;api: another round of hledger-api purging; fix the build 2019-09-11 14:49:22 -07:00
.ctags cli, lib: move functional tests into hledger/test/ 2020-11-16 08:47:41 -08:00
.dockerignore package: added Dockerfile 2019-01-29 16:14:03 -08:00
.editorconfig fix datepicker not closing, linting 2017-12-30 13:44:40 -05:00
.ghci tools: use pretty-simple for ghci output 2020-11-03 08:19:01 -10:00
.gitignore web: --test [-- HSPECARGS] runs the test suite 2020-11-16 14:02:16 -08:00
.hlint.yaml ;dev: configure hlint, silence all current warnings 2021-08-11 14:51:46 -10:00
.mailmap doc: use consistent spelling of Mykola Orliuk 2017-03-27 05:47:15 -07:00
.version ;pkg: bump version to 1.22.99 2021-08-03 00:24:20 -10:00
azure-pipelines.yml ;api: another round of hledger-api purging; fix the build 2019-09-11 14:49:22 -07:00
bench.sh ;tools: update instructions for installing quickbench 2021-06-15 15:19:38 -10:00
cabal.project ;cabal: fix cabal.project error with cabal 3.4 2021-03-12 07:01:48 -08:00
CHANGES.md ;doc: update changelogs 2021-08-19 18:36:34 -10:00
CONTRIBUTING.md ;doc: contrib: issue conventions 2021-07-28 10:37:07 -10:00
CREDITS.md ;doc: CREDITS cleanup 2020-03-21 18:37:49 -07:00
dev.hs collect some langage pragmas in dev.hs 2019-02-20 18:08:33 -08:00
dir ;dev: doc: update manuals 2021-07-12 18:50:06 -10:00
Dockerfile ;api: another round of hledger-api purging; fix the build 2019-09-11 14:49:22 -07:00
hie.yaml ;tools: silence hls errors for Shake.hs 2020-12-07 12:27:03 -08:00
LICENSE add LICENSE 2008-10-01 07:52:07 +00:00
Makefile ;make: list-commits, showauthors 2021-08-20 09:53:12 -10:00
Makefile.helpsys make: rename sub-makefiles; start moving site script to make/shake 2019-03-05 18:43:04 -08:00
README.md ;doc: readme: drop badges header 2020-08-21 08:18:26 -07:00
RELEASING.md ;doc: RELEASING: mention hledger-install 2021-08-08 07:49:17 -10:00
ROADMAP.md ;doc: contributing, roadmap: toc placement 2021-07-23 19:07:09 -10:00
Shake.hs shake: changelogs: don't get confused by an all-digit commit hash 2021-08-03 09:51:38 -10:00
stack8.6.yaml fix: web: b64 encode user controlled input (#1525) 2021-08-24 05:04:12 -10:00
stack8.8.yaml fix: web: b64 encode user controlled input (#1525) 2021-08-24 05:04:12 -10:00
stack8.10.yaml test: doctest cleanups, use latest 2021-07-20 20:38:39 -10:00
stack.yaml stack: 9.0: rename yaml file, making 9.0 the default 2021-07-20 20:38:39 -10:00

hledger project README

lightweight, portable, dependable accounting tools

hledger is a computer program for easily tracking money, time, or other commodities, on unix, mac and windows (and web-capable mobile devices, to some extent).

It is first a command-line tool, but there are also terminal and web interfaces, and a Haskell library for building your own programs and scripts (hledger is written in Haskell). hledger was inspired by and is largely compatible with Ledger. hledger is free software available under the GNU General Public License v3+.

hledger aims to help both computer experts and regular folks to gain clarity and control in their finances and time management, but currently it is a bit more suited to techies. I use it every day to:

  • track spending and income
  • see time reports by day/week/month/project
  • get accurate numbers for client billing and tax filing
  • track invoices

Though limited in features, hledger is lightweight, usable and reliable. For some, it is a simpler, less distracting, more future-proof alternative to Quicken or GnuCash.

For more, see the home page: https://hledger.org

Sponsorship

Your support, large or small, helps keep this project strong!
See also https://hledger.org#sponsorship.

Sponsor Simon (project leader): github liberapay paypal

Sponsor the hledger project as an organisation: OpenCollective

Sponsor the hledger project as an individual: OpenCollective

Bounties for specific tasks: all bounties bountysource bounties
