Task titles, UIDs, descriptions, categories, organizer usernames, alarm
descriptions, relation UIDs, and the calendar name were concatenated raw
into the VCALENDAR text. A task title containing CR/LF could plant new
iCalendar properties (ATTACH, X-INJECTED, VALARM, etc.) that CalDAV
clients would parse as legitimate calendar data.
Introduce escapeICalText, which escapes backslash, CR/LF, semicolon, and
comma per RFC 5545 §3.3.11, and apply it at every sink in ParseTodos,
ParseAlarms, and ParseRelations. Each Category is escaped individually;
the comma that joins categories is the literal list delimiter and stays
unescaped. The now-redundant regexp-based LF handling in the DESCRIPTION
branch is removed.
getCaldavColor is hardened at the same output boundary: non-hex
characters are stripped before interpolation so CR/LF in a crafted color
string cannot inject new iCal property lines, closing a gap where
upstream HexColor validation only bounds length and does not reject
control characters.
Fixes GHSA-2g7h-7rqr-9p4r.
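The output-boundary escaping described in the commit message above, as an added Go example that is not Vikunja's own code. The helper names, the `X-EXAMPLE-COLOR` property and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText escapes a TEXT value per RFC 5545 §3.3.11. Hypothetical helper
// written for this example; it is not Vikunja's escapeICalText.
func escapeText(s string) string {
	// Fold CRLF and bare CR into LF so each line break yields one "\n" escape.
	s = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(s)
	// A Replacer scans the input once, so emitted backslashes are not re-escaped.
	return strings.NewReplacer(`\`, `\\`, "\n", `\n`, ";", `\;`, ",", `\,`).Replace(s)
}

// joinCategories escapes each category on its own; the joining comma is the
// list delimiter and must stay literal.
func joinCategories(cats []string) string {
	out := make([]string, len(cats))
	for i, c := range cats {
		out[i] = escapeText(c)
	}
	return strings.Join(out, ",")
}

// hexOnly drops every rune that is not a hex digit, so a color value cannot
// carry CR/LF into the output.
func hexOnly(c string) string {
	return strings.Map(func(r rune) rune {
		if strings.ContainsRune("0123456789abcdefABCDEF", r) {
			return r
		}
		return -1
	}, c)
}

// buildTodo renders content lines; X-EXAMPLE-COLOR is a placeholder property name.
func buildTodo(summary string, cats []string, color string) string {
	return "BEGIN:VTODO\r\nSUMMARY:" + escapeText(summary) +
		"\r\nCATEGORIES:" + joinCategories(cats) +
		"\r\nX-EXAMPLE-COLOR:#" + hexOnly(color) + "\r\nEND:VTODO\r\n"
}

func main() {
	// Constructed hostile input: the title tries to start a new property line.
	fmt.Print(buildTodo("Buy milk\r\nX-INJECTED:1", []string{"home,urgent", "a;b"}, "ff0000\r\nX-Y:Z"))
}
```

The rendered block keeps exactly five content lines for any input, which is the property a regression test for this class of bug should assert.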
As I mentioned [here](https://kolaente.dev/vikunja/api/pulls/1442#issuecomment-55215), this is mainly a cleanup of @zewaren's original [PR](https://kolaente.dev/vikunja/api/pulls/1442).
It adds support for the `RELATED-TO` property in CalDAV's `VTODO` and the `RELTYPE=PARENT` and `RELTYPE=CHILD` relationships. In other words, it allows for `ParentTask->SubTask` relations to be supported through CalDAV.
In addition to the included tests, this has been tested by both @zewaren & myself with DAVx5 & Tasks (Android) and it's been working great.
Resolves https://kolaente.dev/vikunja/api/issues/1345
Co-authored-by: Miguel A. Arroyo <miguel@codeheads.dev>
Co-authored-by: Erwan Martin <public@fzwte.net>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1634
Reviewed-by: konrad <k@knt.li>
Co-authored-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
Co-committed-by: Miguel Arroyo <mayanez@noreply.kolaente.de>
Dates from tasks.org may be formatted like DUE;TZID=Europe/Berlin:20230402T150000
After this fix the parameter TZID is no longer ignored and the Vikunja task gets a DueDate of 13:00 UTC, which corresponds to 15:00 in Europe/Berlin. Before this fix, the time was parsed to 15:00 UTC.
Resolves https://kolaente.dev/vikunja/api/issues/1453
Co-authored-by: ce72 <christoph.ernst72@googlemail.com>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1455
Reviewed-by: konrad <k@knt.li>
Co-authored-by: cernst <ce72@noreply.kolaente.de>
Co-committed-by: cernst <ce72@noreply.kolaente.de>
Add colors for caldav
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/738
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
Add tests for multiline descriptions and completed state
Fix caldav descriptions
Fix caldav task complete status for OpenTasks
Co-authored-by: Martin Giger <martin@humanoids.be>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/697
Co-Authored-By: freaktechnik <martin@humanoids.be>
Co-Committed-By: freaktechnik <martin@humanoids.be>
no need to export from there I think
parse absolute ical timestamps
Co-authored-by: konrad <konrad@kola-entertainments.de>
Co-authored-by: Martin Giger <martin@humanoids.be>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/691
Co-Authored-By: freaktechnik <martin@humanoids.be>
Co-Committed-By: freaktechnik <martin@humanoids.be>
Increase golangci timeout
Fix installing golangci-lint in ci
Remove mage targets replaced by golangci
Run golint in ci
Add goheader linter
Enable & fix more linters
Fix lint issues
Add mage target to automagically fix issues found by golangci
golangci-lint run --fix
Add golangci config
Add golangci mage target
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/676
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
Fix query param name
Add option to include null results when filtering
Always set db time to gmt
Fix null filter
Fix timezone setting for todoist parsing
Fix timezone setting for wunderlist parsing
Fix import
Fix caldav reminder parsing
Use timezone from config
Add error and test for invalid filter values
Fix integration tests
Remove task collection date hack
Fix task filter
Fix lint
Fix tests and fixtures for date timezone stuff
Properly set timezone
Change fixtures time zone to gmt
Set db timezone
Set created and updated timestamps for all fixtures
Fix lint
Fix test fixtures
Fix misspell
Fix test fixtures
Partially fix tests
Remove timeutil package
Remove adding _unix suffix hack
Remove _unix suffix
Move all timeutil.TimeStamp to time.Time
Remove all Unix suffixes in field names
Add better error messages when running migrations
Make sure to not migrate 0 unix timestamps to 1970 iso dates
Add migration script for sqlite
Add converting sqlite values
Convert 0 unix timestamps to null in postgres
Convert 0 to null in timestamps
Automatically rename _unix suffix
Add all tables and columns for migration
Fix sql migration query for mysql
Fail with an error if trying to use an unsupported dbms
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/594
Remove traces of unix timestamp
Revert renaming reminder table column
Fix staticcheck
Remove unused table call
Add migration for renaming reminders table
Fix issues with using TimeStamp
Fix lint
Updated all created / updated fields to use TimeStamps
Add comments
Convert all created / updated fields to datetime
Add time util package
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/130
fix copyright date
Add more user tests
More user tests
More user tests
Start refactoring user tests
Docs
Fix lint
Fix db fixtures init in tests
Fix models test
Fix loading fixtures
Fix ineffasign
Fix lint
Fix integration tests
Fix init of test engine creation
Fix user related tests
Better handling of creating test engine
Moved all fixtures to db package
Moved all fixtures to db package
Moved user related stuff to separate package
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/123