[QGIS-Developer] Potential vulnerabilities

Even Rouault even.rouault at spatialys.com
Mon Feb 3 04:25:00 PST 2020


> For example, is it possible to compromise QGIS Desktop via
> opening/connecting to a compromised shapefile/Geopackage/web-service/CSV
> etc etc? I have no idea, but it'd definitely be a useful thing to
> investigate.

For file formats, part of the security/insecurity would fall on GDAL (and 
underlying libraries). GDAL has been integrated with oss-fuzz [1] for 3 
years and we have fixed a big number of issues raised by it (not all strictly 
security related).

That said, that doesn't test the pure QGIS side of things, since there could 
be issues in QGIS provider code, or in non-GDAL code paths (text delimited 
provider, web service providers). One technical issue with oss-fuzz is that it 
requires statically linked binaries, due to constraints on how they deploy the 
binaries in their stress-testing cloud.

An alternative would be to use AFL ([2]) (which is one of the backends used by 
oss-fuzz), which doesn't have this statically linked binary requirement.

On the client side, testing the security of web service providers would be 
pretty challenging since you'd have to simulate potentially hostile servers 
and look at how the client reacts to those hostile responses.

For the server side, you could imagine having an ossfuzz/afl integration where 
what would be fuzzed would be the request sent to the server.

Even


[1] https://github.com/google/oss-fuzz
[2] https://github.com/google/AFL

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
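
The hostile-server testing described in the message above, as an added example (not part of the original post, and not QGIS or GDAL code): a local test server returns constructed malformed responses and a stand-in client records how each one is handled. The XML shape, the `MAX_BODY` cap and all function names are assumptions made for illustration.

```python
import http.client, threading, urllib.request, xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOD = b"<Capabilities><Layer><Name>roads</Name></Layer></Capabilities>"
MAX_BODY = 4096  # client-side size cap (assumed for this example)
CASES = {  # constructed: path -> (declared Content-Length, body actually sent)
    "/good": (len(GOOD), GOOD),
    "/truncated": (len(GOOD) - 20, GOOD[:-20]),   # XML cut mid-document
    "/binary": (64, bytes(range(64))),            # not XML at all
    "/short-body": (len(GOOD) + 500, GOOD),       # header overstates the length
    "/oversized": (65543, b"<a>" + b"x" * 65536 + b"</a>"),
}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

class Hostile(BaseHTTPRequestHandler):
    def do_GET(self):
        declared, body = CASES[self.path]
        self.send_response(200)
        self.send_header("Content-Length", str(declared))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the test output quiet

def fetch_capabilities(url):
    """Stand-in client: classify one response as ('ok', names) or ('rejected', why)."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            declared = int(resp.headers.get("Content-Length", -1))
            body = resp.read(MAX_BODY + 1)   # never read an unbounded body
        if len(body) > MAX_BODY:
            return ("rejected", "too large")
        if declared != len(body):
            return ("rejected", "length mismatch")
        root = ET.fromstring(body)
    except http.client.IncompleteRead:       # raised by some Python versions instead
        return ("rejected", "length mismatch")
    except ET.ParseError:
        return ("rejected", "malformed xml")
    return ("ok", [n.text for n in root.iter("Name")])

def run_cases():
    with HTTPServer(("127.0.0.1", 0), Hostile) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        results = {path: fetch_capabilities(base + path) for path in CASES}
        server.shutdown()
    return results

if __name__ == "__main__":
    print(run_cases())
```

In a real harness the stand-in client would be replaced by the provider code under test, and any outcome other than a clean result or a clean rejection (crash, hang, unhandled exception) is the finding.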

