[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
Julien Moura (Oslandia)
julien.moura at oslandia.com
Wed Jun 17 10:47:51 PDT 2026
Hi Raymond,
Sure, it's one of the irrelevant security warnings which have been
blindly applied as blocking. Good news: it's already identified and also
improved by the fantastic work of Lova! See:
https://github.com/qgis/QGIS-Plugins-Website/pull/316#discussion_r3342025056
Julien
On 17/06/2026 at 18:48, Even Rouault via QGIS-Developer wrote:
>
> On 17/06/2026 at 18:40, Raymond Nijssen via QGIS-Developer wrote:
>> Hi, I'm having this security issue with Bandit and cannot publish my
>> plugin. But the executeSql() does not take separate parameters. What
>> would be the proper solution here?
>>
>>
>> Possible SQL injection vector through string-based query construction.
>> 104 q = f'DELETE FROM imaer_metadata WHERE key = \'{key}\';'
>> 105 self.conn.executeSql(q)
>
>
> Maybe instead of key, use escaped_key = key.replace("'", "''") (i.e.
> replacing a single quote by a single quote repeated twice)
>
> That should be enough to avoid SQL injection, but no idea if Bandit
> will be smart enough to recognize this
>
> Some DB backends might have different escaping rules than the above
> standard SQL92 one, so it might be tricky to do that safely against an
> arbitrary backend.
>
--
Oslandia
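The quote-doubling fix Even suggests above, worked through as an added example that is not code from the thread or from the plugin. It uses an in-memory sqlite3 table named imaer_metadata as a stand-in for the plugin's QGIS provider connection (an assumption; the plugin calls executeSql() on a connection object with a single SQL string, as Raymond describes), and the helper name quote_literal is made up for illustration. It runs the flagged f-string construction and the escaped version side by side against an injected key, and checks that an escaped literal containing quotes parses back to the original string.

```python
import sqlite3

# Constructed sample table standing in for the plugin's imaer_metadata table
# (assumption: column "key" is the lookup column, as in the flagged DELETE).
SCHEMA = "CREATE TABLE imaer_metadata (key TEXT PRIMARY KEY, value TEXT)"
ROWS = [("author", "raymond"), ("version", "1.0"), ("crs", "EPSG:28992")]


def fresh_db():
    """Return a new in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO imaer_metadata VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def quote_literal(value):
    """Return value as a single-quoted SQL string literal, SQL92 style:
    every embedded single quote is doubled, so the literal cannot be
    terminated early by the caller's data.
    Assumption: the backend follows SQL92 quoting. A backend that also
    treats backslash as an escape character inside string literals
    needs additional handling, which is the caveat raised in the thread."""
    return "'" + value.replace("'", "''") + "'"


def remaining(conn):
    """Keys still present, sorted, so callers can see what a DELETE did."""
    return [r[0] for r in conn.execute(
        "SELECT key FROM imaer_metadata ORDER BY key")]


def delete_unescaped(conn, key):
    """The construction Bandit flags: key is interpolated verbatim."""
    q = f"DELETE FROM imaer_metadata WHERE key = '{key}';"
    conn.execute(q)
    conn.commit()
    return remaining(conn)


def delete_escaped(conn, key):
    """Same statement, but the key goes through quote_literal first."""
    q = f"DELETE FROM imaer_metadata WHERE key = {quote_literal(key)};"
    conn.execute(q)
    conn.commit()
    return remaining(conn)


def roundtrip(value):
    """Check that the escaped literal parses back to the original string."""
    conn = sqlite3.connect(":memory:")
    return conn.execute(f"SELECT {quote_literal(value)}").fetchone()[0]


if __name__ == "__main__":
    # Constructed hostile key: closes the literal and adds an always-true clause.
    hostile = "' OR '1'='1"
    print("unescaped:", delete_unescaped(fresh_db(), hostile))  # every row gone
    print("escaped:  ", delete_escaped(fresh_db(), hostile))    # nothing matched
    print("normal:   ", delete_escaped(fresh_db(), "author"))   # only 'author' gone
    print("roundtrip:", roundtrip("it's; DROP TABLE x --"))
```

With the verbatim interpolation the hostile key turns the statement into `WHERE key = '' OR '1'='1'` and empties the table; after quoting, the same input is compared as a literal string and matches no row. The round-trip check is the sanity test to keep next to any hand-rolled quoting routine: if the literal does not come back unchanged on the backend you actually target, the escaping rules differ from SQL92 and doubling quotes is not sufficient there.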