[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
Raymond Nijssen
r.nijssen at terglobo.nl
Wed Jun 17 10:47:02 PDT 2026
Thanks for the suggestion Even. But there's really no danger of SQL
injection. The plugin simply reads and writes values to a local
geopackage. There's no user input or user form involved. And even if
there were, a user would simply destroy their own gpkg, which can be
done more easily by simply deleting it in the file browser.
I fixed it by putting a `# nosec` comment after all the lines with SQL
strings. Feels a bit strange though to "fix" things that are not bad or
broken at all.
Kind regards,
Raymond
On 6/17/26 18:48, Even Rouault wrote:
>
> On 17/06/2026 at 18:40, Raymond Nijssen via QGIS-Developer wrote:
>> Hi, I'm having this security issue with Bandit and cannot publish my
>> plugin. But the executeSql() does not take separate parameters. What
>> would be the proper solution here?
>>
>>
>> Possible SQL injection vector through string-based query construction.
>> 104 q = f'DELETE FROM imaer_metadata WHERE key = \'{key}\';'
>> 105 self.conn.executeSql(q)
>
>
> Maybe instead of key, use escaped_key = key.replace("'", "''") (i.e.
> replacing each single quote with two single quotes)
>
> That should be enough to avoid SQL injection, but no idea if Bandit will
> be smart enough to recognize this
>
> Some DB backends might have different escaping rules than the above
> standard SQL92 one, so it might be tricky to do that safely against an
> arbitrary backend.
>
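The three options discussed in this thread side by side, as an added example that is not part of the original post or the plugin's code: the f-string construction Bandit flagged, the quote-doubling escape Even suggests, and a parameterised query. The example uses Python's sqlite3 module on an in-memory database rather than the QGIS connection API, because a GeoPackage is an SQLite file and so follows SQLite's string-literal rules; the table name and column names are taken from the Bandit report, while the sample rows and the malicious key are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the plugin's imaer_metadata table.
SAMPLE_ROWS = [("crs", "EPSG:28992"), ("author", "raymond"), ("version", "1.2")]


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with the sample metadata table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE imaer_metadata (key TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO imaer_metadata VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def remaining_keys(conn: sqlite3.Connection) -> list:
    """Sorted list of keys still present, used to observe each variant's effect."""
    return sorted(row[0] for row in conn.execute("SELECT key FROM imaer_metadata"))


def delete_unsafe(conn: sqlite3.Connection, key: str) -> None:
    """The pattern Bandit flagged: the key is pasted verbatim into the SQL text."""
    q = f"DELETE FROM imaer_metadata WHERE key = '{key}';"
    conn.execute(q)


def escape_sql_string(value: str) -> str:
    """Even's suggestion: double every single quote.

    This is the SQL-92 rule for string literals and is what SQLite implements
    (backslash is NOT an escape character inside SQLite string literals).
    It is only valid when the value lands inside single quotes; it does nothing
    for an identifier, a number, or a value interpolated without quotes.
    """
    return value.replace("'", "''")


def delete_escaped(conn: sqlite3.Connection, key: str) -> None:
    """Same string construction, but with the key escaped first."""
    q = f"DELETE FROM imaer_metadata WHERE key = '{escape_sql_string(key)}';"
    conn.execute(q)


def delete_parameterised(conn: sqlite3.Connection, key: str) -> None:
    """The textbook fix where the API allows it: the driver binds the value."""
    conn.execute("DELETE FROM imaer_metadata WHERE key = ?", (key,))


def demo() -> dict:
    """Run the three variants against a tautology-style key and a legitimate
    key containing a quote, returning the keys left in each database."""
    malicious = "crs' OR '1'='1"  # constructed: turns the WHERE clause into a tautology
    results = {}

    conn = fresh_db()
    delete_unsafe(conn, malicious)
    results["unsafe"] = remaining_keys(conn)  # every row is gone

    conn = fresh_db()
    delete_escaped(conn, malicious)
    results["escaped"] = remaining_keys(conn)  # no key matches the literal string

    conn = fresh_db()
    delete_parameterised(conn, malicious)
    results["parameterised"] = remaining_keys(conn)

    # A legitimate key that itself contains a quote must still be deletable.
    conn = fresh_db()
    conn.execute("INSERT INTO imaer_metadata VALUES (?, ?)", ("o'brien", "x"))
    delete_escaped(conn, "o'brien")
    results["escaped_legit"] = remaining_keys(conn)

    return results


if __name__ == "__main__":
    for variant, keys in demo().items():
        print(f"{variant:15s} -> {keys}")
```

The escaped and parameterised variants leave the original three rows in place, while the unescaped f-string deletes everything. Note that Bandit's check flags the string construction itself rather than tracing where the interpolated value came from, so the escape will still be reported and the `# nosec` marker is what silences it; the caveat in the thread also stands, in that the doubling rule is correct for SQLite but other backends may differ, and it only protects values that end up inside a quoted string literal.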