[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
Julien Cabieces
julien.cabieces at oslandia.com
Mon Jun 22 00:20:52 PDT 2026
Hi,
> How is this different from telling the scanner to ignore it? It seems
> like laundering input via steps the scanner doesn't follow.
It's not that much different, I agree, but at least you have to spend a
few minutes to think about how you could fix (if possible) this security
issue. If you just have to write #noseq, I'm afraid it would be the easy
way to solve any security issue and the scanner would become completely
useless.
I think we could:
- accept the #noseq for now
- think about and document appropriate ways to fix every type of issue nicely
(adding parameters for executeSql for instance)
- point plugin developers to this documentation when there are security
issues (or code contains #noseq)
- disable #noseq for each issue type individually when there is an
alternative (and after a long enough period of time)
Regards,
Julien
> Etienne Trimaille via QGIS-Developer <qgis-developer at lists.osgeo.org>
> writes:
>
>> As Julien said, It seems that just a call to "format" with a Python
>> dictionary might be enough for now :
>>
>> sql = "SELECT * FROM {schema}.foo"
>> params = {
>>     "schema": "test",
>> }
>> sql = sql.format(**params)
>
> (That code is hard to read given likely bad HTML formatting, but I get
> the point.)
>
> How is this different from telling the scanner to ignore it? It seems
> like laundering input via steps the scanner doesn't follow.
--
Julien Cabieces
Senior Developer at Oslandia
julien.cabieces at oslandia.com
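The thread contrasts str.format() on a schema name (which the scanner flags) with "adding parameters for executeSql". The following is an added example, not code from the thread or from QGIS; it uses Python's sqlite3 as a stand-alone stand-in for a provider's executeSql, binds values as parameters, and allow-lists the identifier, since a schema or table name cannot be bound as a parameter.

```python
import re
import sqlite3


def demo_connection() -> sqlite3.Connection:
    # Constructed in-memory database; stands in for the provider connection.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE foo (id INTEGER, name TEXT);"
        "INSERT INTO foo VALUES (1, 'alpha'), (2, 'beta');"
    )
    return conn


def build_sql_with_format(schema: str) -> str:
    # The pattern discussed in the thread: str.format() splices the caller's
    # string straight into the SQL text, so any content is accepted verbatim.
    return "SELECT * FROM {schema}.foo".format(schema=schema)


# Hypothetical allow-list for identifiers: letters, digits and underscores only.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def quote_identifier(name: str) -> str:
    # Identifiers (schema/table names) cannot be bound as query parameters,
    # so they are validated against the allow-list and double-quoted instead.
    if not is_safe_identifier(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return '"' + name + '"'


def select_rows(conn: sqlite3.Connection, schema: str, min_id: int) -> list:
    # Values go through parameter binding (?), identifiers through quote_identifier().
    sql = f"SELECT id, name FROM {quote_identifier(schema)}.foo WHERE id >= ?"
    return conn.execute(sql, (min_id,)).fetchall()


if __name__ == "__main__":
    c = demo_connection()
    print(build_sql_with_format("main"))   # SELECT * FROM main.foo
    print(select_rows(c, "main", 2))       # [(2, 'beta')]
```

The format-based builder happily embeds a string such as `main"; --`, while quote_identifier() refuses it before any SQL is executed.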