[QGIS-Developer] Security issues with plugins
Julien Cabieces
julien.cabieces at oslandia.com
Thu May 28 08:20:11 PDT 2026
Hi Pedro,
I don't think there are any checks yet about calling system commands (using
subprocess), which both your plugin and qpip do.
I see nothing in the implemented security scan: https://github.com/qgis/QGIS-Plugins-Website/blob/18bf205e1c0733bc1f09f15430eff52c1a78a1a3/qgis-app/plugins/security_scanner.py#L67
I ran the security scan on your plugin and get those errors:
Detects suspicious file types, hidden files, or unexpected executables
- qaequilibrae-develop/.pre-commit-config.yaml: 'Hidden file detected'
- qaequilibrae-develop/docs/make.bat: 'Executable or binary file detected (.bat)'
So it should be easy to fix those so your plugin can pass the security scan.
Kind regards,
Julien
> Hi Julien,
>
> This is indeed a possibility. However, there is one thing I do not understand.
>
> As far as I understand, the way qpip installs dependencies is very
> similar to what we do in AequilibraE (command system call). So why is
> that qpip is still available through the plugin store? Is there an
> important difference I am missing there?
>
> Cheers,
> Pedro
>
>
> From: Julien Cabieces <julien.cabieces at oslandia.com>
> To: "Pedro Camargo via QGIS-Developer"<qgis-developer at lists.osgeo.org>
> Cc: "Pedro Camargo"<c at margo.co>
> Date: Wed, 27 May 2026 20:27:52 +1000
> Subject: Re: [QGIS-Developer] Security issues with plugins
>
> >
> > Hi all,
> >
> > I think qpip is the best way to solve this particular matter. IMHO, the only
> > drawback now is that you have to add qpip as a plugin dependency to
> > then declare your dependencies. So the first time, QGIS would display
> > a pop-up to propose the user to install qpip, and then qpip would
> > propose the user to install the dependencies.
> >
> > This is maybe what people consider cumbersome for users, but when it's
> > already installed, I think it's the proper way to go: we warn the user that
> > something needs to be installed, they agree or not (just one click!), then
> > we install it or not.
> >
> > Maybe we should consider integrating it in the core so we skip the first
> > step. There is already plugin dependency management in QGIS core, so
> > it's maybe relevant to extend it to what qpip can do.
> >
> > Regards,
> > Julien
> >
> >
> >
> > > Hey Joona,
> > >
> > > I have looked into qpip, but it is not sufficient. Not only do most dependencies have binaries, but the process also creates a somewhat
> > > cumbersome installation workflow for non-technical users.
> > >
> > > In the end, the problem seems to be that the plugins I am talking about are not really GIS plugins, but rather bigger pieces of software with a
> > > very significant QGIS component, mostly for visualization purposes, so I must grant that as a large part of the problem.
> > >
> > > We will likely explore deploying custom plugin repositories and developing full installers. It's inconvenient for users, but there isn't another
> > > alternative I can see right now.
> > >
> > > Cheers,
> > > Pedro
> > >
> > > From: Joona Laine <joona.p.laine at gmail.com>
> > > To: "Pedro Camargo"<c at margo.co>
> > > Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> > > Date: Mon, 25 May 2026 15:47:55 +1000
> > > Subject: Re: [QGIS-Developer] Security issues with plugins
> > >
> > > Hello Pedro,
> > >
> > > qgis-plugin-dev-tools (https://github.com/nlsfi/qgis-plugin-dev-tools#setup) solves the dependency issue by including the dependencies
> > > with the plugin package.
> > >
> > > It can easily handle most (non-binary) requirements by automatically rewriting the imports of these vendored dependencies in the
> > > build process.
> > > This way it is possible to have multiple plugins using different versions of the same requirement without any conflicts.
> > > It is also possible to include binary dependencies, but there is no operating-system-specific logic built yet at the moment.
> > >
> > > There is also a tool called qpip (https://github.com/opengisch/qpip) for dependency management, which might be worth checking out.
> > >
> > > Cheers,
> > > Joona
> > >
> > > On Mon 25.5.2026 at 6.35 Pedro Camargo via QGIS-Developer (qgis-developer at lists.osgeo.org) wrote:
> > >
> > > Hey Nyall,
> > >
> > > I hear you, but let me highlight two points of my original post.
> > >
> > > * The plugin asks the user whether they want to install the dependencies.
> > > * The dependencies are installed in the plugin folder and can therefore be removed without causing any lasting damage to the
> > > user's QGIS installation.
> > >
> > > Installing additional dependencies in QGIS remains a painful task for less technical users, adding another (somewhat unnecessary)
> > > hurdle to adoption.
> > >
> > > On that note, a fair question could be: Is there a recommended low-effort (for users) path to install extra dependencies for plugins?
> > >
> > > If not, is that something being considered for the near future?
> > >
> > > Cheers,
> > > Pedro
> > >
> > > From: Nyall Dawson <nyall.dawson at gmail.com>
> > > To: "Pedro Camargo"<c at margo.co>
> > > Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> > > Date: Mon, 25 May 2026 11:12:20 +1000
> > > Subject: Re: [QGIS-Developer] Security issues with plugins
> > >
> > > On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
> > > >
> > > > Hello fellow QGISrs,
> > > >
> > > >
> > > >
> > > > I maintain a couple of plugins that require a substantial number of extra Python packages (many of which have
> > > compiled/binary components). Hence, those plugins install all such requirements in a folder directly inside the plugin itself,
> > > keeping it quite clean when the user wants to remove said plugins.
> > > >
> > > >
> > > > I have been doing it this way for many years now, but this weekend I received security alerts that both plugins were taken down
> > > due to code that downloads extra dependencies (offending code at
> > > qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop · AequilibraE/qaequilibrae).
> > > >
> > > > Does anyone have any recommendations on how to proceed? What is currently the recommended way for plugins to install
> > > further dependencies?
> > >
> > > My personal 2c: a plugin should NEVER automatically install dependencies like this. Rather, you should detect missing
> > > dependencies, warn the user, and point them to a documentation page directing them how to install the missing libraries on
> > > different operating systems.
> > >
> > > I think it's EXTREMELY dangerous for a plugin to assume that it can mess with the user's operating system in this way, as it risks
> > > completely breaking their QGIS install or even their wider python environment. I would like to see us explicitly blocking all plugins
> > > from the repository that do this in future. 👎
> > >
> > > Nyall
> > >
> > > >
> > > > Cheers,
> > > > Pedro
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > QGIS-Developer mailing list
> > > > QGIS-Developer at lists.osgeo.org
> > > > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > > > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > >
> >
> > --
> >
> > Julien Cabieces
> > Senior Developer at Oslandia
> > julien.cabieces at oslandia.com
> >
--
Julien Cabieces
Senior Developer at Oslandia
julien.cabieces at oslandia.com
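As an added illustration (not the plugin website's `security_scanner.py`, nor the plugin's own code): a minimal scanner that reproduces the two findings Julien quotes, hidden files and executable extensions in the plugin zip, and adds the subprocess / `os.system()` check he notes is missing, using the `ast` module so string matching is not fooled by comments. The extension list, the finding messages and the `installer.py` module in the constructed sample zip are assumptions.

```python
import ast
import io
import posixpath
import zipfile

EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".dll", ".sh", ".ps1"}  # assumed list

def scan_paths(paths):
    """Flag hidden files and executable extensions among zip entry paths."""
    findings = []
    for path in paths:
        if any(p.startswith(".") for p in path.split("/") if p):
            findings.append((path, "Hidden file detected"))
        ext = posixpath.splitext(path)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((path, f"Executable or binary file detected ({ext})"))
    return findings

def find_command_calls(source):
    """Report subprocess imports and os.system() calls, found via the AST."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import) and any(a.name == "subprocess" for a in node.names):
            findings.append(f"line {node.lineno}: imports subprocess")
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            findings.append(f"line {node.lineno}: imports from subprocess")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func  # e.g. os.system(...)
            if isinstance(f.value, ast.Name) and f.value.id == "os" and f.attr == "system":
                findings.append(f"line {node.lineno}: calls os.system()")
    return findings

def scan_plugin_zip(data):
    """Scan plugin zip bytes; returns a list of (entry path, message) findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        findings = scan_paths(names)
        for name in names:
            if name.endswith(".py"):
                source = zf.read(name).decode("utf-8", errors="replace")
                findings.extend((name, msg) for msg in find_command_calls(source))
    return findings

def build_sample_plugin():
    """Constructed zip: the two paths from the thread plus a made-up installer.py."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("qaequilibrae-develop/.pre-commit-config.yaml", "repos: []\n")
        zf.writestr("qaequilibrae-develop/docs/make.bat", "@echo off\n")
        zf.writestr("qaequilibrae-develop/installer.py", "import subprocess\nsubprocess.check_call(['pip', 'install', 'x'])\n")
    return buf.getvalue()
```

Running `scan_plugin_zip(build_sample_plugin())` yields the two findings from the thread plus one for the subprocess import; a real scanner would also need to handle unparseable Python files and the many other ways of spawning a process.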