[Qgis-psc] 2025 Grant: Trusted projects and folders (QEP 336) progress report

Mathieu Pellerin nirvn.asia at gmail.com
Fri Oct 31 04:06:40 PDT 2025


Greetings PSC,

I’m happy to report that the work for the above-mentioned QEP has been
completed and merged during the month of October 2025.

As a result of the work done, QGIS has enhanced security measures around
its handling of embedded scripts while at the same time increasing user
convenience by providing project-based security prompts.

In order to achieve that, QGIS has gained a new trust status -
undetermined, untrusted, and trusted - associated with individual project
files as well as folder paths. The trust determination by the
user can be temporary - lasting for a single QGIS session - or saved in
the user profile’s settings and remembered across sessions.

The untrusted and trusted status of projects and folders saved in the
user profile can be modified at any time by the user through a dedicated
UI within the options dialog, as well as preconfigured in the global
INI file.

Project trust is used to determine whether the following embedded scripts
are permitted to run:

- macros;
- custom expression functions;
- map layer actions (Python as well as Windows, Linux, and macOS
scripts); and
- attribute form custom init code.

For macros and custom expression functions, which require activation on
project load, users opening projects containing these two types of
embedded scripts will be presented with a modal dialog seeking a
decision on whether to allow the scripts to run or deny them. The dialog
contains a list of embedded scripts found within the project being
opened and allows for each embedded script to be previewed directly
within that dialog.

For map layer actions and attribute form custom init code, QGIS will
defer the dialog until an action is triggered or an attribute form
is opened. This allows for the newly-introduced security measure to not
have an impact on users' workflow unless and until it is relevant and
necessary.

It’s also worth mentioning that, contrary to macros and expression
functions, the layer actions and attribute form init code were until
this work not placed behind a user permission mechanism, which
allowed for arbitrary code to be executed, in many cases without users'
knowledge of the potential risks.

To drive this new UX, a new set of object visitor classes has been
added to traverse a given project and its layers to gather all embedded
scripts. This ensures that the functionality can easily be extended when
new embedded scripts are added in the future.
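The following is an added illustration, not code from QGIS or from the QEP itself: a small Python model of the design described above (trust store with session and persisted entries keyed by project file or folder path, a visitor that gathers embedded scripts from a project and its layers, and the split between load-time prompts for macros/expression functions and deferred prompts for layer actions and form init code). All class and function names, the POSIX-style path matching, and the precedence rules (session over persisted, exact project entry over folder entry, deeper folder over shallower) are assumptions of this model and are not QGIS's API.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath
from typing import Optional


class Trust(Enum):
    UNDETERMINED = "undetermined"
    UNTRUSTED = "untrusted"
    TRUSTED = "trusted"


class ScriptKind(Enum):
    MACRO = "macro"
    EXPRESSION_FUNCTION = "custom expression function"
    LAYER_ACTION = "map layer action"
    FORM_INIT = "attribute form init code"


# Kinds that must be activated when the project loads, so the prompt cannot be deferred.
PROMPT_ON_LOAD = frozenset({ScriptKind.MACRO, ScriptKind.EXPRESSION_FUNCTION})


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"


@dataclass
class TrustStore:
    """Trust entries keyed by project file or folder path (hypothetical model).

    `persisted` stands in for the profile settings / global INI; `session` is
    forgotten when the application exits.
    """
    persisted: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    def lookup(self, project_path: str) -> Trust:
        path = PurePosixPath(project_path)
        # Session decisions shadow persisted ones (model assumption).
        for store in (self.session, self.persisted):
            entries = {PurePosixPath(p): t for p, t in store.items()}
            if path in entries:                      # exact project entry wins
                return entries[path]
            folders = [f for f in entries if f in path.parents]
            if folders:                              # deepest enclosing folder wins
                return entries[max(folders, key=lambda f: len(f.parts))]
        return Trust.UNDETERMINED

    def record(self, project_path: str, trust: Trust, remember: bool) -> None:
        """Store the user's decision for the session only, or across sessions."""
        (self.persisted if remember else self.session)[project_path] = trust


@dataclass
class EmbeddedScript:
    kind: ScriptKind
    location: str   # shown in the prompt's list so the user can preview it
    source: str


@dataclass
class Layer:
    name: str
    actions: dict = field(default_factory=dict)   # action name -> script source
    form_init: Optional[str] = None


@dataclass
class Project:
    path: str
    macros: Optional[str] = None
    expression_functions: Optional[str] = None
    layers: list = field(default_factory=list)


class EmbeddedScriptVisitor:
    """Traverses a project and its layers, collecting every embedded script.
    A new script-bearing object type only needs one more visit method here."""

    def visit(self, project: Project) -> list:
        found = []
        if project.macros:
            found.append(EmbeddedScript(ScriptKind.MACRO, "project", project.macros))
        if project.expression_functions:
            found.append(EmbeddedScript(ScriptKind.EXPRESSION_FUNCTION, "project",
                                        project.expression_functions))
        for layer in project.layers:
            found.extend(self.visit_layer(layer))
        return found

    def visit_layer(self, layer: Layer) -> list:
        found = [EmbeddedScript(ScriptKind.LAYER_ACTION, f"{layer.name}/{name}", src)
                 for name, src in layer.actions.items()]
        if layer.form_init:
            found.append(EmbeddedScript(ScriptKind.FORM_INIT, layer.name, layer.form_init))
        return found


def may_run(store: TrustStore, project_path: str) -> Decision:
    """Gate every embedded script on the project's trust; undetermined means ask."""
    trust = store.lookup(project_path)
    if trust is Trust.TRUSTED:
        return Decision.ALLOW
    if trust is Trust.UNTRUSTED:
        return Decision.DENY
    return Decision.PROMPT


def load_time_prompt(store: TrustStore, project: Project) -> list:
    """Scripts the modal dialog lists when the project opens. Empty when trust is
    already settled or the project only carries scripts whose prompt is deferred
    (layer actions and form init code call may_run() when triggered instead)."""
    if may_run(store, project.path) is not Decision.PROMPT:
        return []
    return [s for s in EmbeddedScriptVisitor().visit(project) if s.kind in PROMPT_ON_LOAD]


if __name__ == "__main__":
    # Constructed sample: a trusted folder with an untrusted subfolder preconfigured.
    store = TrustStore(persisted={"/data": Trust.TRUSTED, "/data/untrusted": Trust.UNTRUSTED})
    proj = Project("/home/me/c.qgs", macros="def openProject(): pass", expression_functions="def f(): 1",
                   layers=[Layer("roads", actions={"open": "print('hi')"}, form_init="def init(d): pass")])
    print([s.kind.value for s in load_time_prompt(store, proj)])   # only the two load-time kinds
    store.record(proj.path, Trust.TRUSTED, remember=False)        # "allow for this session"
    print(may_run(store, proj.path))                               # Decision.ALLOW
```

The point of the split in `load_time_prompt` is that the user is asked about layer actions and form init code only when one is actually triggered, while the macros and expression functions cannot wait and are listed together for preview before anything runs; a session-only answer leaves `persisted` untouched, so a fresh session starts from undetermined again.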

I would like to thank the QGIS grant programme for having sponsored
what amounts to a substantial leap forward in the way we handle safety
and user awareness around embedded scripts.

Best regards,

Mathieu Pellerin
OPENGIS.ch