Security fixes#101
Merged
Merged
Conversation
Bandit flagged the requests.get() call in auth.py used to unblock the local OAuth callback server's handle_request() loop as a call to requests without a timeout. Add an explicit timeout=10 and remove the now-unneeded missing-timeout pylint pragma. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The secrets scanner flagged the hardcoded multipart/form-data boundary "QGISFormBoundary2XCkqVRLJ5XMxfw5" as a potential base64 high-entropy string. It was only a MIME boundary marker, not a secret. Replace it with a single readable, low-entropy constant (MULTIPART_BOUNDARY = "QGISFeltPluginFormBoundary") referenced everywhere the boundary is used, and update the matching test assertion. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The 3.2.0 release was blocked from publication to the QGIS plugin repository by the security scan. Since a 3.2.0 GitHub release/tag was already cut against code without these fixes, bump to 3.2.1 for the fixed release rather than reusing the spent version number. Add the corresponding 3.2.1 entry to CHANGELOG.md (qgis-plugin-ci injects this into metadata.txt at release time). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Document that the metadata.txt changelog= field is auto-populated from CHANGELOG.md by qgis-plugin-ci at release time and must not be edited by hand. Correct RELEASING.md, which previously described CHANGELOG.md as cosmetic, to explain that its notes are injected into the published package and surfaced to users in the QGIS Plugin Manager. Add guidance for resubmitting under a new patch version when plugins.qgis.org blocks an upload after a tag has been cut. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
samhashemi
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes two "critical" issues flagged by the QGIS plugin repository security scan that were blocking the v3.2.0 release.
Bumps to v3.2.1.
Security scan findings
Bandit Security Analysis
felt/core/auth.py:185— Call torequestswithout timeoutSecrets Detection
felt/core/api_client.py:349— Potential Base64 High Entropy String detectedfelt/core/api_client.py:367— Potential Base64 High Entropy String detectedNote on severity
The QGIS plugin scan labels these "critical," but that reflects the scanner's default tags, not real-world impact in this plugin:
api_client.py) — False positive. The flagged string was amultipart/form-databoundary marker (a public, plaintext HTTP delimiter, identical for every user), not a credential. Nothing to leak; the change is cosmetic to satisfy the scanner's entropy heuristic.requestswithout timeout (auth.py) — A legitimate best-practice fix, but low severity here: the call targets127.0.0.1against a server the plugin itself just started, with no untrusted input or remote attacker. Worst case is a hung thread (reliability/UX), not an exploitable vulnerability.Both are fixed because the scan is a binary publication gate on plugins.qgis.org, and both changes are harmless-to-positive regardless. Users of 3.2.0 were not realistically at risk.
Changes
Add timeout to OAuth callback unblock request (
auth.py) — Therequests.get()call that unblocks the local OAuth callback server'shandle_request()loop had notimeout (the warning was previously suppressed with a
missing-timeoutpylint pragma). Added an explicittimeout=10and removed the now-unneeded pragma. Behavior isunchanged on the normal localhost path and strictly safer in the edge case (bounded wait instead of an indefinite hang).
Replace high-entropy multipart boundary with a readable constant (
api_client.py) — The hardcodedmultipart/form-databoundaryQGISFormBoundary2XCkqVRLJ5XMxfw5tripped the secrets scanner's base64 high-entropy heuristic, though it was only a MIME boundary marker, not a secret. Replaced it with a single low-entropy, readable constant
(
MULTIPART_BOUNDARY = "QGISFeltPluginFormBoundary") referenced everywhere the boundary is used, and updated the matching test assertion.Notes
changelogand what to do in the event of a blocked release submissionTest plan
CI