Skip to content

Security fixes#101

Merged
chadlawlis merged 4 commits into
mainfrom
chad/fix-release-blocking-security-issues
Jun 17, 2026
Merged

Security fixes#101
chadlawlis merged 4 commits into
mainfrom
chad/fix-release-blocking-security-issues

Conversation

@chadlawlis

Copy link
Copy Markdown
Contributor

Fixes two "critical" issues flagged by the QGIS plugin repository security scan that were blocking the v3.2.0 release.

Bumps to v3.2.1.

Security scan findings

Bandit Security Analysis

  • felt/core/auth.py:185 — Call to requests without timeout

Secrets Detection

  • felt/core/api_client.py:349 — Potential Base64 High Entropy String detected
  • felt/core/api_client.py:367 — Potential Base64 High Entropy String detected

Note on severity

The QGIS plugin scan labels these "critical," but that reflects the scanner's default tags, not real-world impact in this plugin:

  • Secrets Detection (api_client.py) — False positive. The flagged string was a multipart/form-data boundary marker (a public, plaintext HTTP delimiter, identical for every user), not a credential. Nothing to leak; the change is cosmetic to satisfy the scanner's entropy heuristic.
  • Bandit, requests without timeout (auth.py) — A legitimate best-practice fix, but low severity here: the call targets 127.0.0.1 against a server the plugin itself just started, with no untrusted input or remote attacker. Worst case is a hung thread (reliability/UX), not an exploitable vulnerability.

Both are fixed because the scan is a binary publication gate on plugins.qgis.org, and both changes are harmless-to-positive regardless. Users of 3.2.0 were not realistically at risk.

Changes

  • Add timeout to OAuth callback unblock request (auth.py) — The requests.get() call that unblocks the local OAuth callback server's handle_request() loop had no
    timeout (the warning was previously suppressed with a missing-timeout pylint pragma). Added an explicit timeout=10 and removed the now-unneeded pragma. Behavior is
    unchanged on the normal localhost path and strictly safer in the edge case (bounded wait instead of an indefinite hang).

  • Replace high-entropy multipart boundary with a readable constant (api_client.py) — The hardcoded multipart/form-data boundary QGISFormBoundary2XCkqVRLJ5XMxfw5
    tripped the secrets scanner's base64 high-entropy heuristic, though it was only a MIME boundary marker, not a secret. Replaced it with a single low-entropy, readable constant
    (MULTIPART_BOUNDARY = "QGISFeltPluginFormBoundary") referenced everywhere the boundary is used, and updated the matching test assertion.

Notes

  • No functional/behavioral change to the OAuth flow or file-upload requests.
  • Also includes updates to metadata and releasing docs to clarify use of changelog and what to do in the event of a blocked release submission

Test plan

CI

chadlawlis and others added 4 commits June 17, 2026 17:34
Bandit flagged the requests.get() call in auth.py used to unblock the
local OAuth callback server's handle_request() loop as a call to
requests without a timeout. Add an explicit timeout=10 and remove the
now-unneeded missing-timeout pylint pragma.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The secrets scanner flagged the hardcoded multipart/form-data boundary
"QGISFormBoundary2XCkqVRLJ5XMxfw5" as a potential base64 high-entropy
string. It was only a MIME boundary marker, not a secret. Replace it
with a single readable, low-entropy constant
(MULTIPART_BOUNDARY = "QGISFeltPluginFormBoundary") referenced
everywhere the boundary is used, and update the matching test
assertion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The 3.2.0 release was blocked from publication to the QGIS plugin
repository by the security scan. Since a 3.2.0 GitHub release/tag was
already cut against code without these fixes, bump to 3.2.1 for the
fixed release rather than reusing the spent version number.

Add the corresponding 3.2.1 entry to CHANGELOG.md (qgis-plugin-ci
injects this into metadata.txt at release time).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Document that the metadata.txt changelog= field is auto-populated from
CHANGELOG.md by qgis-plugin-ci at release time and must not be edited by
hand. Correct RELEASING.md, which previously described CHANGELOG.md as
cosmetic, to explain that its notes are injected into the published
package and surfaced to users in the QGIS Plugin Manager. Add guidance
for resubmitting under a new patch version when plugins.qgis.org blocks
an upload after a tag has been cut.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Plugin ready!

A test version of this PR is available for testing here.

(Built from commit d1f4127)

@chadlawlis chadlawlis requested a review from samhashemi June 17, 2026 22:09
@chadlawlis chadlawlis merged commit 2df1afc into main Jun 17, 2026
14 checks passed
@chadlawlis chadlawlis deleted the chad/fix-release-blocking-security-issues branch June 17, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants