> For example, is it possible to compromise QGIS Desktop via a > opening/connecting to a compromised shapefile/Geopackage/web-service/CSV > etc etc? I have no idea, but it'd definitely be a useful thing to > investigate.
For file formats, part of the security/insecurity would fall on GDAL (and underlying libraries). GDAL has been integrated with oss-fuzz [1] since 3 years and we have fixed a big number of issues raised by it (not all strictly security related). That said, that doesn't test the pure QGIS side of things, since there could be issues in QGIS provider code, or in non-GDAL code paths (text delimited provider, web service providers). One technical issue with oss-fuzz is that it requires statically linked binaries, due to constraints how they deploy the binaries in their stress-testing cloud. An alternative would be to use AFL ([2]) (which is one of the backends used by oss-fuzz), which doesn't have this statically linked binary requirement. On the client side, testing the security of web service providers would be pretty challenging since you'd have to simulate potentially hostile servers and look at how the client reacts to those hostile responses. For the server side, you could imagine having a ossfuzz/afl integration where what would be fuzzed would be the request sent to the server. Even [1] https://github.com/google/oss-fuzz [2] https://github.com/google/AFL -- Spatialys - Geospatial professional services http://www.spatialys.com _______________________________________________ QGIS-Developer mailing list [email protected] List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
