qgis-plugin-analyzer 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

analyzer/secrets.py

@@ -0,0 +1,84 @@
+"""Secret detection logic for QGIS Plugin Analyzer.
+
+Handles regex-based matching of API keys and high-entropy string detection.
+"""
+
+import math
+import re
+from dataclasses import dataclass
+from typing import List
+
+
+@dataclass
+class SecretFinding:
+    """Represents a detected secret or sensitive string."""
+
+    type: str
+    message: str
+    line: int
+    confidence: str
+
+
+class SecretScanner:
+    """Scanner for hardcoded secrets and high-entropy strings."""
+
+    # Common patterns for API keys and tokens
+    PATTERNS = {
+        "AWS_KEY": r"(?i)AKIA[0-9A-Z]{16}",
+        "GOOGLE_API_KEY": r"(?i)AIza[0-9A-Za-z\\-_]{35}",
+        "TWILIO_KEY": r"(?i)SK[a-z0-9]{32}",
+        "GENERIC_SECRET": r"(?i)(password|secret|passwd|api_key|token|access_key)[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{16,})[\"']?",
+    }
+
+    def __init__(self):
+        self.compiled_patterns = {k: re.compile(v) for k, v in self.PATTERNS.items()}
+
+    def scan_text(self, text: str) -> List[SecretFinding]:
+        """Scans a file's content for secrets line by line."""
+        findings = []
+        lines = text.splitlines()
+
+        for i, line in enumerate(lines, 1):
+            # 1. Regex Pattern Matching
+            for p_name, pattern in self.compiled_patterns.items():
+                match = pattern.search(line)
+                if match:
+                    findings.append(
+                        SecretFinding(
+                            type=p_name,
+                            message=f"Possible hardcoded secret detected: {p_name}",
+                            line=i,
+                            confidence="HIGH" if p_name != "GENERIC_SECRET" else "MEDIUM",
+                        )
+                    )
+
+            # 2. Entropy Analysis for long strings (heuristic)
+            # Find strings in double or single quotes
+            str_matches = re.finditer(r"[\"']([A-Za-z0-9/+=]{20,})[\"']", line)
+            for m in str_matches:
+                candidate = m.group(1)
+                entropy = self.calculate_entropy(candidate)
+                # Shanon entropy: random strings usually > 3.5 - 4.0
+                if entropy > 4.5:
+                    findings.append(
+                        SecretFinding(
+                            type="HIGH_ENTROPY",
+                            message=f"High-entropy string detected (possible token/key): {candidate[:8]}...",
+                            line=i,
+                            confidence="MEDIUM",
+                        )
+                    )
+
+        return findings
+
+    @staticmethod
+    def calculate_entropy(data: str) -> float:
+        """Calculates Shannon entropy of a string."""
+        if not data:
+            return 0.0
+        entropy = 0.0
+        for x in range(256):
+            p_x = float(data.count(chr(x))) / len(data)
+            if p_x > 0:
+                entropy += -p_x * math.log(p_x, 2)
+        return entropy

analyzer/security_checker.py

@@ -0,0 +1,85 @@
+"""Core infrastructure for security scanning in QGIS Plugin Analyzer.
+
+Inspired by Bandit's architecture, this module provides a decorator-based
+registry for security checks and a context helper for AST analysis.
+"""
+
+import ast
+from dataclasses import dataclass
+from typing import Any, Callable, Dict, List, Optional, Type
+
+
+@dataclass
+class SecurityFinding:
+    """Represents a detected security vulnerability."""
+
+    id: str
+    severity: str  # LOW, MEDIUM, HIGH
+    confidence: str  # LOW, MEDIUM, HIGH
+    message: str
+    line: int
+    code_snippet: Optional[str] = None
+    cwe: Optional[int] = None
+
+
+class SecurityContext:
+    """Helper class providing easy access to AST node information for security checks."""
+
+    def __init__(self, node: ast.AST, filename: str):
+        self.node = node
+        self.filename = filename
+
+    @property
+    def call_function_name(self) -> Optional[str]:
+        """Returns the name of the function being called if the node is a Call."""
+        if isinstance(self.node, ast.Call):
+            if isinstance(self.node.func, ast.Name):
+                return self.node.func.id
+            if isinstance(self.node.func, ast.Attribute):
+                return self.node.func.attr
+        return None
+
+    @property
+    def call_args_count(self) -> int:
+        """Returns the number of positional arguments in a Call node."""
+        if isinstance(self.node, ast.Call):
+            return len(self.node.args)
+        return 0
+
+    def get_call_keyword_value(self, keyword_name: str) -> Any:
+        """Returns the value of a specific keyword argument in a Call node."""
+        if isinstance(self.node, ast.Call):
+            for kw in self.node.keywords:
+                if kw.arg == keyword_name:
+                    if isinstance(kw.value, ast.Constant):
+                        return kw.value.value
+        return None
+
+
+class SecurityRegistry:
+    """Registry for security checks managed by decorators."""
+
+    _checks: Dict[Type[ast.AST], List[Callable[[SecurityContext], Optional[SecurityFinding]]]] = {}
+
+    @classmethod
+    def register(cls, node_type: Type[ast.AST]) -> Callable:
+        """Decorator to register a function as a security check for a specific node type."""
+
+        def decorator(func: Callable[[SecurityContext], Optional[SecurityFinding]]):
+            if node_type not in cls._checks:
+                cls._checks[node_type] = []
+            cls._checks[node_type].append(func)
+            return func
+
+        return decorator
+
+    @classmethod
+    def get_checks_for_node(
+        cls, node_type: Type[ast.AST]
+    ) -> List[Callable[[SecurityContext], Optional[SecurityFinding]]]:
+        """Returns all registered checks for a given AST node type."""
+        return cls._checks.get(node_type, [])
+
+
+# Decorator alias
+security_check = SecurityRegistry.register

analyzer/security_rules.py

@@ -0,0 +1,127 @@
+"""Security rules for QGIS Plugin Analyzer.
+
+Each check is registered for a specific AST node type and performs a focused
+security audit.
+"""
+
+import ast
+from typing import Optional, cast
+
+from .security_checker import SecurityContext, SecurityFinding, security_check
+
+
+@security_check(node_type=ast.Call)
+def check_exec_eval(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B102/B307: Detect use of exec or eval."""
+    func_name = context.call_function_name
+    if func_name in ("exec", "eval"):
+        node = cast(ast.Call, context.node)
+        return SecurityFinding(
+            id="B102" if func_name == "exec" else "B307",
+            severity="HIGH",
+            confidence="HIGH",
+            message=f"Use of '{func_name}' detected. This can lead to arbitrary code execution.",
+            line=node.lineno,
+            code_snippet=ast.unparse(node),
+            cwe=95 if func_name == "eval" else 78,
+        )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_insecure_deserialization(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B301: Detect unsafe pickle.load()."""
+    if context.call_function_name == "load":
+        # Check if it's from 'pickle'
+        node = cast(ast.Call, context.node)
+        if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
+            if node.func.value.id == "pickle":
+                return SecurityFinding(
+                    id="B301",
+                    severity="HIGH",
+                    confidence="HIGH",
+                    message="Use of 'pickle.load()' detected. Deserializing untrusted data can lead to remote code execution.",
+                    line=node.lineno,
+                    code_snippet=ast.unparse(node),
+                    cwe=502,
+                )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_subprocess_shell(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B602: Subprocess call with shell=True."""
+    func_name = context.call_function_name
+    subprocess_funcs = {"run", "call", "Popen", "check_call", "check_output"}
+
+    if func_name in subprocess_funcs:
+        shell_val = context.get_call_keyword_value("shell")
+        if shell_val is True:
+            node = cast(ast.Call, context.node)
+            return SecurityFinding(
+                id="B602",
+                severity="HIGH",
+                confidence="HIGH",
+                message=f"Subprocess call '{func_name}' with 'shell=True' detected. This is a primary source of shell injection.",
+                line=node.lineno,
+                code_snippet=ast.unparse(node),
+                cwe=78,
+            )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_sql_injection(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B608: Basic detection of SQL injection via string formatting."""
+    if context.call_function_name == "execute":
+        if context.call_args_count > 0:
+            node = cast(ast.Call, context.node)
+            sql_arg = node.args[0]
+            # Check for f-strings or .format() or % formatting in the first argument
+            is_unsafe = False
+            if isinstance(sql_arg, ast.JoinedStr):
+                is_unsafe = True
+            elif isinstance(sql_arg, ast.BinOp) and isinstance(sql_arg.op, ast.Mod):
+                is_unsafe = True
+            elif isinstance(sql_arg, ast.Call) and isinstance(sql_arg.func, ast.Attribute):
+                if sql_arg.func.attr == "format":
+                    is_unsafe = True
+
+            if is_unsafe:
+                return SecurityFinding(
+                    id="B608",
+                    severity="HIGH",
+                    confidence="MEDIUM",
+                    message="Possible SQL injection detected. Use parameterized queries instead of string formatting.",
+                    line=node.lineno,
+                    code_snippet=ast.unparse(node),
+                    cwe=89,
+                )
+    return None
+
+
+@security_check(node_type=ast.Assign)
+def check_hardcoded_secrets(context: SecurityContext) -> Optional[SecurityFinding]:
+    """Detect assignments of sensitive names to constants."""
+    node = context.node
+    if not isinstance(node, ast.Assign):
+        return None
+
+    sensitive_names = {"password", "token", "api_key", "secret", "access_key"}
+
+    for target in node.targets:
+        if isinstance(target, ast.Name) and any(s in target.id.lower() for s in sensitive_names):
+            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
+                # Only flag if it's not empty and looks like a secret
+                val = node.value.value
+                if len(val) > 8:
+                    cast_node = cast(ast.Assign, node)
+                    return SecurityFinding(
+                        id="HARDCODED_SECRET",
+                        severity="MEDIUM",
+                        confidence="MEDIUM",
+                        message=f"Possible hardcoded secret in assignment to '{target.id}'.",
+                        line=cast_node.lineno,
+                        code_snippet=ast.unparse(cast_node),
+                    )
+    return None