qgis-plugin-analyzer 1.4.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

analyzer/secrets.py

@@ -0,0 +1,84 @@
+"""Secret detection logic for QGIS Plugin Analyzer.
+
+Handles regex-based matching of API keys and high-entropy string detection.
+"""
+
+import math
+import re
+from dataclasses import dataclass
+from typing import List
+
+
+@dataclass
+class SecretFinding:
+    """Represents a detected secret or sensitive string."""
+
+    type: str
+    message: str
+    line: int
+    confidence: str
+
+
+class SecretScanner:
+    """Scanner for hardcoded secrets and high-entropy strings."""
+
+    # Common patterns for API keys and tokens
+    PATTERNS = {
+        "AWS_KEY": r"(?i)AKIA[0-9A-Z]{16}",
+        "GOOGLE_API_KEY": r"(?i)AIza[0-9A-Za-z\\-_]{35}",
+        "TWILIO_KEY": r"(?i)SK[a-z0-9]{32}",
+        "GENERIC_SECRET": r"(?i)(password|secret|passwd|api_key|token|access_key)[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{16,})[\"']?",
+    }
+
+    def __init__(self):
+        self.compiled_patterns = {k: re.compile(v) for k, v in self.PATTERNS.items()}
+
+    def scan_text(self, text: str) -> List[SecretFinding]:
+        """Scans a file's content for secrets line by line."""
+        findings = []
+        lines = text.splitlines()
+
+        for i, line in enumerate(lines, 1):
+            # 1. Regex Pattern Matching
+            for p_name, pattern in self.compiled_patterns.items():
+                match = pattern.search(line)
+                if match:
+                    findings.append(
+                        SecretFinding(
+                            type=p_name,
+                            message=f"Possible hardcoded secret detected: {p_name}",
+                            line=i,
+                            confidence="HIGH" if p_name != "GENERIC_SECRET" else "MEDIUM",
+                        )
+                    )
+
+            # 2. Entropy Analysis for long strings (heuristic)
+            # Find strings in double or single quotes
+            str_matches = re.finditer(r"[\"']([A-Za-z0-9/+=]{20,})[\"']", line)
+            for m in str_matches:
+                candidate = m.group(1)
+                entropy = self.calculate_entropy(candidate)
+                # Shanon entropy: random strings usually > 3.5 - 4.0
+                if entropy > 4.5:
+                    findings.append(
+                        SecretFinding(
+                            type="HIGH_ENTROPY",
+                            message=f"High-entropy string detected (possible token/key): {candidate[:8]}...",
+                            line=i,
+                            confidence="MEDIUM",
+                        )
+                    )
+
+        return findings
+
+    @staticmethod
+    def calculate_entropy(data: str) -> float:
+        """Calculates Shannon entropy of a string."""
+        if not data:
+            return 0.0
+        entropy = 0.0
+        for x in range(256):
+            p_x = float(data.count(chr(x))) / len(data)
+            if p_x > 0:
+                entropy += -p_x * math.log(p_x, 2)
+        return entropy

analyzer/security_checker.py

@@ -0,0 +1,85 @@
+"""Core infrastructure for security scanning in QGIS Plugin Analyzer.
+
+Inspired by Bandit's architecture, this module provides a decorator-based
+registry for security checks and a context helper for AST analysis.
+"""
+
+import ast
+from dataclasses import dataclass
+from typing import Any, Callable, Dict, List, Optional, Type
+
+
+@dataclass
+class SecurityFinding:
+    """Represents a detected security vulnerability."""
+
+    id: str
+    severity: str  # LOW, MEDIUM, HIGH
+    confidence: str  # LOW, MEDIUM, HIGH
+    message: str
+    line: int
+    code_snippet: Optional[str] = None
+    cwe: Optional[int] = None
+
+
+class SecurityContext:
+    """Helper class providing easy access to AST node information for security checks."""
+
+    def __init__(self, node: ast.AST, filename: str):
+        self.node = node
+        self.filename = filename
+
+    @property
+    def call_function_name(self) -> Optional[str]:
+        """Returns the name of the function being called if the node is a Call."""
+        if isinstance(self.node, ast.Call):
+            if isinstance(self.node.func, ast.Name):
+                return self.node.func.id
+            if isinstance(self.node.func, ast.Attribute):
+                return self.node.func.attr
+        return None
+
+    @property
+    def call_args_count(self) -> int:
+        """Returns the number of positional arguments in a Call node."""
+        if isinstance(self.node, ast.Call):
+            return len(self.node.args)
+        return 0
+
+    def get_call_keyword_value(self, keyword_name: str) -> Any:
+        """Returns the value of a specific keyword argument in a Call node."""
+        if isinstance(self.node, ast.Call):
+            for kw in self.node.keywords:
+                if kw.arg == keyword_name:
+                    if isinstance(kw.value, ast.Constant):
+                        return kw.value.value
+        return None
+
+
+class SecurityRegistry:
+    """Registry for security checks managed by decorators."""
+
+    _checks: Dict[Type[ast.AST], List[Callable[[SecurityContext], Optional[SecurityFinding]]]] = {}
+
+    @classmethod
+    def register(cls, node_type: Type[ast.AST]) -> Callable:
+        """Decorator to register a function as a security check for a specific node type."""
+
+        def decorator(func: Callable[[SecurityContext], Optional[SecurityFinding]]):
+            if node_type not in cls._checks:
+                cls._checks[node_type] = []
+            cls._checks[node_type].append(func)
+            return func
+
+        return decorator
+
+    @classmethod
+    def get_checks_for_node(
+        cls, node_type: Type[ast.AST]
+    ) -> List[Callable[[SecurityContext], Optional[SecurityFinding]]]:
+        """Returns all registered checks for a given AST node type."""
+        return cls._checks.get(node_type, [])
+
+
+# Decorator alias
+security_check = SecurityRegistry.register

analyzer/security_rules.py

@@ -0,0 +1,127 @@
+"""Security rules for QGIS Plugin Analyzer.
+
+Each check is registered for a specific AST node type and performs a focused
+security audit.
+"""
+
+import ast
+from typing import Optional, cast
+
+from .security_checker import SecurityContext, SecurityFinding, security_check
+
+
+@security_check(node_type=ast.Call)
+def check_exec_eval(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B102/B307: Detect use of exec or eval."""
+    func_name = context.call_function_name
+    if func_name in ("exec", "eval"):
+        node = cast(ast.Call, context.node)
+        return SecurityFinding(
+            id="B102" if func_name == "exec" else "B307",
+            severity="HIGH",
+            confidence="HIGH",
+            message=f"Use of '{func_name}' detected. This can lead to arbitrary code execution.",
+            line=node.lineno,
+            code_snippet=ast.unparse(node),
+            cwe=95 if func_name == "eval" else 78,
+        )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_insecure_deserialization(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B301: Detect unsafe pickle.load()."""
+    if context.call_function_name == "load":
+        # Check if it's from 'pickle'
+        node = cast(ast.Call, context.node)
+        if isinstance(node.func, ast.Attribute) and isinstance(node.func.value, ast.Name):
+            if node.func.value.id == "pickle":
+                return SecurityFinding(
+                    id="B301",
+                    severity="HIGH",
+                    confidence="HIGH",
+                    message="Use of 'pickle.load()' detected. Deserializing untrusted data can lead to remote code execution.",
+                    line=node.lineno,
+                    code_snippet=ast.unparse(node),
+                    cwe=502,
+                )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_subprocess_shell(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B602: Subprocess call with shell=True."""
+    func_name = context.call_function_name
+    subprocess_funcs = {"run", "call", "Popen", "check_call", "check_output"}
+
+    if func_name in subprocess_funcs:
+        shell_val = context.get_call_keyword_value("shell")
+        if shell_val is True:
+            node = cast(ast.Call, context.node)
+            return SecurityFinding(
+                id="B602",
+                severity="HIGH",
+                confidence="HIGH",
+                message=f"Subprocess call '{func_name}' with 'shell=True' detected. This is a primary source of shell injection.",
+                line=node.lineno,
+                code_snippet=ast.unparse(node),
+                cwe=78,
+            )
+    return None
+
+
+@security_check(node_type=ast.Call)
+def check_sql_injection(context: SecurityContext) -> Optional[SecurityFinding]:
+    """B608: Basic detection of SQL injection via string formatting."""
+    if context.call_function_name == "execute":
+        if context.call_args_count > 0:
+            node = cast(ast.Call, context.node)
+            sql_arg = node.args[0]
+            # Check for f-strings or .format() or % formatting in the first argument
+            is_unsafe = False
+            if isinstance(sql_arg, ast.JoinedStr):
+                is_unsafe = True
+            elif isinstance(sql_arg, ast.BinOp) and isinstance(sql_arg.op, ast.Mod):
+                is_unsafe = True
+            elif isinstance(sql_arg, ast.Call) and isinstance(sql_arg.func, ast.Attribute):
+                if sql_arg.func.attr == "format":
+                    is_unsafe = True
+
+            if is_unsafe:
+                return SecurityFinding(
+                    id="B608",
+                    severity="HIGH",
+                    confidence="MEDIUM",
+                    message="Possible SQL injection detected. Use parameterized queries instead of string formatting.",
+                    line=node.lineno,
+                    code_snippet=ast.unparse(node),
+                    cwe=89,
+                )
+    return None
+
+
+@security_check(node_type=ast.Assign)
+def check_hardcoded_secrets(context: SecurityContext) -> Optional[SecurityFinding]:
+    """Detect assignments of sensitive names to constants."""
+    node = context.node
+    if not isinstance(node, ast.Assign):
+        return None
+
+    sensitive_names = {"password", "token", "api_key", "secret", "access_key"}
+
+    for target in node.targets:
+        if isinstance(target, ast.Name) and any(s in target.id.lower() for s in sensitive_names):
+            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
+                # Only flag if it's not empty and looks like a secret
+                val = node.value.value
+                if len(val) > 8:
+                    cast_node = cast(ast.Assign, node)
+                    return SecurityFinding(
+                        id="HARDCODED_SECRET",
+                        severity="MEDIUM",
+                        confidence="MEDIUM",
+                        message=f"Possible hardcoded secret in assignment to '{target.id}'.",
+                        line=cast_node.lineno,
+                        code_snippet=ast.unparse(cast_node),
+                    )
+    return None

analyzer/transformers.py

@@ -154,26 +154,24 @@ class I18nTransformer(ast.NodeTransformer):
         return node
 
 
-def apply_transformation(file_path: pathlib.Path, transformer: ast.NodeTransformer) -> bool:
-    """Applies an AST transformation to a file and writes back the modified code.
+def apply_transformation_to_content(
+    content: str, transformer: ast.NodeTransformer
+) -> Optional[str]:
+    """Applies an AST transformation to code content string.
 
     Args:
-        file_path: Path to the Python file to transform.
+        content: The Python source code.
         transformer: The AST node transformer to apply.
 
     Returns:
-        True if the file was modified, False otherwise.
+        The transformed code string if changes were made, None otherwise.
     """
     try:
-        content = file_path.read_text(encoding="utf-8")
         tree = ast.parse(content)
-
-        # Apply transformation
         new_tree = transformer.visit(tree)
         ast.fix_missing_locations(new_tree)
 
         if hasattr(transformer, "changes_made") and transformer.changes_made:
-            # Unparse back to code
             new_code = ast.unparse(new_tree)
 
             # Add necessary imports if needed
@@ -181,6 +179,29 @@ def apply_transformation(file_path: pathlib.Path, transformer: ast.NodeTransform
                 if "from qgis.core import QgsMessageLog, Qgis" not in new_code:
                     new_code = "from qgis.core import QgsMessageLog, Qgis\n\n" + new_code
 
+            return new_code
+
+        return None
+    except Exception as e:
+        print(f"Error transforming content: {e}")
+        return None
+
+
+def apply_transformation(file_path: pathlib.Path, transformer: ast.NodeTransformer) -> bool:
+    """Applies an AST transformation to a file and writes back the modified code.
+
+    Args:
+        file_path: Path to the Python file to transform.
+        transformer: The AST node transformer to apply.
+
+    Returns:
+        True if the file was modified, False otherwise.
+    """
+    try:
+        content = file_path.read_text(encoding="utf-8")
+        new_code = apply_transformation_to_content(content, transformer)
+
+        if new_code is not None:
             file_path.write_text(new_code, encoding="utf-8")
             return True
 

analyzer/utils/__init__.py

@@ -13,6 +13,7 @@ from .logging_utils import logger, setup_logger
 from .path_utils import (
     DEFAULT_EXCLUDE,
     IgnoreMatcher,
+    discover_project_files,
     load_ignore_patterns,
     safe_path_resolve,
 )
@@ -29,6 +30,7 @@ __all__ = [
     "logger",
     "safe_path_resolve",
     "IgnoreMatcher",
+    "discover_project_files",
     "load_ignore_patterns",
     "DEFAULT_EXCLUDE",
     "load_profile_config",

analyzer/utils/path_utils.py

@@ -3,7 +3,7 @@
 import fnmatch
 import os
 import pathlib
-from typing import Dict, List
+from typing import Any, Dict, List
 
 # Default patterns to ignore if not specified
 DEFAULT_EXCLUDE = {
@@ -21,6 +21,9 @@ DEFAULT_EXCLUDE = {
     "analysis_results/",
 }
 
+# Prohibited binary extensions per QGIS repository policy
+BINARY_EXTENSIONS = {".exe", ".dll", ".so", ".dylib", ".pyd", ".bin", ".a", ".lib"}
+
 
 def safe_path_resolve(base_path: pathlib.Path, target_path_str: str) -> pathlib.Path:
     """Resolves a target path safely relative to a base path.
@@ -133,3 +136,52 @@ def load_ignore_patterns(ignore_file: pathlib.Path) -> List[str]:
         return []
     with open(ignore_file) as f:
         return f.readlines()
+
+
+def discover_project_files(project_path: pathlib.Path, matcher: IgnoreMatcher) -> Dict[str, Any]:
+    """Scans the project directory once to discover all relevant files and metrics.
+    This replaces multiple redundant rglob calls, optimizing I/O performance.
+
+    Args:
+        project_path: Root path of the project.
+        matcher: IgnoreMatcher instance for filtering.
+
+    Returns:
+        A dictionary with:
+            - python_files: List of Paths to .py files.
+            - binaries: List of relative paths to binary files.
+            - total_size_mb: Total size of non-ignored files in MB.
+            - has_metadata: Boolean indicating if metadata.txt exists.
+    """
+    python_files = []
+    binaries = []
+    total_bytes = 0
+    has_metadata = False
+
+    for file_path in project_path.rglob("*"):
+        if not file_path.is_file():
+            continue
+
+        if matcher.is_ignored(file_path):
+            continue
+
+        # Basics
+        total_bytes += file_path.stat().st_size
+
+        # Check metadata
+        if file_path.name == "metadata.txt" and file_path.parent == project_path:
+            has_metadata = True
+
+        # Classify by extension
+        ext = file_path.suffix.lower()
+        if ext == ".py":
+            python_files.append(file_path)
+        elif ext in BINARY_EXTENSIONS:
+            binaries.append(str(file_path.relative_to(project_path)))
+
+    return {
+        "python_files": python_files,
+        "binaries": binaries,
+        "total_size_mb": total_bytes / (1024 * 1024),
+        "has_metadata": has_metadata,
+    }

analyzer/validators.py

@@ -6,66 +6,13 @@
 
 import ipaddress
 import pathlib
+import re  # Added for folder name validation
 import socket
 import urllib.error
 import urllib.parse
 import urllib.request
 from typing import Any, Dict, List
 
-# Prohibited binary extensions per QGIS repository policy
-BINARY_EXTENSIONS = {".exe", ".dll", ".so", ".dylib", ".pyd", ".bin", ".a", ".lib"}
-
-
-def scan_for_binaries(project_path: pathlib.Path, ignore_matcher: Any = None) -> List[str]:
-    """Scans the project for prohibited binary files per QGIS policies.
-
-    Args:
-        project_path: Root path of the project.
-        ignore_matcher: Optional object to determine if a path should be ignored.
-
-    Returns:
-        A list of relative paths to any binary files found.
-    """
-    binaries = []
-
-    for file_path in project_path.rglob("*"):
-        if file_path.is_file():
-            # Skip if matches ignore pattern
-            if ignore_matcher and ignore_matcher.is_ignored(file_path):
-                continue
-
-            if file_path.suffix.lower() in BINARY_EXTENSIONS:
-                rel_path = str(file_path.relative_to(project_path))
-                binaries.append(rel_path)
-
-    return binaries
-
-
-def calculate_package_size(project_path: pathlib.Path, ignore_matcher: Any = None) -> float:
-    """Calculates the total package size in Megabytes (MB).
-
-    Args:
-        project_path: Root path of the project.
-        ignore_matcher: Optional object to determine if a path should be ignored.
-
-    Returns:
-        The total size of the plugin package in MB.
-    """
-    total_size = 0
-
-    for file_path in project_path.rglob("*"):
-        if file_path.is_file():
-            # Skip if matches ignore pattern
-            if ignore_matcher:
-                str(file_path.relative_to(project_path))
-                if ignore_matcher.is_ignored(file_path):
-                    continue
-
-            total_size += file_path.stat().st_size
-
-    # Convert bytes to MB
-    return total_size / (1024 * 1024)
-
 
 def is_ssrf_safe(url: str) -> bool:
     """Checks if a URL is safe from Server-Side Request Forgery (SSRF).
@@ -167,6 +114,39 @@ def validate_metadata_urls(metadata: Dict[str, str]) -> Dict[str, str]:
     return results
 
 
+def validate_package_constraints(total_size_mb: float, binaries: List[str]) -> Dict[str, Any]:
+    """Validates package size and binary constraints against Official Repository rules.
+
+    Args:
+        total_size_mb: Total size of the package in MB.
+        binaries: List of detected binary files.
+
+    Returns:
+        Validation results including error messages.
+    """
+    errors = []
+
+    # Rule: Max 20MB
+    if total_size_mb > 20:
+        errors.append(f"Package size ({total_size_mb:.2f}MB) exceeds the 20MB limit.")
+
+    # Rule: No Binaries
+    if binaries:
+        count = len(binaries)
+        shown = ", ".join(binaries[:3])
+        suffix = "..." if count > 3 else ""
+        errors.append(
+            f"Detected {count} binary file(s): {shown}{suffix}. Binaries are not allowed."
+        )
+
+    return {
+        "is_valid": len(errors) == 0,
+        "errors": errors,
+        "total_size_mb": total_size_mb,
+        "binary_count": len(binaries),
+    }
+
+
 def validate_plugin_structure(project_path: pathlib.Path) -> Dict[str, Any]:
     """Validates that the plugin following the required QGIS file structure.
 
@@ -193,12 +173,29 @@ def validate_plugin_structure(project_path: pathlib.Path) -> Dict[str, Any]:
     py_files = list(project_path.glob("*.py"))
     has_python = len(py_files) > 0
 
+    # Check Folder Name (Official Repo Rule: ASCII, alphanumeric, no start with digit)
+    folder_name = project_path.name
+    # Regex explanation:
+    # ^[a-zA-Z_]      : Must start with letter or underscore (cannot start with digit/hyphen)
+    # [a-zA-Z0-9_-]*$ : Followed by alphanumeric, underscore, or hyphen
+    # Note: Official repo is strictly ASCII.
+    folder_valid = False
+    try:
+        # Check ASCII encoding implicitly by regex matching on string, or strict encode check
+        folder_name.encode("ascii")
+        if re.match(r"^[a-zA-Z_][a-zA-Z0-9_-]*$", folder_name):
+            folder_valid = True
+    except UnicodeEncodeError:
+        folder_valid = False
+
     return {
         "files": found,
         "missing_files": missing,
         "has_class_factory": has_factory,
         "has_python_files": has_python,
-        "is_valid": all(found.values()) and has_factory and has_python,
+        "folder_name": folder_name,
+        "folder_name_valid": folder_valid,
+        "is_valid": all(found.values()) and has_factory and has_python and folder_valid,
     }
 
 
@@ -218,6 +215,7 @@ def validate_metadata(metadata_path: pathlib.Path) -> Dict[str, Any]:
         "qgisMinimumVersion",
         "author",
         "email",
+        "about",
     ]
 
     recommended_fields = [
@@ -261,3 +259,40 @@ def validate_metadata(metadata_path: pathlib.Path) -> Dict[str, Any]:
         "recommended_missing": recommended_missing,
         "metadata": metadata,
     }
+
+
+def calculate_package_size(directory: pathlib.Path) -> float:
+    """Calculates the total size of a directory in megabytes.
+
+    Args:
+        directory: The directory path.
+
+    Returns:
+        The total size in MB.
+    """
+    total_size = 0
+    for file in directory.rglob("*"):
+        if file.is_file():
+            total_size += file.stat().st_size
+    return total_size / (1024 * 1024)
+
+
+def scan_for_binaries(directory: pathlib.Path) -> List[str]:
+    """Scans for binary files in the directory.
+
+    Args:
+        directory: The directory path.
+
+    Returns:
+        A list of relative paths to detected binary files.
+    """
+    binary_extensions = {".dll", ".so", ".exe", ".dylib", ".pyd", ".o", ".a"}
+    binaries = []
+    for file in directory.rglob("*"):
+        if file.suffix.lower() in binary_extensions:
+            try:
+                rel_path = file.relative_to(directory)
+                binaries.append(str(rel_path))
+            except ValueError:
+                binaries.append(str(file))
+    return binaries

analyzer/visitors/__init__.py

@@ -0,0 +1,19 @@
+"""AST Visitors for QGIS Plugin Analysis.
+
+This package provides modular AST visitors for analyzing QGIS plugin code.
+Each visitor is specialized for a specific concern (imports, metrics, standards, security).
+"""
+
+from .composite_visitor import CompositeVisitor
+from .security_visitor import SecurityVisitor
+
+# Maintain backward compatibility
+QGISASTVisitor = CompositeVisitor
+QGISSecurityVisitor = SecurityVisitor
+
+__all__ = [
+    "QGISASTVisitor",
+    "QGISSecurityVisitor",
+    "CompositeVisitor",
+    "SecurityVisitor",
+]