[Development] Proposing QUIP-23: Qt-Security header in source code files

Giuseppe D'Angelo giuseppe.dangelo at kdab.com
Thu Jul 11 15:51:07 CEST 2024


On 11/07/2024 15:21, Volker Hilsheimer wrote:
> For many APIs, application code provides the data (perhaps indirectly),
> e.g. to QDateTime::fromString. In that case we can assume that the
> application had at least some chance to scrub the input, or at the very
> least control where that string comes from (perhaps a file on disk). For
> other APIs, Qt processes the data without the application seeing it
> (e.g. network protocol, loading an image etc. from file).

I'm not too sure I appreciate the difference here. Either the input is 
trusted (= the onus of validating it, if any, is on the application / 
system side), or it is not (= Qt can't assume anything about it and must 
validate it).


> To document the respective expectations and responsibilities on a higher
> level, we need to start with understanding and documenting what the code
> does. The header helps us with that, and at the same time enables some
> degree of automation.

Fair enough, but then I'd kindly ask to reframe this discussion with 
this in mind; that is, this isn't about "security" in general, it's 
about untrusted inputs. I'm not sure what buzzword to use here, though.

So what is the plan of action?

* Define what "external inputs" are?
* Identify code in Qt that processes such external inputs?
* Figure out whether such code deals with trusted or untrusted inputs, 
and add relevant notes in the documentation (where?)?
* If it's untrusted, figure out whether Qt is directly responsible for 
parsing the input, or if Qt is just offloading it to a 3rd party (e.g. 
image formats), or possibly both?
* Tag all the files that contain such code according to some schema?
* (Possibly, refactor the code in separate .cpp files to isolate it, so 
that the tagging can be "accurate"?)
* Check that we have fuzzing, ubsan, etc. enabled on Qt code that parses 
untrusted inputs?


Thanks,

-- 
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - Trusted Software Excellence
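The thread mentions that a per-file header "enables some degree of automation". As an added illustration of what that automation could look like (this is not Qt's tooling, and QUIP-23's actual header format is not shown on this page; the `// Qt-Security: <value>` line comment and the three values `untrusted-input`, `trusted-input` and `none` are assumptions), the script below reads the tag from the leading comment block of each source file, groups files by tag, and flags files that a maintained list says parse external input but are not tagged as such. The sample file contents are constructed.

```python
"""Scan C++ source files for a per-file 'Qt-Security' header tag.

Added example, not Qt's own tooling. Assumed tag format, placed in the
leading comment block of a file:
    // Qt-Security: <value>
where <value> is one of: untrusted-input, trusted-input, none.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Assumed schema: the values the tag may carry.
VALID_TAGS = {"untrusted-input", "trusted-input", "none"}

# Match the assumed tag in a C/C++ line comment; the value is captured.
TAG_RE = re.compile(r"^\s*//\s*Qt-Security:\s*(\S+)\s*$", re.MULTILINE)

HEADER_LINES = 40  # only search the leading comment block of each file


def read_tag(source: str) -> Optional[str]:
    """Return the Qt-Security tag value from the file header, or None if absent.

    Only the first HEADER_LINES lines are searched, so a mention of the tag in a
    later comment or string literal is not mistaken for the header.
    Raises ValueError when a tag is present but its value is outside the schema.
    """
    head = "\n".join(source.splitlines()[:HEADER_LINES])
    m = TAG_RE.search(head)
    if m is None:
        return None
    value = m.group(1)
    if value not in VALID_TAGS:
        raise ValueError(f"unknown Qt-Security value: {value!r}")
    return value


def classify(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Group file names by tag value; untagged files go under 'missing',
    files with an out-of-schema value under 'invalid'."""
    groups: Dict[str, List[str]] = {v: [] for v in VALID_TAGS}
    groups["missing"] = []
    groups["invalid"] = []
    for name, text in files.items():
        try:
            tag = read_tag(text)
        except ValueError:
            groups["invalid"].append(name)
            continue
        groups["missing" if tag is None else tag].append(name)
    return groups


def policy_violations(files: Dict[str, str], must_be_untrusted: Iterable[str]) -> List[str]:
    """Return files from a human-maintained parser list that are not tagged
    'untrusted-input' (missing, invalid, or tagged otherwise).

    The list of files that parse external input is reviewed by people; the
    script only enforces that the tag agrees with that review.
    """
    bad = []
    for name in must_be_untrusted:
        try:
            ok = read_tag(files.get(name, "")) == "untrusted-input"
        except ValueError:
            ok = False
        if not ok:
            bad.append(name)
    return bad


def scan_tree(root: Path, suffixes=(".cpp", ".h")) -> Dict[str, str]:
    """Load source files under root into the {name: text} shape the checks expect."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.suffix in suffixes}


# Constructed sample inputs standing in for real source files.
SAMPLE_FILES = {
    "qpngreader.cpp": "// Copyright ...\n// Qt-Security: untrusted-input\n#include <png.h>\n",
    "qdatetime.cpp": "// Copyright ...\n// Qt-Security: trusted-input\n",
    "qstring.cpp": "// Copyright ...\n\nint f();\n",
    "qhttp.cpp": "// Qt-Security: critical\n",
}

if __name__ == "__main__":
    for group, names in classify(SAMPLE_FILES).items():
        print(f"{group:16} {names}")
    print("violations:", policy_violations(SAMPLE_FILES, ["qpngreader.cpp", "qhttp.cpp"]))
```

In a CI job one would replace `SAMPLE_FILES` with `scan_tree(Path("src"))` and fail the build when `policy_violations` returns anything; the value set is deliberately closed so that a typo in the tag is reported as `invalid` rather than silently treated as untagged.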
