[ui] add security warning when executing scripts

src/app/qgisapp.cpp

@@ -6177,30 +6177,50 @@ void QgisApp::runScript( const QString &filePath )
   if ( !mPythonUtils || !mPythonUtils->isEnabled() )
     return;
 
-  mPythonUtils->runString(
+  QgsSettings settings;
-    QString( "import sys\n"
+  bool showScriptWarning = settings.value( QStringLiteral( "UI/showScriptWarning" ), true ).toBool();
-             "import inspect\n"
+
-             "from qgis.utils import iface\n"
+  QMessageBox msgbox;
-             "try:\n"
+  if ( showScriptWarning )
-             "    from qgis.core import QgsApplication, QgsProcessingAlgorithm, QgsProcessingFeatureBasedAlgorithm\n"
+  {
-             "    from processing.gui.AlgorithmDialog import AlgorithmDialog\n"
+    msgbox.setText( tr( "Security warning: executing a script from an untrusted source can lead to data loss and/or leak. Continue?" ) );
-             "except ImportError:\n"
+    msgbox.setIcon( QMessageBox::Icon::Warning );
-             "    processing_found = False\n"
+    msgbox.addButton( QMessageBox::Yes );
-             "else:\n"
+    msgbox.addButton( QMessageBox::No );
-             "    processing_found = True\n"
+    msgbox.setDefaultButton( QMessageBox::No );
-             "d={}\n"
+    QCheckBox *cb = new QCheckBox( tr( "Don't show this again." ) );
-             "exec(open(\"%1\".replace(\"\\\\\", \"/\").encode(sys.getfilesystemencoding())).read(), d)\n"
+    msgbox.setCheckBox( cb );
-             "if processing_found:\n"
+    msgbox.exec();
-             "    alg = None\n"
+    settings.setValue( QStringLiteral( "UI/showScriptWarning" ), !msgbox.checkBox()->isChecked() );
-             "    for k, v in d.items():\n"
+  }
-             "        if inspect.isclass(v) and issubclass(v, (QgsProcessingAlgorithm, QgsProcessingFeatureBasedAlgorithm)) and v.__name__ not in (\"QgsProcessingAlgorithm\", \"QgsProcessingFeatureBasedAlgorithm\"):\n"
+
-             "            alg = v()\n"
+  if ( !showScriptWarning || msgbox.result() == QMessageBox::Yes )
-             "            break\n"
+  {
-             "    if alg:\n"
+    mPythonUtils->runString(
-             "        alg.setProvider(QgsApplication.processingRegistry().providerById(\"script\"))\n"
+      QString( "import sys\n"
-             "        alg.initAlgorithm()\n"
+               "import inspect\n"
-             "        dlg = AlgorithmDialog(alg)\n"
+               "from qgis.utils import iface\n"
-             "        dlg.show()\n" ).arg( filePath ), tr( "Failed to run Python script:" ), false );
+               "try:\n"
+               "    from qgis.core import QgsApplication, QgsProcessingAlgorithm, QgsProcessingFeatureBasedAlgorithm\n"
+               "    from processing.gui.AlgorithmDialog import AlgorithmDialog\n"
+               "except ImportError:\n"
+               "    processing_found = False\n"
+               "else:\n"
+               "    processing_found = True\n"
+               "d={}\n"
+               "exec(open(\"%1\".replace(\"\\\\\", \"/\").encode(sys.getfilesystemencoding())).read(), d)\n"
+               "if processing_found:\n"
+               "    alg = None\n"
+               "    for k, v in d.items():\n"
+               "        if inspect.isclass(v) and issubclass(v, (QgsProcessingAlgorithm, QgsProcessingFeatureBasedAlgorithm)) and v.__name__ not in (\"QgsProcessingAlgorithm\", \"QgsProcessingFeatureBasedAlgorithm\"):\n"
+               "            alg = v()\n"
+               "            break\n"
+               "    if alg:\n"
+               "        alg.setProvider(QgsApplication.processingRegistry().providerById(\"script\"))\n"
+               "        alg.initAlgorithm()\n"
+               "        dlg = AlgorithmDialog(alg)\n"
+               "        dlg.show()\n" ).arg( filePath ), tr( "Failed to run Python script:" ), false );
+  }
 #else
   Q_UNUSED( filePath );
 #endif