| author | Fabian Kosmale <fabian.kosmale@qt.io> | 2025-08-26 17:35:24 +0200 |
|---|---|---|
| committer | Fabian Kosmale <fabian.kosmale@qt.io> | 2025-09-16 15:17:44 +0200 |
| commit | 22df353c14800d2e9b6d57a9a0cb9c6baa337999 (patch) | |
| tree | c0d9c6cc4588cafff7d0782c5a6d0e2f20800c67 /src/qml/jsruntime/qv4booleanobject.cpp | |
| parent | a346f6d0f3a26b134060b8d3f9e008a8e08353b9 (diff) | |
CRA review qml/jsruntime
This relies heavily on the documented fact that we only support trusted
QML/JS content, meaning most files are only significant, not critical.
This also extends to the handling of qmlc files (as in
compilationunitmapper), as we store them in a user owned, non-shared
cache directory – so any vulnerability there would already mean that an
attacker has write-privileges on user data.
An exception is ArrayBuffer, which can be used with arbitrary user data,
and should create a valid QBA.
Fixes: QTBUG-136970
Pick-to: 6.10 6.9 6.8
QUIP: 23
Change-Id: I22033fe6ab4acf8362a8183e25b92331d45cb32c
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4booleanobject.cpp')
| -rw-r--r-- | src/qml/jsruntime/qv4booleanobject.cpp | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/qml/jsruntime/qv4booleanobject.cpp b/src/qml/jsruntime/qv4booleanobject.cpp index 5c1d50e753..45692e8030 100644 --- a/src/qml/jsruntime/qv4booleanobject.cpp +++ b/src/qml/jsruntime/qv4booleanobject.cpp @@ -1,5 +1,6 @@ // Copyright (C) 2016 The Qt Company Ltd. // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only +// Qt-Security score:significant #include "qv4booleanobject_p.h" |
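Review bot: The added `// Qt-Security score:significant` line, placed directly after the SPDX identifier, records the score but not the reason for it. The rationale (only trusted QML/JS content is supported, so most files are significant rather than critical) exists only in the commit message. Consider stating that assumption next to the marker or pointing to where it is documented, so that someone reading qv4booleanobject.cpp later can tell which change in the trust model would require rescoring the file.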
