fix(import): harden WinSCP password and site import reliability

[Orinks]

Summary

Improve WinSCP importer reliability end-to-end (password + site import) with FileZilla importer resilience as the quality bar.

Root-cause gaps addressed

• WinSCP password decryption did not match upstream algorithm structure (version, length width, and shift handling), causing real-world password imports to fail or decode incorrectly.
• WinSCP INI parsing assumed UTF-8 only, failing on valid exports with alternate encodings (e.g. UTF-16).
• URL-encoded WinSCP fields (notably PublicKeyFile, also session/dir values) were not consistently decoded, causing site import fidelity issues.
• Error/no-results messages in import dialog were generic and not actionable for WinSCP-specific fallback paths.

Design (scoped, low regression risk)

• Keep importer APIs stable (list[ImportedSite]) and harden internals.
• Make WinSCP parser tolerant (encoding fallback + strict=False) while preserving skip-invalid-site behavior.
• Decrypt safely: support WinSCP internal formats; treat unsupported external/master-password encryption as non-fatal empty password.
• Preserve partial import: malformed password payloads no longer block site import.
• Add source-specific user guidance in dialog error/no-results messaging.

Before / After

Before

• Some valid WinSCP passwords failed to import due to incomplete decode logic.
• Some WinSCP INI exports failed to parse depending on file encoding.
• URL-encoded key paths could import literally encoded.
• Users saw generic failure/no-results messages with limited next steps.

After

• WinSCP password decoding aligns with upstream simple algorithm variants and shift handling.
• Unsupported external/master-password-encrypted values are safely ignored (password blank), without blocking site import.
• WinSCP INI encoding fallback supports UTF-8/UTF-16/common legacy encodings.
• URL-encoded key path/remote dir/session-host fields decode to usable values.
• Dialog messaging now includes WinSCP-specific troubleshooting and fallback hints.

Testing

• Added comprehensive WinSCP tests for:
  • internal v0 and internal v2 length formats
  • shift-byte payloads
  • odd-length, truncated, invalid, and key-prefix-mismatch payloads
  • external/master-password-encrypted payload handling
  • UTF-16 INI parsing
  • URL-decoded site fields
• Added dialog tests validating WinSCP-specific user messaging for parse errors and empty results.

Validation runs

• pytest -q tests/test_importers_winscp.py tests/test_import_connections_dialog.py tests/test_importers_filezilla.py tests/test_importers_init.py
• pytest -q
• ruff check src/portkeydrop/importers/winscp.py src/portkeydrop/dialogs/import_connections.py tests/test_importers_winscp.py tests/test_import_connections_dialog.py
• ruff format --check src/portkeydrop/importers/winscp.py src/portkeydrop/dialogs/import_connections.py tests/test_importers_winscp.py tests/test_import_connections_dialog.py

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}