BOM (Bill Of Materials) function

realthunder
Posts: 913
Joined: Tue Jan 03, 2017 10:55 am

Re: BOM (Bill Of Materials) function

Postby realthunder » Mon Dec 03, 2018 12:21 pm

kbwbe wrote:
Mon Dec 03, 2018 10:52 am
One question: Is it possible to disable Python code execution in spreadsheets if I get files from untrusted sources?
Not now, but eventually sure, I'll add some way for the user to decide. I am very aware of the potential security problem, which is why these scripts are not run by the Python interpreter. But then the callables may eventually call Python code, so there is still risk there. I did block the usual hazardous Python built-in calls like eval and stuff, and also put a user-configurable restriction on which Python modules can be imported.
Try Assembly3 (latest version 0.9.1) along with my custom build of FreeCAD at here.
And if you like to show your support, you can find the donate button at here.
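
The two restrictions described in the post above (blocked built-in calls and a user-configurable limit on importable modules), expressed as a static check that inspects a script without running it. This is an added example, not code from FreeCAD or from realthunder's build; it assumes the scripts use Python syntax, and the blocked names, allowed modules and sample scripts are constructed for illustration.

```python
import ast

# Assumed policy values for illustration; not FreeCAD's actual lists.
BLOCKED_BUILTINS = {"eval", "exec", "compile", "open", "__import__",
                    "getattr", "setattr"}
ALLOWED_MODULES = {"math"}  # stands in for the user-configurable allowlist


def violations(source, allowed_modules=ALLOWED_MODULES):
    """Return the policy violations found in `source` without executing it."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in allowed_modules:
                    found.append(f"import of '{alias.name}' not allowed")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root not in allowed_modules:
                found.append(f"import from '{node.module}' not allowed")
        elif isinstance(node, ast.Name) and node.id in BLOCKED_BUILTINS:
            # Flags any reference, so aliasing (e = eval) is caught too.
            found.append(f"use of blocked built-in '{node.id}'")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Extra check beyond the post: dunder access can reach built-ins.
            found.append(f"access to dunder attribute '{node.attr}'")
    return found


# Constructed sample scripts, one per case.
SAMPLES = {
    "ok": "import math\narea = math.pi * 2 ** 2",
    "eval": "x = eval('1+1')",
    "import": "import os\nos.remove('f')",
    "alias": "e = eval\ne('1')",
    "dunder": "().__class__.__bases__",
}


def audit(samples=SAMPLES):
    """Map each sample name to its list of violations."""
    return {name: violations(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, found in audit().items():
        print(name, "->", found or "clean")
```
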
furti
Posts: 193
Joined: Mon Nov 27, 2017 5:27 pm

Postby furti » Sun Jan 27, 2019 5:26 pm

Came here because this Topic was linked from a help request.

Look here https://forum.freecadweb.org/viewtopic. ... 10#p282734 to see my attempt of a BOM with the new Reporting workbench. https://forum.freecadweb.org/viewtopic.php?f=9&t=33403

I think this is a pretty flexible approach. Doesn't really matter how the document is structured. The right SQL Statement should get as much information out of the model as needed.

Hope this might be useful for some of you :)
freedman
Posts: 653
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Postby freedman » Wed Jan 30, 2019 11:40 pm

I would like an option to not open scripted/spreadsheet files, so if I happen to click on one from a user it won't open.
furti
Posts: 193
Joined: Mon Nov 27, 2017 5:27 pm

Postby furti » Thu Jan 31, 2019 7:08 am

What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
andrew.j.smart1988
Posts: 12
Joined: Tue Sep 05, 2017 2:03 am

Postby andrew.j.smart1988 » Fri Feb 01, 2019 1:18 pm

kbwbe wrote:
Mon Dec 03, 2018 10:52 am
One question: Is it possible to disable Python code execution in spreadsheets if I get files from untrusted sources?
freedman wrote:
Wed Jan 30, 2019 11:40 pm
I would like an option to not open scripted/spreadsheet files, so if I happen to click on one from a user it won't open.
furti wrote:
Thu Jan 31, 2019 7:08 am
What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
They're concerned with security implications (malware). Consider a feature like this as seen in Microsoft Excel:
[Image]
And:
[Image]
IIRC these warnings are based on the location/origin of the file. Doesn't seem worth it to me to support such things, though maybe there is some python gizmo (e.g. sandboxing) which will safely handle such risks.

Spreadsheets in the cloud (Google Sheets & Microsoft equivalent) don't have access to the local file system but have permissions based access to other stuff in the cloud (per popup queries per their cloud API). All this is beyond my head/interest so don't take what I say as irrefutable truth.
furti
Posts: 193
Joined: Mon Nov 27, 2017 5:27 pm

Postby furti » Fri Feb 01, 2019 2:10 pm

This is true. Macros in spreadsheets are pretty bad.

But I don't exactly know what the security benefits are of disabling files with spreadsheets in them. Spreadsheets are a core feature of FreeCAD. If it is possible to write a FreeCAD file with a spreadsheet in it that deletes all files on a disk, this should be fixed. But what makes a FreeCAD file with a spreadsheet different to any other spreadsheet FreeCAD file? Why is a spreadsheet less trustworthy than, let's say, a simple expression in a Sketcher constraint? So one has to trust the FreeCAD core code (including spreadsheets). Otherwise one should not install FreeCAD at all (just my opinion).

For scripted files it is the same. If a FreeCAD file contains an object from a third-party workbench, and the workbench is not installed on my PC, nothing should ever get executed when I open such a file. And when I install a third-party workbench, I have to trust the code inside it. And then it does not matter when I open a file containing such an object.

Edit: fixed some typos
Last edited by furti on Sat Feb 02, 2019 7:29 am, edited 1 time in total.
chrisb
Posts: 14019
Joined: Tue Mar 17, 2015 9:14 am

Postby chrisb » Fri Feb 01, 2019 4:09 pm

In Excel it is possible to execute arbitrary code with its VBA or VSTO programming facilities. So every Excel sheet can be an individual program. There is no distinction between program and data files (except by the filename extension). In FreeCAD arbitrary Python code has been banned from being embedded in simple models for that very reason. So you have a distinction between the program (FreeCAD) and data (FreeCAD model files).

With this architecture you can always trust the data and you only have to validate the program once.
yorik
Site Admin
Posts: 10708
Joined: Tue Feb 17, 2009 9:16 pm
Location: São Paulo, Brazil

Postby yorik » Sat Feb 02, 2019 12:07 am

Unlike Excel, there is no scripting possible in FreeCAD spreadsheets, nor in any other part of a FreeCAD file. It's often confusing because FreeCAD has a "macros" feature, but it's very different than Excel macros, and it is not possible to embed macros inside a FreeCAD file, exactly for those same security reasons. *EDIT* Oops just repeating what chrisb said... :oops:
triplus
Posts: 8124
Joined: Mon Dec 12, 2011 4:45 pm

Postby triplus » Sat Feb 02, 2019 10:02 pm

furti wrote:
Thu Jan 31, 2019 7:08 am
What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
Likely comments are related to this discussion:

https://forum.freecadweb.org/viewtopic.php?f=3&t=30731

And somehow likely some thought Reporting workbench is embedding Python code in Spreadsheet.
furti
Posts: 193
Joined: Mon Nov 27, 2017 5:27 pm

Postby furti » Sun Feb 03, 2019 5:44 am

triplus wrote:
Sat Feb 02, 2019 10:02 pm
Reporting workbench is embedding Python code in Spreadsheet.
No worries about that. The opposite is happening. The spreadsheet generated by the Reporting workbench only contains literal text. Not even expressions are inserted :)