BOM (Bill Of Materials) function

realthunder
Veteran
Posts: 2190
Joined: Tue Jan 03, 2017 10:55 am

Re: BOM (Bill Of Materials) function

Post by realthunder »

kbwbe wrote: Mon Dec 03, 2018 10:52 am One question: Is it possible to disable python code execution in spreadsheets if I get files from untrusted sources ?
Not now, but eventually sure, I'll add some way for the user to decide. I am very aware of the potential security problem, which is why these scripts are not run by the Python interpreter. But then the callables may eventually call Python code, so there is still risk there. I did block the usual hazardous Python built-in calls like eval and stuff, and also put a user-configurable restriction on which Python modules can be imported.
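The post above names two restrictions: blocking hazardous built-ins such as eval, and limiting which modules may be imported. As an added illustration (not FreeCAD's or realthunder's code), a static pre-check of that kind over a script's syntax tree could look like the following; the blocked-name list, the module allowlist, the function name `audit_script` and the sample scripts are all assumptions made for the example.

```python
import ast

# Assumed policy values for illustration; FreeCAD's real lists are not shown on this page.
BLOCKED_BUILTINS = {"eval", "exec", "compile", "__import__", "open"}
ALLOWED_MODULES = {"math"}  # stands in for the user-configurable import allowlist


def audit_script(source, allowed_modules=ALLOWED_MODULES):
    """Return sorted (line, reason) policy violations found without executing source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            # Relative imports have module=None; treat them as not allowlisted.
            modules = [node.module or "<relative>"]
        else:
            modules = []
        for name in modules:
            # Compare the top-level package so "os.path" is judged as "os".
            if name.split(".")[0] not in allowed_modules:
                findings.append((node.lineno, f"import of non-allowlisted module: {name}"))
        # Flag any reference to a blocked builtin, not just direct calls,
        # so aliasing (run = eval) is reported as well.
        if isinstance(node, ast.Name) and node.id in BLOCKED_BUILTINS:
            findings.append((node.lineno, f"blocked builtin referenced: {node.id}"))
    return sorted(findings)


# Constructed sample inputs, not taken from any real FreeCAD document.
BENIGN = "import math\narea = math.pi * 2 ** 2\n"
SUSPECT = "import os.path\nrun = eval\nfrom subprocess import call\n"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_script(src))
```

A check like this only screens the script text; as the post itself says, permitted callables may still end up calling Python code, so some risk remains.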
furti
Posts: 344
Joined: Mon Nov 27, 2017 5:27 pm

Re: BOM (Bill Of Materials) function

Post by furti »

Came here because this Topic was linked from a help request.

Look here https://forum.freecadweb.org/viewtopic. ... 10#p282734 to see my attempt of a BOM with the new Reporting workbench. https://forum.freecadweb.org/viewtopic.php?f=9&t=33403

I think this is a pretty flexible approach. Doesn't really matter how the document is structured. The right SQL Statement should get as much information out of the model as needed.

Hope this might be useful for some of you :)
freedman
Veteran
Posts: 3441
Joined: Thu Mar 22, 2018 3:02 am
Location: Washington State, USA

Re: BOM (Bill Of Materials) function

Post by freedman »

I would like an option to not open scripted/spreadsheet files, so if I happen to click on one from a user it won't open.
furti
Posts: 344
Joined: Mon Nov 27, 2017 5:27 pm

Re: BOM (Bill Of Materials) function

Post by furti »

What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
andrew.j.smart1988
Posts: 16
Joined: Tue Sep 05, 2017 2:03 am

Re: BOM (Bill Of Materials) function

Post by andrew.j.smart1988 »

kbwbe wrote: Mon Dec 03, 2018 10:52 am One question: Is it possible to disable python code execution in spreadsheets if I get files from untrusted sources ?
freedman wrote: Wed Jan 30, 2019 11:40 pm I would like an option to not open scripted/spreadsheet files, so if I happen to click on one from a user it won't open.
furti wrote: Thu Jan 31, 2019 7:08 am What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
They're concerned with security implications (malware). Consider a feature like this as seen in Microsoft Excel:
Image
And:
Image
IIRC these warnings are based on the location/origin of the file. Doesn't seem worth it to me to support such things, though maybe there is some python gizmo (e.g. sandboxing) which will safely handle such risks.

Spreadsheets in the cloud (Google Sheets & Microsoft equivalent) don't have access to the local file system but have permissions based access to other stuff in the cloud (per popup queries per their cloud API). All this is beyond my head/interest so don't take what I say as irrefutable truth.
furti
Posts: 344
Joined: Mon Nov 27, 2017 5:27 pm

Re: BOM (Bill Of Materials) function

Post by furti »

This is true. Macros in Spreadsheets are Pretty bad.

But I don't exactly know what the security benefits are of disabling Files with spreadsheets in them. Spreadsheets are a core feature of FreeCAD. If it is possible to write a FreeCAD File with a spreadsheet in it, that deletes all files on a disk, this should be fixed. But what makes a FreeCAD File with a Spreadsheet different to any other Spreadsheet FreeCAD File? Why is a Spreadsheet less trustworthy than, let's say, a simple Expression in a Sketcher Constraint? So one has to trust the FreeCAD core Code (including Spreadsheets). Otherwise one should not install FreeCAD at all (just my opinion).


For Scripted files it is the same. If a FreeCAD File contains an Object from a third-party workbench, and the workbench is not installed on my PC, nothing should ever get executed when I open such a file. And when I install a third-party workbench, I have to trust the Code inside it. And then it does not matter when I open a File containing such an object.

Edit: fixed some typos
Last edited by furti on Sat Feb 02, 2019 7:29 am, edited 1 time in total.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: BOM (Bill Of Materials) function

Post by chrisb »

In Excel it is possible to execute arbitrary code with its VBA or VSTO programming facilities. So every Excel sheet can be an individual program. There is no distinction between program and data files (except by the filename extension). In FreeCAD arbitrary Python code has been banned from being embedded in simple models for that very reason. So you have a distinction between the program (FreeCAD) and data (FreeCAD model files).

With this architecture you can always trust the data and you only have to validate the program once.
yorik
Founder
Posts: 13640
Joined: Tue Feb 17, 2009 9:16 pm
Location: Brussels

Re: BOM (Bill Of Materials) function

Post by yorik »

Unlike Excel, there is no scripting possible in FreeCAD spreadsheets, nor in any other part of a FreeCAD file. It's often confusing because FreeCAD has a "macros" feature, but it's very different than Excel macros, and it is not possible to embed macros inside a FreeCAD file, exactly for those same security reasons. *EDIT* Oops just repeating what chrisb said... :oops:
triplus
Veteran
Posts: 9471
Joined: Mon Dec 12, 2011 4:45 pm

Re: BOM (Bill Of Materials) function

Post by triplus »

furti wrote: Thu Jan 31, 2019 7:08 am What do you mean by "scripted/spreadsheet files"? And what does it have to do with BOM?
Likely comments are related to this discussion:

https://forum.freecadweb.org/viewtopic.php?f=3&t=30731

And somehow likely some thought Reporting workbench is embedding Python code in Spreadsheet.
furti
Posts: 344
Joined: Mon Nov 27, 2017 5:27 pm

Re: BOM (Bill Of Materials) function

Post by furti »

triplus wrote: Sat Feb 02, 2019 10:02 pm Reporting workbench is embedding Python code in Spreadsheet.
No worries about that. The opposite is happening. The spreadsheet generated by the reporting workbench only contains literal text. Not even expressions are inserted :)