/gemini review
Code Review
This pull request introduces a new simulation type, depth_map_part, to calculate the melt pool depth as a function of XY location in a layer using 3DThesis, integrating new application logic, configuration, execution, and post-processing files. However, a security audit identified three critical vulnerabilities related to path traversal and arbitrary file copy. These stem from improper handling of user-supplied input from configuration files, which could allow an attacker to read or write arbitrary files on the system.
| dir_parts = os.path.dirname(mynafile).split(os.path.sep) | ||
| case_dict = { | ||
| "build": dir_parts[-4], | ||
| "part": dir_parts[-3], | ||
| "layer": dir_parts[-2], | ||
| "case_dir": os.path.dirname(mynafile), | ||
| "mynafile": mynafile, | ||
| } | ||
| return case_dict | ||
|
|
||
| def configure_case(self, myna_file): | ||
| """Configure a valid 3DThesis case from Myna data""" | ||
| # Load case information | ||
| case_info = self.parse_mynafile_path_to_dict(myna_file) | ||
|
|
||
| # Copy template case | ||
| self.copy(case_info["case_dir"]) |
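Review bot: parse_mynafile_path_to_dict indexes dir_parts[-4], dir_parts[-3] and dir_parts[-2] without checking that the split path has at least four components, so a short or unexpected path either raises IndexError or silently maps unrelated directories to build/part/layer; add a length check and reject anything that does not match the expected build/part/layer/case_dir layout. In configure_case, case_info["case_dir"] is passed straight to self.copy, so a mynafile value containing ../ segments makes the copy target a directory outside the intended tree; resolve the path with os.path.realpath and confirm it sits under the configured working root before copying, e.g. `if os.path.commonpath([root, case_dir]) != root: raise ValueError("case_dir outside working root")`.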
A path traversal vulnerability exists in the configure_case method. The mynafile path, derived from user-controlled settings, is used to construct the case_dir path without proper sanitization. This allows an attacker to use ../ sequences to traverse the file system and perform file operations (like self.copy) outside of the intended directory, leading to arbitrary file writes and information disclosure. Additionally, the parse_mynafile_path_to_dict function assumes a specific directory structure; robust validation is needed to prevent errors and mitigate this vulnerability.
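A hardened version of the path parsing discussed in the comment above, added here as an example and not code from the Myna project: the allowed_root parameter, the UnsafeMynaPath exception and the sample paths are assumptions. It resolves the path, confirms it stays under an allowed root and requires exactly the build/part/layer/case_dir/file depth instead of relying on negative indexing.

```python
import os


class UnsafeMynaPath(ValueError):
    """Raised when a myna file path escapes the allowed root or is malformed."""


def parse_mynafile_path_safely(mynafile, allowed_root):
    """Return the build/part/layer/case_dir dict for ``mynafile`` only if it
    resolves inside ``allowed_root`` (assumed: the configured working
    directory) with the layout <build>/<part>/<layer>/<case_dir>/<file>."""
    root = os.path.realpath(allowed_root)
    # realpath collapses "../" and symlinks before any check is made; join()
    # lets absolute user input replace the root, which the check below catches.
    resolved = os.path.realpath(os.path.join(root, mynafile))
    if os.path.commonpath([root, resolved]) != root:
        raise UnsafeMynaPath(f"path escapes allowed root: {mynafile!r}")

    case_dir = os.path.dirname(resolved)
    # Negative indexing (dir_parts[-4] ...) grabs unrelated directories for
    # shallow paths; require exactly four components below the root instead.
    parts = os.path.relpath(case_dir, root).split(os.sep)
    if len(parts) != 4 or "." in parts or "" in parts:
        raise UnsafeMynaPath(f"unexpected directory layout: {mynafile!r}")

    build, part, layer, _case = parts
    return {
        "build": build,
        "part": part,
        "layer": layer,
        "case_dir": case_dir,
        "mynafile": resolved,
    }


def is_safe_mynafile(mynafile, allowed_root):
    """Boolean wrapper, convenient for validating config values up front."""
    try:
        parse_mynafile_path_safely(mynafile, allowed_root)
        return True
    except UnsafeMynaPath:
        return False


if __name__ == "__main__":
    # Constructed sample paths; nothing on disk is touched.
    ROOT = "/srv/myna_runs"
    print(parse_mynafile_path_safely("b01/part_a/layer_003/case_0/myna.yaml", ROOT))
    print(is_safe_mynafile("../../other_job/b01/part_a/layer_003/case_0/myna.yaml", ROOT))
    print(is_safe_mynafile("b01/myna.yaml", ROOT))
```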
Adds a new type of simulation that produces a map of the melt pool depth as a function of XY location in a layer. Implements a 3DThesis application for the simulation type.

This is different from the existing melt_pool_geometry_part, which outputs melt pool geometry as a time series.

This pull request adds:

- thesis/depth_map_part simulation tool and template
- myna.application.thesis module
- FileDpethMap output file type
- ComponentDepthMapPart component class
- depth_map_part simulation
- depth_map_part simulation configuration and running

The output data from the example, at a higher resolution of 25e-6 m for visual clarity, is plotted below.