REFACTOR: Updates related to vulnerabilities and documentation (#6110)

Co-authored-by: pyansys-ci-bot <[email protected]>

Author: SMoraisAnsys

doc/changelog.d/6110.miscellaneous.md

@@ -0,0 +1 @@
+Updates related to vulnerabilities and documentation

doc/source/User_guide/security_consideration.rst

@@ -1,3 +1,5 @@
+.. _ref_security_consideration:
+
 Security considerations
 =======================
 
@@ -6,6 +8,24 @@ of PyAEDT. It is important to understand the capabilities which PyAEDT
 provides, especially when using it to build applications or scripts that
 accept untrusted input.
 
+If a function displays a warning that redirects to this page, it indicates
+that the function may expose security risks when used improperly.
+In such cases, it is essential to pay close attention to:
+
+- **Function arguments**: Ensure that arguments passed to the function are
+  properly validated and do not contain untrusted content such as arbitrary
+  file paths, shell commands, or serialized data.
+- **Environment variables**: Be cautious of environment variables that can
+  influence the behavior of the function, particularly if they are user-defined
+  or inherited from an untrusted execution context.
+- **Global settings (`settings`)**: PyAEDT settings control various aspects of
+  runtime behavior such as AEDT features, use of LSF cluster or remote server
+  connections. Review these settings to avoid unexpected side effects or security
+  vulnerabilities.
+
+Always validate external input, avoid executing arbitrary commands or code,
+and follow the principle of least privilege when developing with PyAEDT.
+
 .. _security_launch_aedt:
 
 Launching AEDT

src/ansys/aedt/core/__init__.py

@@ -84,8 +84,8 @@ def custom_show_warning(message, category, filename, lineno, file=None, line=Non
 if not (".NETFramework" in sys.version):  # pragma: no cover
     import ansys.aedt.core.examples.downloads as downloads
 
-from ansys.aedt.core.edb import Edb  # nosec
-from ansys.aedt.core.edb import Siwave  # nosec
+from ansys.aedt.core.edb import Edb
+from ansys.aedt.core.edb import Siwave
 from ansys.aedt.core.generic import constants
 import ansys.aedt.core.generic.data_handlers as data_handler
 from ansys.aedt.core.generic.design_types import Circuit

src/ansys/aedt/core/application/analysis.py

@@ -32,7 +32,6 @@
 import os
 import re
 import shutil
-import subprocess  # nosec
 import tempfile
 import time
 from typing import Dict
@@ -1921,9 +1920,10 @@ def solve_in_batch(
            To use this function, the project must be closed.
 
         .. warning::
-            Do not execute this function with untrusted input parameters.
-            See the :ref:`security guide<https://aedt.docs.pyansys.com/version/stable/User_guide/security_consideration.html>`
-            for details.
+
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
+            See the :ref:`security guide<ref_security_consideration>` for details.
 
         Parameters
         ----------
@@ -1951,6 +1951,8 @@ def solve_in_batch(
          bool
            ``True`` when successful, ``False`` when failed.
         """
+        import subprocess  # nosec
+
         try:
             cores = int(cores)
         except ValueError:

src/ansys/aedt/core/desktop.py

@@ -92,7 +92,8 @@ def launch_aedt(
 
     .. warning::
 
-        Do not execute this function with untrusted input parameters.
+        Do not execute this function with untrusted function argument, environment
+        variables or pyaedt global settings.
         See the :ref:`security guide<security_launch_aedt>` for details.
     """
 
@@ -1803,7 +1804,8 @@ def get_ansyscloud_job_info(self, job_id=None, job_name=None):  # pragma: no cov
 
         .. warning::
 
-            Do not execute this function with untrusted environment variables.
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
             See the :ref:`security guide<security_ansys_cloud>` for details.
 
         Parameters
@@ -1923,7 +1925,8 @@ def get_available_cloud_config(self, region="westeurope"):  # pragma: no cover
 
         .. warning::
 
-            Do not execute this function with untrusted environment variables.
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
             See the :ref:`security guide<security_ansys_cloud>` for details.
 
         Parameters

src/ansys/aedt/core/examples/downloads.py

@@ -100,9 +100,9 @@ def _download_file(
         if not local_path.exists():
             ssl_context = ssl.create_default_context()
             pyaedt_logger.debug(f"Downloading file from URL {url}")
-            with urllib.request.urlopen(url, context=ssl_context) as response, open(
+            with urllib.request.urlopen(url, context=ssl_context) as response, open(  # nosec
                 local_path, "wb"
-            ) as out_file:  # nosec
+            ) as out_file:
                 shutil.copyfileobj(response, out_file)
         else:
             pyaedt_logger.debug(f"File already exists in {local_path}. Skipping download.")

src/ansys/aedt/core/extensions/customize_automation_tab.py

@@ -357,7 +357,15 @@ def __tab_map(product):  # pragma: no cover
 
 
 def run_command(command: List[str], desktop_object):  # pragma: no cover
-    """Run a command through subprocess."""
+    """Run a command through subprocess.
+
+    .. warning::
+
+        Do not execute this function with untrusted function argument, environment
+        variables or pyaedt global settings.
+        See the :ref:`security guide<ref_security_consideration>` for details.
+
+    """
     try:
         subprocess.run(command, check=True, capture_output=True, text=True)  # nosec
     except subprocess.CalledProcessError as e:
@@ -370,6 +378,12 @@ def run_command(command: List[str], desktop_object):  # pragma: no cover
 def add_custom_toolkit(desktop_object, toolkit_name, wheel_toolkit=None, install=True):  # pragma: no cover
     """Add toolkit to AEDT Automation Tab.
 
+    .. warning::
+
+        Do not execute this function with untrusted function argument, environment
+        variables or pyaedt global settings.
+        See the :ref:`security guide<ref_security_consideration>` for details.
+
     Parameters
     ----------
     desktop_object : :class:ansys.aedt.core.desktop.Desktop

src/ansys/aedt/core/extensions/project/create_report.py

@@ -82,6 +82,7 @@ def main(extension_args):
     if is_windows and not extension_args["is_test"]:  # pragma: no cover
         try:
             if os.path.isfile(pdf_path) and pdf_path.endswith(".pdf"):
+                # FIXME: Should be replaced with a cross-platform solution ? Like webbrowser.open(pdf_path)
                 os.startfile(pdf_path)  # nosec
         except Exception:
             aedtapp.logger.warning(f"Failed to open {pdf_path}")

src/ansys/aedt/core/generic/file_utils.py

@@ -43,6 +43,7 @@
 from ansys.aedt.core.generic.numbers import Quantity
 from ansys.aedt.core.generic.settings import settings
 from ansys.aedt.core.internal.aedt_versions import aedt_versions
+from ansys.aedt.core.internal.errors import AEDTRuntimeError
 
 is_linux = os.name == "posix"
 is_windows = not is_linux
@@ -918,6 +919,13 @@ def available_license_feature(
     feature: str = "electronics_desktop", input_dir: Union[str, Path] = None, port: int = 1055, name: str = "127.0.0.1"
 ) -> int:  # pragma: no cover
     """Check available license feature.
+
+    .. warning::
+
+        Do not execute this function with untrusted function argument, environment
+        variables or pyaedt global settings.
+        See the :ref:`security guide<ref_security_consideration>` for details.
+
     The method retrieves the port and name values from the ``ANSYSLMD_LICENSE_FILE`` environment variable if available.
     If not, the default values are applied.
 
@@ -939,7 +947,7 @@ def available_license_feature(
     int
         Number of available license features, ``False`` when license server is down.
     """
-    import subprocess  # nosec B404
+    import subprocess  # nosec
 
     if os.getenv("ANSYSLMD_LICENSE_FILE", None):
         name_env = os.getenv("ANSYSLMD_LICENSE_FILE")
@@ -972,11 +980,11 @@ def available_license_feature(
 
     cmd = [str(ansysli_util_path), "lmstat", "-f", feature, "-c", str(port) + "@" + str(name)]
 
-    f = open(str(tempfile_checkout), "w")
-
-    subprocess.Popen(cmd, stdout=f, stderr=f, env=my_env).wait()  # nosec
-
-    f.close()
+    try:
+        with tempfile_checkout.open("w") as f:
+            subprocess.run(cmd, stdout=f, stderr=f, env=my_env, check=True)  # nosec
+    except Exception as e:
+        raise AEDTRuntimeError("Failed to check available licenses") from e
 
     available_licenses = 0
     pattern_license = r"Total of\s+(\d+)\s+licenses? issued;\s+Total of\s+(\d+)\s+licenses? in use"

src/ansys/aedt/core/generic/general_methods.py

@@ -41,6 +41,7 @@
 from ansys.aedt.core.generic.numbers import _units_assignment
 from ansys.aedt.core.generic.settings import inner_project_settings  # noqa: F401
 from ansys.aedt.core.generic.settings import settings
+from ansys.aedt.core.internal.errors import AEDTRuntimeError
 from ansys.aedt.core.internal.errors import GrpcApiError
 from ansys.aedt.core.internal.errors import MethodNotSupportedError
 import psutil
@@ -998,6 +999,11 @@ def install_with_pip(package_name, package_path=None, upgrade=False, uninstall=F
 
     This method is useful for installing a package from the AEDT Console without launching the Python environment.
 
+    .. warning::
+
+        Do not execute this function with untrusted environment variables.
+        See the :ref:`security guide<ref_security_consideration>` for details.
+
     Parameters
     ----------
     package_name : str
@@ -1011,8 +1017,10 @@ def install_with_pip(package_name, package_path=None, upgrade=False, uninstall=F
     """
     import subprocess  # nosec B404
 
-    executable = f'"{sys.executable}"' if is_windows else sys.executable
+    if not package_name or not isinstance(package_name, str):
+        raise ValueError("A valid package name must be provided.")
 
+    executable = sys.executable
     commands = []
     if uninstall:
         commands.append([executable, "-m", "pip", "uninstall", "--yes", package_name])
@@ -1024,14 +1032,13 @@ def install_with_pip(package_name, package_path=None, upgrade=False, uninstall=F
             command = [executable, "-m", "pip", "install", package_name]
         if upgrade:
             command.append("-U")
-
         commands.append(command)
+
     for command in commands:
-        if is_linux:
-            p = subprocess.Popen(command)
-        else:
-            p = subprocess.Popen(" ".join(command))
-        p.wait()
+        try:
+            subprocess.run(command, check=True)  # nosec
+        except subprocess.CalledProcessError as e:  # nosec
+            raise AEDTRuntimeError("An error occurred while installing with pip") from e
 
 
 class Help:  # pragma: no cover

src/ansys/aedt/core/icepak.py

@@ -28,7 +28,6 @@
 import os
 from pathlib import Path
 import re
-import subprocess  # nosec
 import warnings
 
 from ansys.aedt.core.application.analysis_icepak import FieldAnalysisIcepak
@@ -2865,6 +2864,12 @@ def generate_fluent_mesh(
     ):  # pragma: no cover
         """Generate a Fluent mesh for a list of selected objects and assign the mesh automatically to the objects.
 
+        .. warning::
+
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
+            See the :ref:`security guide<ref_security_consideration>` for details.
+
         Parameters
         ----------
         object_lists : list, optional
@@ -2887,6 +2892,8 @@ def generate_fluent_mesh(
         -------
         :class:`ansys.aedt.core.modules.mesh.MeshOperation`
         """
+        import subprocess  # nosec
+
         version = self.aedt_version_id[-3:]
         ansys_install_dir = os.environ.get(f"ANSYS{version}_DIR", "")
         if not ansys_install_dir:

src/ansys/aedt/core/modeler/cad/elements_3d.py

@@ -1366,8 +1366,8 @@ def _update_children(self):
                     self._children[i] = BinaryTreeNode(
                         i, self.child_object.GetChildObject(i), root_name=self._saved_root_name, app=self._app
                     )
-                except Exception:  # nosec
-                    pass
+                except Exception:
+                    settings.logger.debug(f"Failed to instantiate BinaryTreeNode for {i}")
             else:
                 names = self.child_object.GetChildObject(i).GetChildNames()
                 for name in names:

src/ansys/aedt/core/rpc/rpyc_services.py

@@ -264,6 +264,12 @@ def _beta(self):
     def exposed_run_script(self, script, aedt_version="2021.2", ansysem_path=None, non_graphical=True):
         """Run script on AEDT in the server.
 
+        .. warning::
+
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
+            See the :ref:`security guide<ref_security_consideration>` for details.
+
         Parameters
         ----------
         script : str or list
@@ -893,6 +899,12 @@ def exposed_restore(self):
     def aedt_grpc(port=None, beta_options: List[str]=None, use_aedt_relative_path=False, non_graphical=True, check_interval=2):
         """Start a new AEDT session on a specified gRPC port.
 
+        .. warning::
+
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
+            See the :ref:`security guide<ref_security_consideration>` for details.
+
         Returns
         -------
         port : int
@@ -1129,6 +1141,12 @@ def on_disconnect(self, connection):
     def start_service(self, port):
         """Connect to remove service manager and run a new server on specified port.
 
+        .. warning::
+
+            Do not execute this function with untrusted function argument, environment
+            variables or pyaedt global settings.
+            See the :ref:`security guide<ref_security_consideration>` for details.
+
         Parameters
         ----------
         aedt_client_port : int

src/ansys/aedt/core/visualization/advanced/touchstone_parser.py

@@ -26,7 +26,6 @@
 import itertools
 import os
 import re
-import subprocess  # nosec
 import warnings
 
 from ansys.aedt.core import Edb
@@ -597,6 +596,12 @@ def read_touchstone(input_file):
 def check_touchstone_files(input_dir="", passivity=True, causality=True):
     """Check passivity and causality for all Touchstone files included in the folder.
 
+    .. warning::
+
+        Do not execute this function with untrusted function argument, environment
+        variables or pyaedt global settings.
+        See the :ref:`security guide<ref_security_consideration>` for details.
+
     Parameters
     ----------
     input_dir : str
@@ -615,6 +620,8 @@ def check_touchstone_files(input_dir="", passivity=True, causality=True):
         is a string with the log information.
 
     """
+    import subprocess  # nosec
+
     out = {}
     snp_files = find_touchstone_files(input_dir)
     if not snp_files: