codeant-ai-for-open-source[bot] commented on PR #37037: URL: https://github.com/apache/superset/pull/37037#issuecomment-3736363402
## Nitpicks 🔍

🔒 **No security issues identified**

⚡ **Recommended areas for review**

- [ ] [**Unsanitized custom_width sent**](https://github.com/apache/superset/pull/37037/files#diff-5a26a6f929c730969af4026eca1a499754cd7101a1ce96e1b3246540364914cbR505-R505)
  The change causes `custom_width` to be included for PDF reports (via `isScreenshot`). There is no server-side clamping; the UI enforces min/max constraints, but `currentAlert?.custom_width` is taken as-is when building the payload. Consider normalizing/clamping the value before sending to ensure it always falls within allowed bounds and to avoid unexpected server behavior for out-of-range or NaN values.
- [ ] [**Case sensitivity risk**](https://github.com/apache/superset/pull/37037/files#diff-5a26a6f929c730969af4026eca1a499754cd7101a1ce96e1b3246540364914cbR505-R505)
  The new visibility check compares `reportFormat === 'PNG' || reportFormat === 'PDF'`. If `reportFormat` ever comes in lowercase (e.g. 'pdf' or 'png') from another code path or remote source, the screenshot input will be hidden even though it should be shown. Consider normalizing or using a case-insensitive comparison to avoid brittle behavior.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
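One way to address both nitpicks on the client side, as an added example that is not Superset's own code: normalize the report format case-insensitively and clamp `custom_width` into a bounds object before building the payload. The `WidthBounds` values and the `buildReportPayload` helper are assumptions for illustration; the page does not state Superset's actual min/max.

```typescript
// Added example, not code from apache/superset. Demonstrates the two
// hardening suggestions from the review: case-insensitive format check and
// client-side clamping of custom_width with NaN/garbage handling.

// Bounds are passed in rather than hard-coded; the real limits are assumed
// to come from the UI's existing min/max constraints.
export interface WidthBounds {
  min: number;
  max: number;
}

// Formats that produce a screenshot and therefore accept a custom width.
export const SCREENSHOT_FORMATS: readonly string[] = ['PNG', 'PDF'];

// Case-insensitive replacement for `reportFormat === 'PNG' || reportFormat === 'PDF'`.
export function isScreenshotFormat(reportFormat: unknown): boolean {
  if (typeof reportFormat !== 'string') return false;
  return SCREENSHOT_FORMATS.includes(reportFormat.trim().toUpperCase());
}

// Clamp a user-supplied width into [min, max]. Returns undefined when the
// input is not a finite number (NaN, '', null, objects), so the caller can
// omit the field instead of sending an invalid value to the server.
export function normalizeCustomWidth(value: unknown, bounds: WidthBounds): number | undefined {
  let n: unknown = value;
  if (typeof value === 'string') {
    const trimmed = value.trim();
    if (trimmed === '') return undefined; // Number('') would be 0, not an error
    n = Number(trimmed);
  }
  if (typeof n !== 'number' || !Number.isFinite(n)) return undefined;
  const rounded = Math.round(n); // widths are whole pixels
  return Math.min(bounds.max, Math.max(bounds.min, rounded));
}

// Hypothetical payload builder: only attaches custom_width for screenshot
// formats, and only after it has been normalized.
export function buildReportPayload(
  alert: { report_format?: unknown; custom_width?: unknown },
  bounds: WidthBounds,
): Record<string, unknown> {
  const payload: Record<string, unknown> = { report_format: alert.report_format };
  if (isScreenshotFormat(alert.report_format)) {
    const width = normalizeCustomWidth(alert.custom_width, bounds);
    if (width !== undefined) payload.custom_width = width;
  }
  return payload;
}
```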
