codeant-ai-for-open-source[bot] commented on code in PR #40536:
URL: https://github.com/apache/superset/pull/40536#discussion_r3328016974
##########
superset/commands/chart/create.py:
##########
@@ -43,6 +44,11 @@ class CreateChartCommand(CreateMixin, BaseCommand):
def __init__(self, data: dict[str, Any]):
self._properties = data.copy()
+ if params_str := self._properties.get("params"):
+ params = json.loads(params_str)
+ if isinstance(params, dict) and "viz_type" in params:
+ self._properties["viz_type"] = params["viz_type"]
Review Comment:
**Suggestion:** This unconditionally overwrites a user-supplied top-level
chart type whenever `params` contains `viz_type`. If both are present but
differ, the explicit API field is silently ignored and the chart can be created
with the wrong visualization type. Only copy from `params` when the top-level
field is missing. [incorrect condition logic]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ POST /api/v1/chart persists unexpected viz_type from params.
- ⚠️ Programmatic chart creation can silently ignore explicit viz_type.
- ⚠️ Generated charts may render with inconsistent visualization type.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Send a POST request to the chart creation API `POST /api/v1/chart/`
handled by
`ChartRestApi.post()` in `superset/charts/api.py` (around lines 359–366 per
`add` method
snippet).
2. In the JSON body, provide a valid top-level `viz_type`, e.g. `"viz_type":
"bar"`, and a
`params` string whose JSON contains a conflicting `viz_type`, e.g. `"params":
"{\"viz_type\": \"line\"}"`. This request payload is loaded by
`ChartPostSchema` in
`superset/charts/schemas.py:28-53`, which validates the top-level `viz_type`
as a string
and `params` as JSON.
3. After schema validation, `ChartRestApi.post()` calls
`CreateChartCommand(item).run()`
(see `superset/charts/api.py` snippet lines 20-27). Inside
`CreateChartCommand.__init__`
in `superset/commands/chart/create.py:44-50`, `self._properties` is set to
the validated
data, then `params_str` is JSON-decoded and, because the decoded dict has
`"viz_type":
"line"`, the unconditional assignment at lines 49-50 overwrites the
already-validated
top-level `"viz_type": "bar"` with `"line"`.
4. `CreateChartCommand.run()` then calls
`ChartDAO.create(attributes=self._properties)`
(create.py:52-57), which persists a `Slice` model
(`superset/models/slice.py:68-82`) with
`viz_type="line"`. Fetching or rendering this chart later (e.g. via explore
or GET
endpoints) shows `viz_type="line"`, demonstrating that the explicit API
field was silently
ignored whenever `params` also contained `viz_type`.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=ff6f30e2abf246a3ab10136434c67902&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=ff6f30e2abf246a3ab10136434c67902&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/commands/chart/create.py
**Line:** 49:50
**Comment:**
*Incorrect Condition Logic: This unconditionally overwrites a
user-supplied top-level chart type whenever `params` contains `viz_type`. If
both are present but differ, the explicit API field is silently ignored and the
chart can be created with the wrong visualization type. Only copy from `params`
when the top-level field is missing.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40536&comment_hash=a0b5e9f73902579991f5b15d8100f54796a61931b2dd9e02b2ea90838a5ee90b&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40536&comment_hash=a0b5e9f73902579991f5b15d8100f54796a61931b2dd9e02b2ea90838a5ee90b&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
