codeant-ai-for-open-source[bot] commented on code in PR #40543:
URL: https://github.com/apache/superset/pull/40543#discussion_r3328170358
##########
superset/commands/chart/create.py:
##########
@@ -43,6 +44,13 @@ class CreateChartCommand(CreateMixin, BaseCommand):
def __init__(self, data: dict[str, Any]):
self._properties = data.copy()
+ if params_str := self._properties.get("params"):
+ params = json.loads(params_str)
+ if isinstance(params, dict) and "viz_type" in params:
+ # Only fall back to params when no top-level viz_type was
supplied;
+ # an explicit top-level field takes precedence.
+ self._properties.setdefault("viz_type", params["viz_type"])
Review Comment:
**Suggestion:** The fallback copies `viz_type` from `params` without
applying the same validation as `ChartPostSchema.viz_type` (string
type/length). A request can pass schema validation (because `params` is only
JSON-validated) but still inject a non-string or oversized `viz_type`, causing
DB bind/constraint failures during create instead of a clean validation error.
Validate the extracted fallback value before assigning it. [type error]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ /api/v1/chart accepts invalid viz_type via params.
- ⚠️ Invalid viz_type surfaces as generic DB/create failure.
- ⚠️ Users lose field-specific viz_type validation feedback.
- ⚠️ Potentially inconsistent viz_type across params and column.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Call the chart creation API `POST /api/v1/chart/` handled by
`ChartRestApi.post` at
`superset/charts/api.py:324-365`, sending JSON with required fields
(`slice_name`,
`datasource_id`, `datasource_type`) and a `params` field containing a JSON
string like
`{"viz_type": "<300+ character string>"}`, but omit the top-level `viz_type`
field.
2. In `ChartRestApi.post`, the payload is validated by `ChartPostSchema`
(`superset/charts/schemas.py:187-207`): `params` passes `utils.validate_json`
(`superset/utils/schema.py:43-52`), which only checks that the string is
valid JSON and
does not inspect or constrain the embedded `viz_type` field, so the request
passes schema
validation despite the oversized inner `viz_type`.
3. `ChartRestApi.post` then constructs `CreateChartCommand(item)` at
`superset/charts/api.py:365`; inside `CreateChartCommand.__init__`
(`superset/commands/chart/create.py:43-52`), `params_str` is loaded with
`json.loads`,
producing a dict whose `viz_type` key holds the oversized string, and
because there is no
top-level `viz_type` key, the block at `create.py:49-52` executes and copies
this
unvalidated value directly into `self._properties["viz_type"]` via
`setdefault`, bypassing
the `Length(0, 250)` constraint defined for the top-level `viz_type` field in
`ChartPostSchema`.
4. When `CreateChartCommand.run` (`create.py:54-59`) is called, `validate()`
does not
check `viz_type`, so `ChartDAO.create` persists `self._properties` into the
`Slice` model
(`superset/models/slice.py:68-82`), where `viz_type` maps to a `String(250)`
column; on
commit, the database can raise a `DataError` or related constraint/bind
error because the
value exceeds the column size, which is then wrapped as
`ChartCreateFailedError` by the
`@transaction` decorator (`superset/utils/decorators.py:235-252`), causing a
generic 422
error from `ChartRestApi.post` (`charts/api.py:45-59`) instead of a clean,
field-specific
validation error at schema level.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=3d2828ff9d974bb0bbc2f7999647c323&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=3d2828ff9d974bb0bbc2f7999647c323&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/commands/chart/create.py
**Line:** 49:52
**Comment:**
*Type Error: The fallback copies `viz_type` from `params` without
applying the same validation as `ChartPostSchema.viz_type` (string
type/length). A request can pass schema validation (because `params` is only
JSON-validated) but still inject a non-string or oversized `viz_type`, causing
DB bind/constraint failures during create instead of a clean validation error.
Validate the extracted fallback value before assigning it.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40543&comment_hash=065f1fb8f266b0584e5c0054e75125d461463df2f6129dc8998c3351b559bdce&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40543&comment_hash=065f1fb8f266b0584e5c0054e75125d461463df2f6129dc8998c3351b559bdce&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
