rusackas commented on code in PR #40636:
URL: https://github.com/apache/superset/pull/40636#discussion_r3338100384


##########
superset/viz.py:
##########
@@ -633,7 +654,10 @@ def get_df_payload(  # pylint: disable=too-many-statements 
 # noqa: C901
                 )
                 self.errors.append(error)
                 self.status = QueryStatus.FAILED
-                stacktrace = utils.get_stacktrace()
+                # Only expose the raw stacktrace when explicitly enabled, 
mirroring
+                # the gating used elsewhere (e.g. 
superset.views.base.get_error_msg).
+                if current_app.debug or 
current_app.config.get("SHOW_STACKTRACE"):
+                    stacktrace = utils.get_stacktrace()
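
Review bot: `stacktrace` is now assigned only inside the new `if current_app.debug or current_app.config.get("SHOW_STACKTRACE")` branch, and the hunk shows no default for it. If nothing earlier in `get_df_payload` sets `stacktrace = None`, a later read on this failure path raises `UnboundLocalError` when both flags are off. Please confirm the initialization exists or add it just before the `if`.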

Review Comment:
   The debug branch calls `utils.get_stacktrace()` which already respects the 
debug flag (returns a value when `current_app.debug` is True or 
`SHOW_STACKTRACE` is set). The intent is consistent: both flags feed the same 
helper. If the debug path should be independent of `SHOW_STACKTRACE`, that 
would be a separate behavior change — flagging as a follow-up.



##########
superset/viz.py:
##########
@@ -1061,6 +1085,13 @@ def process_data(self, df: pd.DataFrame, aggregate: bool 
= False) -> VizData:
         method = self.form_data.get("resample_method")
 
         if rule and method:
+            if method not in ALLOWED_RESAMPLE_METHODS:
+                raise QueryObjectValidationError(
+                    _(
+                        "Resample method '%(method)s' is not supported.",
+                        method=method,
+                    )
+                )
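
Review bot: On `if method not in ALLOWED_RESAMPLE_METHODS:`, a non-string `method` (for example a list arriving in `form_data`) would fail the membership test with `TypeError` if the allowlist is a set or frozenset, rather than raising the `QueryObjectValidationError` built below it. Consider `if not isinstance(method, str) or method not in ALLOWED_RESAMPLE_METHODS:` so malformed input gets the same validation error without relying on upstream schema checks. The hunk also does not show where `ALLOWED_RESAMPLE_METHODS` is defined; a short comment at the definition stating what the allowlist protects would help future edits.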

Review Comment:
   The `resample_method` allowlist check (`method not in 
ALLOWED_RESAMPLE_METHODS`) would not raise `TypeError` on a list — frozenset 
`in` operator accepts any hashable; a list is unhashable, so Python raises 
`TypeError` before even calling `__contains__`. In practice, the payload is 
validated upstream by the schema layer (marshmallow `fields.String()`) so a 
list would be rejected before reaching this code. Valid as a defense-in-depth 
note but not a live risk given the schema guard.


