rusackas commented on code in PR #40637:
URL: https://github.com/apache/superset/pull/40637#discussion_r3376771727


##########
superset/daos/base.py:
##########
@@ -749,7 +750,10 @@ def list(  # noqa: C901
             else:
                 query = query.order_by(asc(column))
         page = page
-        page_size = max(page_size, 1)
+        # Clamp the page size to a sane range: at least 1, and no larger than
+        # the configured upper bound, to keep result sets bounded.
+        max_page_size = current_app.config.get("SQLALCHEMY_DAO_MAX_PAGE_SIZE", 
1000)
+        page_size = min(max(page_size, 1), max_page_size)
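Review bot: `max_page_size` is read from `current_app.config.get("SQLALCHEMY_DAO_MAX_PAGE_SIZE", 1000)` and fed straight into `min(...)` without validation, so a non-integer value (for example a string injected from the environment) raises a `TypeError` on every list call, and a value of 0 or less makes `min(max(page_size, 1), max_page_size)` return 0 or a negative, defeating the `max(page_size, 1)` floor the line is meant to preserve. Coerce and floor the bound before the `min`, along the lines of `max_page_size = max(int(raw), 1)` with the `int()` wrapped so a parse failure falls back to the 1000 default, so the upper bound is always a positive integer regardless of deployment config. The unchanged `page = page` two lines above is a no-op assignment and could be dropped in the same change.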

Review Comment:
Good call — I went ahead and addressed this here rather than deferring it. `BaseDAO.list` now coerces `SQLALCHEMY_DAO_MAX_PAGE_SIZE` to an int (falling back to the 1000 default on a bad value) and clamps it to at least 1 before the `min(...)`, so a non-int or <= 0 config can no longer produce a non-positive page size or an unbounded query.



##########
superset/daos/base.py:
##########
@@ -749,7 +750,10 @@ def list(  # noqa: C901
             else:
                 query = query.order_by(asc(column))
         page = page
-        page_size = max(page_size, 1)
+        # Clamp the page size to a sane range: at least 1, and no larger than
+        # the configured upper bound, to keep result sets bounded.
+        max_page_size = current_app.config.get("SQLALCHEMY_DAO_MAX_PAGE_SIZE", 
1000)
+        page_size = min(max(page_size, 1), max_page_size)
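Review bot: the new configuration key `SQLALCHEMY_DAO_MAX_PAGE_SIZE` is introduced here only as an inline `config.get(...)` with a hard-coded fallback of `1000`, which leaves the bound undocumented and the default duplicated as a magic number wherever the key is read. Register the default alongside the application's other config defaults and describe it (purpose, default, that it caps every `BaseDAO.list` page) so operators can discover and tune it; the inline fallback can then stay as a defensive last resort.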

Review Comment:
Fixed in this PR — `max_page_size` is now coerced to `int` (with a fallback to the 1000 default if it cannot be parsed) and clamped to at least 1 before applying `min(max(page_size, 1), max_page_size)`, so a non-int or <= 0 config no longer raises a `TypeError` or yields `page_size=0`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.