codeant-ai-for-open-source[bot] commented on code in PR #40980:
URL: https://github.com/apache/superset/pull/40980#discussion_r3398336155
##########
superset/reports/filters.py:
##########
@@ -47,11 +55,11 @@ class ReportScheduleAllTextFilter(BaseFilter): # pylint:
disable=too-few-public
def apply(self, query: Query, value: Any) -> Query:
if not value:
return query
- ilike_value = f"%{value}%"
+ ilike_value = f"%{_escape_like(value)}%"
Review Comment:
**Suggestion:** The new `_escape_like(value)` call assumes `value` is always
a string, but list-filter payloads can carry non-string JSON values (for
example unquoted numbers in Rison). In that case `value.replace(...)` raises
`AttributeError` and the endpoint returns 500 instead of safely handling the
filter. Coerce `value` to `str` (or guard non-string input) before calling
`_escape_like` to preserve the previous behavior. [type error]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ /api/v1/report listing fails for non-string name filters.
- ⚠️ Backward compatibility broken for numeric report_all_text clients.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Use the ReportSchedule REST API list endpoint `/api/v1/report/`
implemented by
`ReportScheduleRestApi` in `superset/reports/api.py:73-232`, which defines
`search_filters
= {"name": [ReportScheduleAllTextFilter]}` at
`superset/reports/api.py:219-231`.
2. Construct a Rison-encoded `q` parameter similar to the integration test
`test_get_list_report_schedule_filter_custom` in
`superset/tests/integration_tests/reports/api_tests.py:14-27`, but with a
non-string
value, for example:
`arguments = {"columns": ["name"], "filters": [{"col": "name", "opr":
"report_all_text", "value": 123}]}` and call `GET
/api/v1/report/?q=<rison.dumps(arguments)>`.
3. The request is parsed by `BaseSupersetModelRestApi._handle_filters_args`
in
`superset/views/base_api.py:122-149`, which builds a `Filters` instance from
`search_columns`/`search_filters` and calls
`filters.rest_add_filters(rison_args.get(API_FILTERS_RIS_KEY, []))` without
coercing
`value` to `str`, so the filter for `col: "name", opr: "report_all_text"`
receives `value`
as the integer `123`.
4. When the query is executed, `ReportScheduleAllTextFilter.apply` in
`superset/reports/filters.py:51-64` is invoked with `value=123`; it passes
this value into
`_escape_like` at `superset/reports/filters.py:28-33`, and `_escape_like`
executes
`value.replace(...)` on the integer, raising `AttributeError: 'int' object
has no
attribute 'replace'`, which is caught by `handle_api_exception`
(`superset/views/error_handling.py:10-47`) and returned to the client as an
HTTP 500 error
instead of a normal filtered list response.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=27da549f76254501813d7a21c0bd7b5b&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=27da549f76254501813d7a21c0bd7b5b&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/reports/filters.py
**Line:** 58:58
**Comment:**
*Type Error: The new `_escape_like(value)` call assumes `value` is
always a string, but list-filter payloads can carry non-string JSON values (for
example unquoted numbers in Rison). In that case `value.replace(...)` raises
`AttributeError` and the endpoint returns 500 instead of safely handling the
filter. Coerce `value` to `str` (or guard non-string input) before calling
`_escape_like` to preserve the previous behavior.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40980&comment_hash=107407ddbfd6e19cd413cf53a93fdf2c01961d2fff1c2a28d9ceaaec9a37f5ba&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40980&comment_hash=107407ddbfd6e19cd413cf53a93fdf2c01961d2fff1c2a28d9ceaaec9a37f5ba&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
