codeant-ai-for-open-source[bot] commented on code in PR #41077:
URL: https://github.com/apache/superset/pull/41077#discussion_r3416838570


##########
docker/docker-bootstrap.sh:
##########
@@ -81,17 +81,17 @@ case "${1}" in
   app)
     echo "Starting web app (using development server)..."
 
-    # Environment-based debugger control for security
-    # Only enable Werkzeug interactive debugger when explicitly requested
-    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth 
approach
-    # Override FLASK_DEBUG so the effective state matches 
SUPERSET_DEBUG_ENABLED even
-    # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
+    # Always run in Flask debug mode here: this is the dev compose entrypoint,
+    # and Superset's Talisman selector keys off app.debug to serve the dev CSP
+    # (which permits 'unsafe-eval' required by React Refresh / HMR).
+    export FLASK_DEBUG=1
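Review bot: the new `export FLASK_DEBUG=1` is unconditional, so a `FLASK_DEBUG=false` inherited from `docker/.env` or `.flaskenv` (the exact case the deleted comment called out) is silently overwritten and an operator has no way to start the `app` target without Flask debug mode, which also turns on the Werkzeug interactive debugger the old comment deliberately gated behind an explicit request. Keep the dev-CSP behaviour as the default but leave the opt-out intact, e.g. `export FLASK_DEBUG="${FLASK_DEBUG:-1}"`, and carry forward a comment noting that debug mode exposes the interactive debugger (PIN-protected on Werkzeug 3.0+, but still a debug-only surface) so the default is understood to be appropriate only for the local compose stack. The hunk also drops the coupling to `SUPERSET_DEBUG_ENABLED` that the removed comment described; if that variable no longer controls anything here, the PR description should say so.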

Review Comment:
   **Suggestion:** This hard-overrides any user-provided `FLASK_DEBUG` value from `docker/.env` or `.env-local`, so operators cannot disable debug mode even when they explicitly set it to false. That forces debug-only behavior (like dev CSP selection and debug-mode startup paths) on every `app` run. Preserve configurability by only defaulting `FLASK_DEBUG` when it is unset instead of unconditionally exporting `1`. [logic error]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ⚠️ Dev superset service ignores FLASK_DEBUG overrides from .env-local.
   - ⚠️ Operators cannot run dev stack without debug semantics.
   - ⚠️ Harder to test production-like CSP and error handling.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Observe that the `superset` service in `docker-compose.yml:6-15` uses `env_file` entries `docker/.env` and optional `docker/.env-local` and starts the app with `command: ["/app/docker/docker-bootstrap.sh", "app"]`, meaning any FLASK_DEBUG value from these env files is injected into the container before `docker-bootstrap.sh` runs.
   
   2. Create `docker/.env-local` locally (env override explicitly supported by `docker-compose.yml:8-11`) with `FLASK_DEBUG=false`, intending to run the dev stack without Flask debug features while still using the same compose stack.
   
   3. Run `docker compose up superset` (or `docker compose up`) from the project root so the `superset` container starts and executes `/app/docker/docker-bootstrap.sh app`; in the `app` case, the script reaches lines `81-87` where it unconditionally runs `export FLASK_DEBUG=1`, overwriting the `FLASK_DEBUG=false` value supplied via `docker/.env-local`.
   
   4. Inside the running container, Superset's configuration at `superset/config.py:350` reads `DEBUG = utils.parse_boolean_string(os.environ.get("FLASK_DEBUG"))`, and initialization at `superset/initialization/__init__.py:4-9` selects `TALISMAN_DEV_CONFIG` when `self.superset_app.debug or self.config["DEBUG"]` is true; because `FLASK_DEBUG` was forced to `1` in step 3, the app always runs with debug-mode semantics and dev CSP even though the operator explicitly set `FLASK_DEBUG=false`.
   ```
   </details>
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

