codeant-ai-for-open-source[bot] commented on PR #36805: URL: https://github.com/apache/superset/pull/36805#issuecomment-3685459027
## Nitpicks 🔍

🔒 **No security issues identified**

⚡ **Recommended areas for review**

- [ ] [**Broken AST extraction**](https://github.com/apache/superset/pull/36805/files#diff-9319f7e9cd472910177e7ee1ecd81e6980cfacf5eebb44fdf4edf829e45ec708R82-R126)
  The fallback AST extraction code injects a literal placeholder (`${extractDatabaseDocsCode()}`) into the spawned Python script. This will fail at runtime and makes `extractDatabaseDocs()` effectively broken. Confirm that this path is tested or replace it with a robust approach (e.g., direct import of `DATABASE_DOCS` or a correct AST->source extraction).
- [ ] [**Unsanitized logo filenames**](https://github.com/apache/superset/pull/36805/files#diff-9319f7e9cd472910177e7ee1ecd81e6980cfacf5eebb44fdf4edf829e45ec708R498-R519)
  `generateReadmeLogos()` inserts `db.documentation.logo` directly into generated HTML (README). If `logo` contains unexpected characters or crafted input (quotes, angle brackets, protocol strings), the resulting HTML could be malformed or allow injection in rendered contexts. Validate or sanitize logo values (allowlist filenames only) before embedding.
- [ ] [**Unescaped frontmatter**](https://github.com/apache/superset/pull/36805/files#diff-9319f7e9cd472910177e7ee1ecd81e6980cfacf5eebb44fdf4edf829e45ec708R356-R391)
  `generateDatabaseMDX()` writes `title` and `sidebar_label` values into YAML frontmatter without quoting or sanitization. Database names with special characters (colons, newlines, leading dashes, or YAML-sensitive characters) could produce invalid/incorrect MDX/YAML. These fields should be properly quoted/escaped.
- [ ] [**Missing data guard**](https://github.com/apache/superset/pull/36805/files#diff-364754127aa1d723a9e8e65215412a8aa870ba82d4dd1465be57601b656f6b23R27-R30)
  The page directly indexes `databaseData.databases["YDB"]` and will throw or render incorrectly if the key is absent or the JSON shape changes. Add a defensive fallback or conditional render to avoid build/runtime errors when the generated JSON doesn't contain the expected key.
- [ ] [**Bundle size / import pattern**](https://github.com/apache/superset/pull/36805/files#diff-364754127aa1d723a9e8e65215412a8aa870ba82d4dd1465be57601b656f6b23R28-R29)
  Each MDX page imports the entire `databases.json`. With 53 generated pages this can increase bundle size or build time. Consider lazy-loading the specific database entry or creating per-database JSON files so each page only includes the data it needs.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
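An added example, not code from the PR or from the Superset repository, showing the two sanitisation steps the bot's second and third items ask for: always double-quoting YAML frontmatter scalars (colons, newlines and leading dashes become harmless inside a quoted scalar) and allowlisting logo filenames before they are interpolated into generated HTML. The function names (`yamlQuote`, `renderFrontmatter`, `safeLogoFilename`, `logoImgTag`), the image path and the sample record are hypothetical.

```javascript
// Hypothetical helpers for a docs generator; not the PR's own code.

// Emit a YAML double-quoted scalar. Double-quoted style is the only YAML style with
// backslash escapes, so quoting every value avoids the special-character rules
// (leading "-", ": ", "#", newlines) instead of trying to enumerate them.
function yamlQuote(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')   // backslash first so later escapes are not doubled
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\t/g, '\\t');
  return `"${escaped}"`;
}

// Build a frontmatter block where every field is quoted, e.g. title/sidebar_label.
function renderFrontmatter(fields) {
  const lines = Object.entries(fields).map(([k, v]) => `${k}: ${yamlQuote(v)}`);
  return ['---', ...lines, '---', ''].join('\n');
}

// Allowlist for logo values: a bare basename of [A-Za-z0-9._-] starting with an
// alphanumeric, no "..", and a known image extension. Anything else yields null so
// the caller can skip the entry or fail the build rather than embed raw input.
const LOGO_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*\.(png|svg|jpg|jpeg|webp)$/i;
function safeLogoFilename(name) {
  if (typeof name !== 'string' || name.includes('..')) return null;
  return LOGO_RE.test(name) ? name : null;
}

// Minimal attribute escaping for the alt text, which is free-form (unlike the logo).
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render one <img> tag; returns '' when the logo fails the allowlist.
function logoImgTag(db, basePath = 'static/images/databases/') {
  const file = safeLogoFilename(db.logo);
  if (file === null) return '';
  return `<img src="${basePath}${file}" alt="${escapeHtmlAttr(db.name)}" height="30" />`;
}

// Constructed sample record exercising a colon, quotes and a leading dash.
const SAMPLE_DB = { name: 'Acme: DB "v2"', logo: 'acme.png', sidebar_label: '- Acme' };
```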
