korbit-ai[bot] commented on code in PR #32261: URL: https://github.com/apache/superset/pull/32261#discussion_r1958520528
########## scripts/check-type.js: ########## @@ -0,0 +1,220 @@ +#!/usr/bin/env node + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +// @ts-check +const { exit } = require("node:process"); +const { join, dirname, normalize, sep } = require("node:path"); +const { readdir } = require("node:fs/promises"); +const { existsSync } = require("node:fs"); +const { chdir, cwd } = require("node:process"); +const { createRequire } = require("node:module"); + +const SUPERSET_ROOT = dirname(__dirname); +const PACKAGE_ARG_REGEX = /^package=/; +const EXCLUDE_DECLARATION_DIR_REGEX = /^excludeDeclarationDir=/; +const DECLARATION_FILE_REGEX = /\.d\.ts$/; + +void (async () => { + const args = process.argv.slice(2); + const { + matchedArgs: [packageArg, excludeDeclarationDirArg], + remainingArgs, + } = extractArgs(args, [PACKAGE_ARG_REGEX, EXCLUDE_DECLARATION_DIR_REGEX]); + + if (!packageArg) { + console.error("package is not specified"); + exit(1); + } + + const packageRootDir = getPackage(packageArg); + const updatedArgs = removePackageSegment(remainingArgs, packageRootDir); + const argsStr = updatedArgs.join(" "); + + const excludedDeclarationDirs = getExcludedDeclarationDirs( + excludeDeclarationDirArg + ); + let declarationFiles = await getFilesRecursively( + packageRootDir, + DECLARATION_FILE_REGEX, + excludedDeclarationDirs + ); + declarationFiles = removePackageSegment(declarationFiles, packageRootDir); + const declarationFilesStr = declarationFiles.join(" "); + + const packageRootDirAbsolute = join(SUPERSET_ROOT, packageRootDir); + const tsConfig = getTsConfig(packageRootDirAbsolute); + const command = `--noEmit --allowJs --composite false --project ${tsConfig} ${argsStr} ${declarationFilesStr}`; Review Comment: ### Command Injection Vulnerability in TypeScript Compiler Command <sub></sub> <details> <summary>Tell me more</summary> ###### What is the issue? Command string is constructed using direct string interpolation with user-provided input (argsStr and declarationFilesStr), which could lead to command injection if the input is malicious. ###### Why this matters An attacker could potentially inject malicious commands by providing specially crafted arguments that escape the intended TypeScript compiler context and execute arbitrary system commands. ###### Suggested change ∙ *Feature Preview* Validate and sanitize argsStr and declarationFilesStr to ensure they only contain safe TypeScript compiler arguments. Consider using a whitelist of allowed arguments or a safer command construction method: ```javascript const safeArgs = validateTypeScriptArgs(argsStr); const safeDeclarationFiles = validateDeclarationFiles(declarationFilesStr); const command = ['--noEmit', '--allowJs', '--composite', 'false', '--project', tsConfig, ...safeArgs, ...safeDeclarationFiles].join(' '); ``` </details> <sub> [](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/4bba0d61-d34c-46af-8e5c-56ad19060adc?suggestedFixEnabled=true) 💬 Chat with Korbit by mentioning @korbit-ai. </sub> <!--- korbi internal id:44589a6d-27bc-405a-9fbd-48748abc53a6 --> ########## scripts/check-type.js: ########## @@ -0,0 +1,220 @@ +#!/usr/bin/env node + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +// @ts-check +const { exit } = require("node:process"); +const { join, dirname, normalize, sep } = require("node:path"); +const { readdir } = require("node:fs/promises"); +const { existsSync } = require("node:fs"); +const { chdir, cwd } = require("node:process"); +const { createRequire } = require("node:module"); + +const SUPERSET_ROOT = dirname(__dirname); +const PACKAGE_ARG_REGEX = /^package=/; +const EXCLUDE_DECLARATION_DIR_REGEX = /^excludeDeclarationDir=/; +const DECLARATION_FILE_REGEX = /\.d\.ts$/; + +void (async () => { + const args = process.argv.slice(2); + const { + matchedArgs: [packageArg, excludeDeclarationDirArg], + remainingArgs, + } = extractArgs(args, [PACKAGE_ARG_REGEX, EXCLUDE_DECLARATION_DIR_REGEX]); + + if (!packageArg) { + console.error("package is not specified"); + exit(1); + } + + const packageRootDir = getPackage(packageArg); + const updatedArgs = removePackageSegment(remainingArgs, packageRootDir); + const argsStr = updatedArgs.join(" "); + + const excludedDeclarationDirs = getExcludedDeclarationDirs( + excludeDeclarationDirArg + ); + let declarationFiles = await getFilesRecursively( + packageRootDir, + DECLARATION_FILE_REGEX, + excludedDeclarationDirs + ); + declarationFiles = removePackageSegment(declarationFiles, packageRootDir); + const declarationFilesStr = declarationFiles.join(" "); + + const packageRootDirAbsolute = join(SUPERSET_ROOT, packageRootDir); + const tsConfig = getTsConfig(packageRootDirAbsolute); + const command = `--noEmit --allowJs --composite false --project ${tsConfig} ${argsStr} ${declarationFilesStr}`; + + try { + chdir(packageRootDirAbsolute); + // Please ensure that tscw-config is installed in the package being type-checked. + const tscw = packageRequire("tscw-config"); + const child = await tscw`${command}`; + + if (child.stdout) { + console.log(child.stdout); + } + + if (child.stderr) { + console.error(child.stderr); + } + + exit(child.exitCode); + } catch (e) { + console.error("Failed to execute type checking:", e); + console.error("Package:", packageRootDir); + console.error("Command:", `tscw ${command}`); + exit(1); + } +})(); + +/** + * @param {string} dir + * @param {RegExp} regex + * @param {string[]} excludedDirs + * + * @returns {Promise<string[]>} + */ + +async function getFilesRecursively(dir, regex, excludedDirs) { + const files = await readdir(dir, { withFileTypes: true }); Review Comment: ### Missing Directory Read Error Handling <sub></sub> <details> <summary>Tell me more</summary> ###### What is the issue? The getFilesRecursively function does not handle filesystem errors during directory reading. ###### Why this matters Directory access can fail due to permissions or I/O errors, causing unhandled promise rejections that could crash the application. ###### Suggested change ∙ *Feature Preview* Add try-catch block around directory operations: ```javascript async function getFilesRecursively(dir, regex, excludedDirs) { try { const files = await readdir(dir, { withFileTypes: true }); // ... rest of the function } catch (err) { console.error(`Failed to read directory ${dir}:`, err?.message || err); return []; } } ``` </details> <sub> [](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/a4a5032e-0ff1-4799-9877-655ac4300a43?suggestedFixEnabled=true) 💬 Chat with Korbit by mentioning @korbit-ai. </sub> <!--- korbi internal id:5f8e00f5-a65b-4a73-8f25-5092008a33b0 --> ########## scripts/check-type.js: ########## @@ -0,0 +1,220 @@ +#!/usr/bin/env node + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +// @ts-check +const { exit } = require("node:process"); +const { join, dirname, normalize, sep } = require("node:path"); +const { readdir } = require("node:fs/promises"); +const { existsSync } = require("node:fs"); +const { chdir, cwd } = require("node:process"); +const { createRequire } = require("node:module"); + +const SUPERSET_ROOT = dirname(__dirname); +const PACKAGE_ARG_REGEX = /^package=/; +const EXCLUDE_DECLARATION_DIR_REGEX = /^excludeDeclarationDir=/; +const DECLARATION_FILE_REGEX = /\.d\.ts$/; + +void (async () => { + const args = process.argv.slice(2); + const { + matchedArgs: [packageArg, excludeDeclarationDirArg], + remainingArgs, + } = extractArgs(args, [PACKAGE_ARG_REGEX, EXCLUDE_DECLARATION_DIR_REGEX]); + + if (!packageArg) { + console.error("package is not specified"); + exit(1); + } + + const packageRootDir = getPackage(packageArg); + const updatedArgs = removePackageSegment(remainingArgs, packageRootDir); + const argsStr = updatedArgs.join(" "); + + const excludedDeclarationDirs = getExcludedDeclarationDirs( + excludeDeclarationDirArg + ); + let declarationFiles = await getFilesRecursively( + packageRootDir, + DECLARATION_FILE_REGEX, + excludedDeclarationDirs + ); + declarationFiles = removePackageSegment(declarationFiles, packageRootDir); + const declarationFilesStr = declarationFiles.join(" "); + + const packageRootDirAbsolute = join(SUPERSET_ROOT, packageRootDir); + const tsConfig = getTsConfig(packageRootDirAbsolute); + const command = `--noEmit --allowJs --composite false --project ${tsConfig} ${argsStr} ${declarationFilesStr}`; + + try { + chdir(packageRootDirAbsolute); + // Please ensure that tscw-config is installed in the package being type-checked. + const tscw = packageRequire("tscw-config"); + const child = await tscw`${command}`; + + if (child.stdout) { + console.log(child.stdout); + } + + if (child.stderr) { + console.error(child.stderr); + } + + exit(child.exitCode); + } catch (e) { + console.error("Failed to execute type checking:", e); + console.error("Package:", packageRootDir); + console.error("Command:", `tscw ${command}`); + exit(1); + } +})(); + +/** + * @param {string} dir + * @param {RegExp} regex + * @param {string[]} excludedDirs + * + * @returns {Promise<string[]>} + */ + +async function getFilesRecursively(dir, regex, excludedDirs) { + const files = await readdir(dir, { withFileTypes: true }); + /** @type {string[]} */ + let result = []; + + for (const file of files) { + const fullPath = join(dir, file.name); + const shouldExclude = excludedDirs.includes(file.name); + + if (file.isDirectory() && !shouldExclude) { + result = result.concat( + await getFilesRecursively(fullPath, regex, excludedDirs) + ); Review Comment: ### Inefficient Array Concatenation <sub></sub> <details> <summary>Tell me more</summary> ###### What is the issue? Repeatedly concatenating arrays in a loop creates unnecessary intermediate arrays and causes memory churn. ###### Why this matters Each concat operation creates a new array, leading to O(n^2) complexity in terms of memory operations and potential garbage collection overhead. ###### Suggested change ∙ *Feature Preview* Use array spread with a single concatenation after the loop or maintain a flat array structure from the start: ```javascript const allResults = await Promise.all(recursivePromises); return [...result, ...allResults.flat()]; ``` </details> <sub> [](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/f820226e-4fcb-4309-b023-a79b366587be?suggestedFixEnabled=true) 💬 Chat with Korbit by mentioning @korbit-ai. </sub> <!--- korbi internal id:6a9c503a-9995-42b7-8d00-88767cc16a3c --> ########## scripts/check-type.js: ########## @@ -0,0 +1,220 @@ +#!/usr/bin/env node + +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +// @ts-check +const { exit } = require("node:process"); +const { join, dirname, normalize, sep } = require("node:path"); +const { readdir } = require("node:fs/promises"); +const { existsSync } = require("node:fs"); +const { chdir, cwd } = require("node:process"); +const { createRequire } = require("node:module"); + +const SUPERSET_ROOT = dirname(__dirname); +const PACKAGE_ARG_REGEX = /^package=/; +const EXCLUDE_DECLARATION_DIR_REGEX = /^excludeDeclarationDir=/; +const DECLARATION_FILE_REGEX = /\.d\.ts$/; + +void (async () => { + const args = process.argv.slice(2); + const { + matchedArgs: [packageArg, excludeDeclarationDirArg], + remainingArgs, + } = extractArgs(args, [PACKAGE_ARG_REGEX, EXCLUDE_DECLARATION_DIR_REGEX]); + + if (!packageArg) { + console.error("package is not specified"); + exit(1); + } + + const packageRootDir = getPackage(packageArg); + const updatedArgs = removePackageSegment(remainingArgs, packageRootDir); + const argsStr = updatedArgs.join(" "); + + const excludedDeclarationDirs = getExcludedDeclarationDirs( + excludeDeclarationDirArg + ); + let declarationFiles = await getFilesRecursively( + packageRootDir, + DECLARATION_FILE_REGEX, + excludedDeclarationDirs + ); + declarationFiles = removePackageSegment(declarationFiles, packageRootDir); + const declarationFilesStr = declarationFiles.join(" "); + + const packageRootDirAbsolute = join(SUPERSET_ROOT, packageRootDir); + const tsConfig = getTsConfig(packageRootDirAbsolute); + const command = `--noEmit --allowJs --composite false --project ${tsConfig} ${argsStr} ${declarationFilesStr}`; + + try { + chdir(packageRootDirAbsolute); + // Please ensure that tscw-config is installed in the package being type-checked. + const tscw = packageRequire("tscw-config"); + const child = await tscw`${command}`; + + if (child.stdout) { + console.log(child.stdout); + } + + if (child.stderr) { + console.error(child.stderr); + } + + exit(child.exitCode); + } catch (e) { + console.error("Failed to execute type checking:", e); + console.error("Package:", packageRootDir); + console.error("Command:", `tscw ${command}`); + exit(1); + } +})(); + +/** + * @param {string} dir + * @param {RegExp} regex + * @param {string[]} excludedDirs + * + * @returns {Promise<string[]>} + */ + +async function getFilesRecursively(dir, regex, excludedDirs) { + const files = await readdir(dir, { withFileTypes: true }); + /** @type {string[]} */ + let result = []; + + for (const file of files) { + const fullPath = join(dir, file.name); + const shouldExclude = excludedDirs.includes(file.name); + + if (file.isDirectory() && !shouldExclude) { + result = result.concat( + await getFilesRecursively(fullPath, regex, excludedDirs) + ); + } else if (regex.test(file.name)) { Review Comment: ### Sequential Directory Traversal <sub></sub> <details> <summary>Tell me more</summary> ###### What is the issue? The function performs sequential directory traversal with await inside a loop, which is inefficient for large directory structures. ###### Why this matters This implementation will process directories one at a time, significantly increasing execution time in repositories with deep directory structures or many files. ###### Suggested change ∙ *Feature Preview* Use Promise.all to process directories in parallel: ```javascript async function getFilesRecursively(dir, regex, excludedDirs) { const files = await readdir(dir, { withFileTypes: true }); const recursivePromises = []; const result = []; for (const file of files) { const fullPath = join(dir, file.name); const shouldExclude = excludedDirs.includes(file.name); if (file.isDirectory() && !shouldExclude) { recursivePromises.push(getFilesRecursively(fullPath, regex, excludedDirs)); } else if (regex.test(file.name)) { result.push(fullPath); } } const recursiveResults = await Promise.all(recursivePromises); return result.concat(...recursiveResults); } ``` </details> <sub> [](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/0b7ed95a-6306-411b-99d4-21f25b3f5198?suggestedFixEnabled=true) 💬 Chat with Korbit by mentioning @korbit-ai. </sub> <!--- korbi internal id:10b01f21-c954-4ae6-baa7-3d8780d14709 --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
