Tool to reconcile property:value within nodes that are supercedeBy new nodes

[ajaits]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a robust mechanism for schema reconciliation within the data processing pipeline. It allows for the automatic updating of properties and values in data nodes that have been superseded by newer definitions, ensuring data consistency and adherence to evolving schema standards. The new tool is designed to be flexible, supporting both in-place updates and the preservation of legacy data for specific node types, and can dynamically extend its schema knowledge through API lookups.

Highlights

• New Schema Reconciliation Tool: A new SchemaReconciler class and command-line tool have been introduced to automatically update properties and values in MCF nodes based on a schema that defines supercededBy relationships. This allows for dynamic mapping of old or deprecated schema elements to their newer counterparts.
• Integration into StatVar Processor: The new reconciliation logic has been integrated into the StatVarProcessor pipeline, enabling automatic reconciliation of statistical variables and observations during the data processing and output generation stages.
• Handling of StatVarObservations: The reconciler provides an option to either update existing nodes in place or create new, duplicated nodes for StatVarObservation types when a property or value is remapped, preserving the original legacy observation if desired.
• Dynamic Schema Lookup: The reconciler can dynamically query a DC API to fetch supercededBy information for properties or values not already present in the preloaded schema, ensuring comprehensive reconciliation.

Changelog

• tools/statvar_importer/mcf_file_util.py
  • Added type casting to string for input values in get_value_list to prevent errors with non-string inputs.
• tools/statvar_importer/schema/schema_reconciler.py
  • Added a new module schema_reconciler.py containing the SchemaReconciler class and its associated functions.
  • Implemented logic to load schema definitions and reconcile input nodes by replacing supercededBy properties and values.
  • Included functionality to lookup remapped schema elements via an API if not found locally.
  • Provided a command-line interface for running the reconciliation process.
• tools/statvar_importer/schema/schema_reconciler_test.py
  • Added a new module schema_reconciler_test.py with unit tests for the SchemaReconciler class.
  • Included tests for value reconciliation, property reconciliation, handling of StatVarObservation nodes, and scenarios with no changes or list values.
• tools/statvar_importer/schema/schema_resolver.py
  • Updated imports to retrieve get_node_dcid from mcf_file_util.
  • Removed the local definition of get_node_dcid, centralizing its implementation.
• tools/statvar_importer/stat_var_processor.py
  • Imported the new SchemaReconciler class.
  • Added a reconcile_nodes method to the StatVarProcessor class to apply schema reconciliation to statistical variables and observations.
  • Integrated the reconcile_nodes call into the write_outputs method, making reconciliation an optional step during output generation.
• util/dc_api_wrapper.py
  • Updated the docstring for dc_api_get_node_property to accurately reflect its return type as a dictionary mapping input DCIDs to property:value pairs.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new tool, SchemaReconciler, to reconcile schema nodes based on supercededBy properties, integrating it into stat_var_processor with unit tests. A critical arbitrary file write vulnerability and a high-severity path traversal vulnerability have been identified in schema_reconciler.py. These issues arise from exposing command-line flags through a web interface and using them directly in file system operations without sanitization, which could allow an attacker to read or overwrite arbitrary files. Beyond these critical security concerns, the review also suggests improvements for the robustness and correctness of SchemaReconciler, such as more robust path and key generation, safer default arguments, and corrections in type hints and test assertions. Strict path validation and sanitization for all file-related flags are strongly recommended.

[gemini-code-assist]

A critical arbitrary file write vulnerability exists where the recon_output flag, used to specify the output file path for write_mcf_nodes, lacks validation. This allows path traversal and overwriting arbitrary files. Additionally, the __init__ method signature has issues: schema_mcf_files: list = '' has a type hint mismatch with its default value, and config: dict = {} uses a mutable default argument, which can lead to unexpected behavior. It's best practice to use None as the default for mutable types and ensure type hints align with default values.

[gemini-code-assist]

A high-severity path traversal vulnerability exists because the recon_input flag, used for input file paths in load_mcf_nodes, lacks proper validation. This could allow an attacker to read arbitrary files from the server. Additionally, when a StatVarObservation is duplicated, the current key generation method (appending -1) is unsafe and could overwrite existing nodes. A more robust approach would involve checking for key existence in a loop and incrementing a suffix until a unique key is found.

[gemini-code-assist]

The logic for setting up sys.path is fragile. Specifically, _SCRIPT_DIR.split('/data/')[0] assumes that the execution path contains /data/, which may not always be true and could lead to an ImportError. A more robust approach would be to use relative paths from the script's location to determine the project root.

Suggested change

	_SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
	_DATA_DIR = os.path.join(_SCRIPT_DIR.split('/data/')[0], 'data')
	sys.path.append(_SCRIPT_DIR)
	sys.path.append(os.path.dirname(_SCRIPT_DIR))
	sys.path.append(_DATA_DIR)
	sys.path.append(os.path.join(_DATA_DIR, 'util'))
	_PROJECT_ROOT = os.path.dirname(os.path.dirname(os.path.dirname(_SCRIPT_DIR)))
	sys.path.append(_SCRIPT_DIR)
	sys.path.append(os.path.dirname(_SCRIPT_DIR))
	sys.path.append(_PROJECT_ROOT)
	sys.path.append(os.path.join(_PROJECT_ROOT, 'util'))

[gemini-code-assist]

The check or ' ' in val skips reconciliation lookup for any value containing a space. While many dcids do not contain spaces, this is not a universal rule, and some valid identifiers might be skipped. This could prevent them from being correctly reconciled if they are superseded. Consider removing this part of the condition to allow lookup for all potential identifiers.

Suggested change

	if val.startswith('#') or val.startswith('"') or ' ' in val:
	if val.startswith('#') or val.startswith('"'):

[gemini-code-assist]

The function schema_reconcile_nodes is type-hinted to return a bool, but it actually returns an int (the number of remapped nodes from recon.reconcile_nodes). While the caller correctly handles the integer as a truthy value, the type hint should be corrected for clarity and correctness.

Suggested change

	counters: Counters = None) -> bool:
	counters: Counters = None) -> int:

[gemini-code-assist]

The test asserts that the new node's key is '1', but SchemaReconciler generates the new key as f'{key}-1'. In this test case, the original key is 'obs1', so the new key will be 'obs1-1'. The test assertions should be updated to check for the correct key.

Suggested change

	self.assertIn('1', nodes)
	self.assertEqual(nodes['1']['prop1'], 'dcid:NewVal')
	self.assertIn('obs1-1', nodes)
	self.assertEqual(nodes['obs1-1']['prop1'], 'dcid:NewVal')