feat: add --addr flag to daft-dashboard cli #5444
Open
+43
−19
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Overview
Greptile Summary
Adds --addr flag to daft-dashboard CLI to support binding to arbitrary addresses, with CLI default changed to 127.0.0.1 for security.
Critical Issues Found:
- Invalid IPv6 URL generation:
DEFAULT_SERVER_ADDRchanged fromIpv4Addr::UNSPECIFIEDto"::"(IPv6), butgenerate_interactive_htmlcreateshttp://:::portwhich is invalid syntax - IPv6 addresses must be wrapped in brackets[::]:port - Panic on invalid input: Address parsing uses
panic!instead of proper error handling viaResult - Inconsistent security model: CLI defaults to
127.0.0.1(localhost only) butpython.rshardcodes"::"(all interfaces), contradicting the PR's stated security goal
Recommendations:
- Fix IPv6 URL formatting in
generate_interactive_htmlby detecting IPv6 and wrapping in brackets - Change
launch_serverto returnResultinstead of panicking on parse errors - Align
python.rsdefault with CLI's127.0.0.1or update both to use a consistentDEFAULT_SERVER_ADDR
Confidence Score: 1/5
- This PR has critical bugs that will cause runtime failures and security issues
- Score of 1 reflects multiple critical issues: (1) generates syntactically invalid URLs when using IPv6 addresses that will break the dashboard's JavaScript functionality, (2) server can panic/crash on invalid address input, (3) stated security goal contradicted by hardcoded "::" binding to all interfaces in python.rs. These issues require fixes before merge.
src/daft-dashboard/src/lib.rsrequires immediate attention for URL formatting and error handling.src/daft-dashboard/src/python.rsneeds alignment with security goals.
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| src/daft-dashboard/src/lib.rs | 1/5 | Changed DEFAULT_SERVER_ADDR to "::" (IPv6) and added addr parameter to launch_server() - critical issues: panic on invalid input, generates invalid IPv6 URLs, conflicts with stated security goal |
| src/daft-cli/src/python.rs | 3/5 | Added --addr flag with default 127.0.0.1 for CLI - implementation looks correct but inconsistent with python.rs hardcoded "::" |
| src/daft-dashboard/src/python.rs | 2/5 | Updated to use new launch_server() signature with hardcoded "::" address - inconsistent with CLI default of 127.0.0.1, note added about making addr/port configurable |
Sequence Diagram
sequenceDiagram
participant User
participant CLI as daft-cli
participant Dashboard as daft-dashboard::lib
participant Browser
User->>CLI: daft-dashboard --addr 127.0.0.1 --port 80
CLI->>CLI: Parse args (addr, port, verbose)
CLI->>Dashboard: launch_server(addr, port, shutdown_fn)
Dashboard->>Dashboard: Parse addr string to IpAddr
Dashboard->>Dashboard: Bind TcpListener to (addr, port)
Dashboard-->>CLI: Server running
CLI-->>User: Display "View dashboard at http://addr:port"
User->>Browser: Navigate to http://addr:port
Browser->>Dashboard: HTTP GET /
Dashboard->>Dashboard: generate_interactive_html(df_id, host, port)
Note over Dashboard: Bug: IPv6 addr "::" becomes<br/>http://:::port (invalid URL)
Dashboard-->>Browser: HTML with JavaScript
Browser->>Dashboard: Fetch /api/dataframes/{id}/cell
Dashboard-->>Browser: Cell data
User->>CLI: Ctrl+C
CLI->>Dashboard: Send shutdown signal
Dashboard->>Dashboard: Graceful shutdown
Dashboard-->>CLI: Shutdown complete
3 files reviewed, 3 comments
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5444 +/- ##
==========================================
- Coverage 71.45% 71.44% -0.02%
==========================================
Files 1001 1001
Lines 126760 126783 +23
==========================================
+ Hits 90579 90581 +2
- Misses 36181 36202 +21
🚀 New features to boost your workflow:
|
|
The PR test suite looks like failed without any error message |
srilman
reviewed
Oct 27, 2025
src/daft-dashboard/src/python.rs
Outdated
| } | ||
|
|
||
| #[pyfunction] | ||
| // TODO(void001): Make addr & port configurable |
There was a problem hiding this comment.
Actually I don't think we want this to be configurable for the jupyter notebook side, it should be auto-detected
There was a problem hiding this comment.
Hmm I saw a comment at L86, shall we remove the comment as well?
BTW what does it mean by "auto-detect"
let port = super::DEFAULT_SERVER_PORT; // TODO: Make configurable
|
@VOID001 can you re-request a review when you're ready? Thanks! |
VOID001
force-pushed
the
feat-add-addr-to-daft-dashboard
branch
from
8b759a2 to
31605a1
Compare
There was a problem hiding this comment.
Greptile Overview
Greptile Summary
Adds --addr flag to daft-dashboard CLI enabling custom bind addresses, but introduces inconsistencies between stated security goals and implementation
Key Changes:
- CLI now accepts
--addrflag (defaults to0.0.0.0with port 80) - Modified
launch_server()to acceptIpAddrparameter - Added warning when binding to unspecified addresses (
0.0.0.0or::) - Python API still hardcodes
DEFAULT_SERVER_ADDR(0.0.0.0)
Issues Found:
- PR description states default should be
127.0.0.1for security, but implementation uses0.0.0.0in CLI and maintains0.0.0.0constant - Previous review comments identified critical issues with panic on invalid address and IPv6 URL formatting that remain unresolved
Confidence Score: 2/5
- This PR has unresolved critical issues and contradicts its stated security goals
- Score reflects multiple critical issues: panic on invalid address input (needs Result return), IPv6 URL formatting bug, and fundamental contradiction between PR description (claiming
127.0.0.1default for security) and actual implementation (0.0.0.0default). Previous review comments remain unaddressed. - Pay close attention to
src/daft-dashboard/src/lib.rs(panic handling and IPv6 URL generation) andsrc/daft-cli/src/python.rs(default address security)
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| src/daft-cli/src/python.rs | 3/5 | Added --addr flag with 0.0.0.0 default and warning for unspecified addresses, but contradicts PR description stating default should be 127.0.0.1 for security |
| src/daft-dashboard/src/lib.rs | 2/5 | Modified launch_server to accept IpAddr parameter with panic on invalid address, but needs Result return type for proper error handling |
| src/daft-dashboard/src/python.rs | 3/5 | Updated Python launcher to use DEFAULT_SERVER_ADDR (still 0.0.0.0), maintaining consistency but not addressing security concerns from PR description |
Sequence Diagram
sequenceDiagram
participant User
participant CLI as daft-cli
participant Dashboard as daft-dashboard
participant Server as Axum Server
User->>CLI: Run daft dashboard --addr 0.0.0.0 --port 80
CLI->>CLI: Parse address argument
CLI->>CLI: Check if addr.is_unspecified()
alt Address is unspecified (0.0.0.0 or ::)
CLI->>User: Display warning about security risk
end
CLI->>Dashboard: launch_server(addr, port, shutdown_fn)
Dashboard->>Server: TcpListener::bind((addr, port))
Server->>Server: Start HTTP server on specified address
Server->>CLI: Server ready
CLI->>User: Display connection instructions with http://addr:port
Note over User,Server: Python API Launch Path (from Python code)
User->>Dashboard: dashboard.launch()
Dashboard->>Dashboard: Use hardcoded DEFAULT_SERVER_ADDR (0.0.0.0)
Dashboard->>Server: TcpListener::bind((DEFAULT_SERVER_ADDR, 3238))
Server->>User: Return ConnectionHandle
3 files reviewed, no comments
VOID001
force-pushed
the
feat-add-addr-to-daft-dashboard
branch
from
31605a1 to
ba60eb5
Compare
There was a problem hiding this comment.
Greptile Overview
Greptile Summary
This PR adds an --addr flag to the daft-dashboard CLI to allow binding to arbitrary addresses, moving away from the hardcoded default. It includes a security warning when binding to all interfaces (0.0.0.0 or ::).
Major changes:
- Added
--addrCLI parameter with default0.0.0.0indaft-cli - Updated
launch_serversignature to acceptaddr: IpAddrparameter - Added warning message for unspecified addresses that bind to all network interfaces
- Updated URL formatting to use
SocketAddrinstead of separate host/port strings
Critical issues found:
generate_interactive_htmlfunction still hardcodesDEFAULT_SERVER_ADDRinstead of using the actual server address, causing generated HTML to contain incorrect URLs- The Python binding's
generate_interactive_htmlpassesDEFAULT_SERVER_ADDR.to_string()as the host, perpetuating the problem - Default of
0.0.0.0conflicts with PR description's security goal of using127.0.0.1 - IPv6 addresses in URLs need bracket notation (e.g.,
http://[::]:3238) which isn't handled
Confidence Score: 2/5
- This PR has multiple critical functional bugs that will break interactive HTML generation
- Score reflects critical logic errors where
generate_interactive_htmlhardcodes the server address instead of using the actual bind address, resulting in broken URLs in generated HTML. Additionally, IPv6 addresses aren't properly formatted in URLs, and the default address choice contradicts the stated security goals. - All three files need attention:
src/daft-dashboard/src/lib.rsandsrc/daft-dashboard/src/python.rshave the critical URL generation bug, whilesrc/daft-cli/src/python.rshas the default address inconsistency
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| src/daft-cli/src/python.rs | 3/5 | Adds --addr flag with default 0.0.0.0 and warning for unspecified addresses; passes address to launch_server but default conflicts with security goal |
| src/daft-dashboard/src/lib.rs | 2/5 | Updates launch_server to accept address parameter but generate_interactive_html still hardcodes DEFAULT_SERVER_ADDR, breaking URL generation |
| src/daft-dashboard/src/python.rs | 2/5 | Updates launch to pass address to launch_server but generate_interactive_html still uses hardcoded DEFAULT_SERVER_ADDR, generating incorrect URLs |
Sequence Diagram
sequenceDiagram
participant User
participant CLI as daft-cli
participant Dashboard as daft-dashboard
participant Server as Axum Server
User->>CLI: Run with --addr flag
CLI->>CLI: Parse addr (IpAddr)
CLI->>CLI: Check if unspecified
alt Address is 0.0.0.0 or ::
CLI->>User: Display warning
end
CLI->>CLI: Create SocketAddr
CLI->>Dashboard: launch_server(addr, port, shutdown_fn)
Dashboard->>Server: Bind TcpListener to (addr, port)
Server->>User: Server running
User->>Server: Request interactive HTML
Server->>Dashboard: generate_interactive_html()
Note over Dashboard: ⚠️ Uses DEFAULT_SERVER_ADDR<br/>instead of actual addr
Dashboard->>Server: Return HTML with hardcoded addr
Server->>User: Return HTML
Note over User: URLs in HTML may be incorrect
Additional Comments (2)
-
src/daft-dashboard/src/lib.rs, line 38-43 (link)logic:
generate_interactive_htmldoesn't receive the actual server address, so generated HTML will always useDEFAULT_SERVER_ADDR(0.0.0.0) in URLs even when server binds to a different address like 127.0.0.1fn generate_interactive_html( record_batch: &RecordBatch, df_id: &str, addr: &IpAddr, port: u16, ) -> String { -
src/daft-dashboard/src/python.rs, line 57-62 (link)logic: passing
DEFAULT_SERVER_ADDR.to_string()ashostparameter means generated HTML always uses 0.0.0.0 in URLs, breaking functionality when server uses different address - needs to track and use actual server address
3 files reviewed, 2 comments
|
Hi @srilman , could you please take another look for this patch? Thanks! |
srilman
reviewed
Nov 3, 2025
| .bold() | ||
| .magenta() | ||
| .underlined(), | ||
| console::style(format!("http://{}", socket_addr)) |
There was a problem hiding this comment.
Can we include the port here?
There was a problem hiding this comment.
it's already included,this is a better way to join ip and port together, even if it is a ipv6 address,it can display correctly
There was a problem hiding this comment.
it's better than just format ip:port which will cause trouble to v6 address
There was a problem hiding this comment.
Now it display like this
src/daft-dashboard/src/lib.rs
Outdated
| port: u16, | ||
| shutdown_fn: impl Future<Output = ()> + Send + 'static, | ||
| ) -> std::io::Result<()> { | ||
| // parse the addr to either v4 or v6 address |
There was a problem hiding this comment.
Remove comment, not longer relevant?
There was a problem hiding this comment.
Ah, my bad. removed. PTAL
- Add `--addr` flag to daft dashboard, so that it can support arbitrary address - Add warning when running `daft-dashboard` with addr 0.0.0.0 or :: to avoid accidentally exposing the service to the external network **NOTE**: Will first make daft-cli work, the python.rs will get changed in another patch <!-- Link to related GitHub issues, e.g., "Closes Eventual-Inc#123" --> - [ ] Documented in API Docs (if applicable) - [ ] Documented in User Guide (if applicable) - [ ] If adding a new documentation page, doc is added to `docs/mkdocs.yml` navigation - [ ] Documentation builds and is formatted properly Signed-off-by: JQ <[email protected]>
VOID001
force-pushed
the
feat-add-addr-to-daft-dashboard
branch
from
ba60eb5 to
33e4c2d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes Made
--addrflag to daft dashboard, so that it can support arbitrary addressdaft-dashboardwith addr 0.0.0.0 or :: toavoid accidentally exposing the service to the external network
NOTE: Will first make daft-cli work, the python.rs will get changed in another patch
Related Issues
Checklist
docs/mkdocs.ymlnavigation