
fix: usability improvement to the graph visualizer #215

Open
ericfe-google wants to merge 2 commits into main from vis_bugfix

Conversation

@ericfe-google (Contributor)

  1. Disallow backticks in the graph name, as the code doesn't handle them properly
  2. Add try/catch so a failed information_schema query only disables schema view, not the entire visualizer
  3. Remove the default table view when the graph visualizer is used.

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 🦕

@product-auto-label product-auto-label bot added size: s Pull request size is small. api: bigquery Issues related to the googleapis/python-bigquery-magics API. labels Feb 12, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello @ericfe-google, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements several bug fixes to improve the stability and user experience of the BigQuery magics extension. It enhances graph visualization by preventing errors from invalid characters in graph names, makes schema retrieval more resilient to query failures, and refines the display logic to avoid redundant table output when a graph visualizer is presented.

Highlights

  • Graph Name Validation: Backticks are now disallowed in graph dataset and ID names to prevent parsing issues and ensure proper schema view functionality.
  • Robust Schema Retrieval: INFORMATION_SCHEMA queries are now wrapped in a try/catch block, ensuring that a failed query only disables the schema view, not the entire visualizer.
  • Streamlined Graph Visualization: The default table view is suppressed when the graph visualizer is active, avoiding redundant display and improving user experience.
Changelog
  • bigquery_magics/bigquery.py
    • Disallowed backticks in dataset_id and graph_id within _get_graph_name to prevent issues with schema view.
    • Wrapped bq_client.query for INFORMATION_SCHEMA in a try/except block in _get_graph_schema to gracefully handle failures.
    • Changed _add_graph_widget to return a boolean indicating success or failure of widget display.
    • Modified _make_bq_query to suppress the default table view when the graph visualizer is successfully displayed.
  • tests/unit/bigquery/test_bigquery.py
    • Added test__get_graph_name to verify correct parsing and backtick rejection for graph names.
    • Added test__get_graph_schema_exception to confirm _get_graph_schema returns None on INFORMATION_SCHEMA query failure.

@ericfe-google ericfe-google changed the title from "Bug fixes: 1) Disallow backticks in the graph name, as the code doesn't handle them properly 2) Add try/catch so a failed information_schema query only disables schema view, not the entire visualizer 3) Remove the default table view when the graph visualizer is used." to "chore: visualizer bug fixes" Feb 12, 2026
@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces several bug fixes, including disallowing backticks in graph names, making schema retrieval more robust by handling exceptions, and improving the UI by removing the redundant table view when the graph visualizer is active. However, a security audit identified significant vulnerabilities: a Cross-Site Scripting (XSS) flaw in how query results are rendered in the notebook, and a critical broken access control issue where a local HTTP server is exposed without authentication. These security issues should be prioritized for remediation. Additionally, there are suggestions to improve code clarity and to log a suppressed exception for better debugging.


if args.graph and _supports_graph_widget(result):
_add_graph_widget(bq_client, result, query, query_job, args)
if _add_graph_widget(bq_client, result, query, query_job, args):
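Review bot: the table-view suppression now hinges on _add_graph_widget returning True, but the changelog lists new tests only for _get_graph_name and _get_graph_schema_exception; add a unit test for _make_bq_query covering both outcomes (True: default table view suppressed; False: default table view still displayed) so the fallback path does not go untested.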
Review comment (Contributor):

Severity: critical (security-critical)

The graph visualization feature relies on an insecure local HTTP server (defined in graph_server.py). The server binds to all network interfaces (0.0.0.0) and lacks authentication, allowing any local or network user to read the notebook user's BigQuery data. To fix this, the server should bind to 127.0.0.1 and implement token-based authentication.

Reply (Collaborator):

127.0.0.1 would indeed be a bit more secure. I believe the difference between that and 0.0.0.0 is that 0.0.0.0 is open to external connections.
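An added example, not the project's graph_server.py (whose code is not shown on this page), of the two mitigations named in the comment above: binding the local server to loopback only and requiring a per-session bearer token on every request. The endpoint path, the JSON payload and the token length are assumptions.

```python
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

def make_handler(token):
    # Factory so the per-session token is captured by the handler class.
    expected = f"Bearer {token}".encode()

    class GraphHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            supplied = self.headers.get("Authorization", "").encode()
            # Constant-time compare; a missing or wrong token gets 401 and no data.
            if not secrets.compare_digest(supplied, expected):
                self.send_response(401)
                self.end_headers()
                return
            body = json.dumps({"nodes": [], "edges": []}).encode()  # stand-in payload
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

    return GraphHandler

def start_server(token):
    # Loopback only (not 0.0.0.0); port 0 lets the OS pick a free port.
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_status(port, token=None):
    request = urllib.request.Request(f"http://127.0.0.1:{port}/graph")
    if token is not None:
        request.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    # Returns (status without token, status with token); expected (401, 200).
    token = secrets.token_urlsafe(32)  # generated per session, handed to the widget
    server = start_server(token)
    port = server.server_address[1]
    try:
        return fetch_status(port), fetch_status(port, token)
    finally:
        server.shutdown()
```

In the real widget the token would be embedded in the rendered HTML so only the notebook page that created the server can talk to it.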

'"bigquery.graph_visualization.NodeExpansion"',
)
IPython.display.display(IPython.core.display.HTML(html_content))
return True
Review comment (Contributor):

Severity: high (security-high)

The _add_graph_widget function is vulnerable to Cross-Site Scripting (XSS). It renders query results into the notebook's HTML output without properly escaping the </script> tag. An attacker who can control the data returned by a BigQuery query can execute arbitrary JavaScript in the user's browser. To fix this, ensure that all data embedded in the HTML is properly escaped or use a safe JSON embedding technique.
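An added example, not code from the pull request (the page does not show how _add_graph_widget assembles its HTML), contrasting the embedding pattern the comment describes with a script-safe JSON encoding that cannot close the enclosing `<script>` block. The result structure and the cell values are constructed.

```python
import json

# Characters json.dumps (ensure_ascii=True) leaves as-is but which matter inside
# an HTML <script> block: '<' can begin '</script>' and end the block early;
# '>' and '&' are escaped too in case the same text ever lands in HTML markup.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

# Constructed query result: one cell carries a closing script tag.
SAMPLE_RESULT = {"rows": [{"name": "</script><b>injected</b>"}, {"name": "ok"}]}


def embed_unsafe(result):
    """The pattern the comment describes: raw JSON dropped into a <script>."""
    return f"<script>var data = {json.dumps(result)};</script>"


def script_safe_json(result):
    """JSON text that cannot terminate the enclosing <script> block.

    \\uXXXX sequences are ordinary JSON escapes, so JSON.parse / json.loads
    still produce the original strings; only the HTML parser's view changes.
    """
    text = json.dumps(result)
    for char, escape in _SCRIPT_ESCAPES.items():
        text = text.replace(char, escape)
    return text


def embed_safe(result):
    return f"<script>var data = {script_safe_json(result)};</script>"


def closing_script_tags(html):
    """How many '</script>' sequences the HTML parser sees (1 is the intended one)."""
    return html.lower().count("</script>")


def round_trips(result):
    """True if the escaped JSON decodes back to the original data."""
    return json.loads(script_safe_json(result)) == result


if __name__ == "__main__":
    print("unsafe:", closing_script_tags(embed_unsafe(SAMPLE_RESULT)))  # 2: block ends early
    print("safe:  ", closing_script_tags(embed_safe(SAMPLE_RESULT)))    # 1
```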

Comment on lines +651 to +654
(dataset_id, graph_id) = (match.group(1)), match.group(2)
if "`" in dataset_id or "`" in graph_id:
return None # Backticks in graph name not support for schema view
return (dataset_id, graph_id)
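Review bot: the comment on the `return None` line reads "not support"; it should be "not supported". Returning None here also switches the schema view off without telling the user why, so consider surfacing a warning for a backticked name rather than failing silently, as the review suggests for the INFORMATION_SCHEMA failure.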
Review comment (Contributor):

Severity: medium

The tuple assignment on line 651 is syntactically correct, but its formatting is unconventional and could be confusing. It can be simplified for better readability.

Suggested change (current lines, followed by the proposed replacement):
(dataset_id, graph_id) = (match.group(1)), match.group(2)
if "`" in dataset_id or "`" in graph_id:
return None # Backticks in graph name not support for schema view
return (dataset_id, graph_id)
dataset_id, graph_id = match.group(1), match.group(2)
if "`" in dataset_id or "`" in graph_id:
return None # Backticks in graph name not support for schema view
return dataset_id, graph_id

Comment on lines +679 to +682
except Exception:
# If the INFORMATION_SCHEMA query fails for some reason, disable only schema
# view, not the entire visualizer.
return None
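Review bot: if the suggested stderr print is adopted, make sure `sys` is imported in bigquery.py, since the suggestion references sys.stderr; warnings.warn(...) would be the more idiomatic way to surface a non-fatal failure and lets users silence it with the standard warnings filters.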
Review comment (Contributor):

Severity: medium

Catching a broad Exception and swallowing it silently can make debugging difficult. It would be better to at least log that an error occurred, for example by printing a warning to stderr. This will make it clear to users why the schema view might be unavailable without causing the entire operation to fail.

Suggested change (current lines, followed by the proposed replacement):
except Exception:
# If the INFORMATION_SCHEMA query fails for some reason, disable only schema
# view, not the entire visualizer.
return None
except Exception as e:
# If the INFORMATION_SCHEMA query fails for some reason, disable only schema
# view, not the entire visualizer.
print(f"Warning: Failed to retrieve graph schema, continuing without it: {e}", file=sys.stderr)
return None

@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: s Pull request size is small. labels Feb 13, 2026
@ericfe-google ericfe-google marked this pull request as ready for review February 13, 2026 00:29
@ericfe-google ericfe-google requested review from a team as code owners February 13, 2026 00:29
@ericfe-google ericfe-google requested a review from tswast February 13, 2026 00:29
@tswast tswast changed the title chore: visualizer bug fixes fix: usability improvement to the graph visualizer Feb 13, 2026
@ericfe-google ericfe-google assigned tswast and unassigned sycai Feb 13, 2026