Skip to content

fix: parse adjacency-list values for non-root paths #712

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andrewkolos wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: parse adjacency-list values for non-root paths #712

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0d1406f
fix: parse adjacency-list values for non-root paths
andrewkolos Feb 11, 2026
2bbfb50
fix: apply adjacency-list guard to prevent native lists from parsing …
andrewkolos Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 34 additions & 10 deletions packages/genui/lib/src/model/data_model.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,13 @@ class DataContext {
/// Manages the application's Object? data model and provides
/// a subscription-based mechanism for reactive UI updates.
class DataModel {
static const _a2uiValueKeys = [
'valueString',
'valueNumber',
'valueBoolean',
'valueMap',
];

JsonMap _data = {};
final Map<DataPath, ValueNotifier<Object?>> _subscriptions = {};
final Map<DataPath, ValueNotifier<Object?>> _valueSubscriptions = {};
Expand All @@ -129,9 +136,20 @@ class DataModel {
'DataModel.update: path=$absolutePath, contents='
'${const JsonEncoder.withIndent(' ').convert(contents)}',
);
final bool isAdjacencyList = contents is List && _isAdjacencyList(contents);
final Object? parsedContents = isAdjacencyList
? _parseDataModelContents(contents)
: contents;

if (absolutePath == null || absolutePath.segments.isEmpty) {
if (contents is List) {
_data = _parseDataModelContents(contents);
if (parsedContents is Map) {
_data = parsedContents as Map<String, Object?>;
} else if (parsedContents is List) {
genUiLogger.warning(
'DataModel.update: literal list cannot be used as '
'root data model: $contents',
);
Comment on lines +148 to +151
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

The DataModel.update method logs the entire contents object at the WARNING level when a literal list is used as the root data model. This is a medium-severity security issue as it can lead to sensitive information exposure (PII, tokens, etc.) in the application logs. Additionally, string interpolation of large or deeply nested objects can cause performance issues or even a stack overflow due to recursive toString() calls in Dart's collection classes. It is recommended to remove the object from the log message to prevent data leakage and ensure stability.

Suggested change
genUiLogger.warning(
'DataModel.update: literal list cannot be used as '
'root data model: $contents',
);
genUiLogger.warning(
'DataModel.update: literal list cannot be used as '
'root data model',
);

_data = <String, Object?>{};
} else if (contents is Map) {
// Permissive: Allow a map to be sent for the root, even though the
// schema expects a list.
Expand All @@ -151,7 +169,7 @@ class DataModel {
return;
}

_updateValue(_data, absolutePath.segments, contents);
_updateValue(_data, absolutePath.segments, parsedContents);
_notifySubscribers(absolutePath);
}

Expand Down Expand Up @@ -184,6 +202,18 @@ class DataModel {
return notifier;
}

/// Determines if the given contents are likely an A2UI adjacency list.
bool _isAdjacencyList(List<Object?> contents) {
if (contents.isEmpty) return false;
for (final item in contents) {
if (item is! Map) return false;
if (!item.containsKey('key')) return false;

if (!_a2uiValueKeys.any(item.containsKey)) return false;
}
return true;
}
Comment on lines +206 to +215
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

For improved conciseness and to follow a more functional style, you could consider using the every method on the list. This checks if all items satisfy the conditions for being part of an adjacency list and can make the intent of the code slightly clearer.

  bool _isAdjacencyList(List<Object?> contents) {
    if (contents.isEmpty) return false;
    return contents.every((item) {
      if (item is! Map || !item.containsKey('key')) {
        return false;
      }
      return _a2uiValueKeys.any(item.containsKey);
    });
  }


/// Retrieves a static, one-time value from the data model at the
/// specified absolute path without creating a subscription.
T? getValue<T>(DataPath absolutePath) {
Expand All @@ -207,13 +237,7 @@ class DataModel {
Object? value;
var valueCount = 0;

const valueKeys = [
'valueString',
'valueNumber',
'valueBoolean',
'valueMap',
];
for (final valueKey in valueKeys) {
for (final String valueKey in _a2uiValueKeys) {
if (item.containsKey(valueKey)) {
if (valueCount == 0) {
if (valueKey == 'valueMap') {
Expand Down
16 changes: 16 additions & 0 deletions packages/genui/test/model/data_model_test.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,22 @@ void main() {
]);
expect(dataModel.getValue<Object?>(DataPath('/f')), isNull);
});

test('parses contents for non-root paths', () {
dataModel.update(DataPath('/todos'), <Object?>[
{
'key': '0',
'valueMap': <Object?>[
{'key': 'id', 'valueString': 'abc'},
{'key': 'title', 'valueString': 'Buy groceries'},
],
},
]);
expect(
dataModel.getValue<Map<Object?, Object?>>(DataPath('/todos/0')),
{'id': 'abc', 'title': 'Buy groceries'},
);
});
});
});

Expand Down
Loading