
@polina-c

No description provided.

@polina-c polina-c marked this pull request as draft December 18, 2025 19:59

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces new configuration and prompt builder classes. However, a high-severity Prompt Injection vulnerability has been identified in packages/genui/lib/src/model/prompt_builder2.dart due to a flawed prompt construction pattern that discards user input and relies on an attacker-controllable system prompt. Additionally, the PR contains critical issues such as compile-time errors in prompt_builder2.dart (undefined type, method overloading), UnimplementedError in prompt_builder1.dart, and an empty pull request description, which violates contributing guidelines.


String prompt(String userMessage);

GenUiPrompt prompt(UserMessage userMessage);

critical

The type GenUiPrompt used in the prompt method signature of GenUiPromptBuilder is not defined or imported in this file. This will cause a compile-time error. Please ensure GenUiPrompt is correctly defined or exported from an imported library (e.g., genui.dart).

Comment on lines 22 to 24
String prompt(String userMessage);

GenUiPrompt prompt(UserMessage userMessage);

critical

Dart does not support method overloading based on parameter types. The GenUiPromptBuilder abstract class declares two methods named prompt with different signatures, which will result in a compile-time error. You need to either rename one of them or consolidate their functionality into a single method.

Suggested change
String prompt(String userMessage);
GenUiPrompt prompt(UserMessage userMessage);
GenUiPrompt prompt(UserMessage userMessage);

_CustomGenUiConfiguration(this._prompt, this._catalog);

@override
String prompt(UserMessage userMessage) => _prompt;

security-high high

This prompt method in _CustomGenUiConfiguration is highly susceptible to Prompt Injection. It completely ignores the userMessage parameter, returning _prompt directly, which can be controlled by an attacker if systemPrompt is untrusted. This also creates a type mismatch, as the GenUiPromptBuilder interface (line 24) expects a GenUiPrompt return type, but the current implementation returns a String, leading to a compile-time error.

Suggested change
String prompt(UserMessage userMessage) => _prompt;
String prompt(UserMessage userMessage) => '${_prompt}\n\n${userMessage.toString()}';
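Review bot: The suggested replacement on the last line, `String prompt(UserMessage userMessage) => '${_prompt}\n\n${userMessage.toString()}';`, restores the user input but still returns a `String` where the `GenUiPromptBuilder` interface quoted above declares `GenUiPrompt prompt(UserMessage userMessage)`, and it folds the user text into the same string as the system prompt, so the caller can no longer distinguish instructions from user content. Return a `GenUiPrompt` that carries the system prompt and the user message as separate parts, and treat `_prompt` as developer-supplied configuration rather than a value taken from the request.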

Comment on lines +51 to +54
String prompt() => throw UnimplementedError();

@override
ToolSet toolSet() => throw UnimplementedError();

high

The prompt() and toolSet() methods in _BasicGenUiConfiguration currently throw UnimplementedError. If _BasicGenUiConfiguration is meant to be a concrete implementation, these methods should provide actual logic or sensible default values rather than throwing runtime errors. This could lead to unexpected crashes if this configuration is used.

  @override
  String prompt() => _prompt;

  @override
  ToolSet toolSet() => ToolSet();
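Review bot: The fallback `String prompt() => _prompt;` in this suggestion takes no argument and returns a `String`, which does not match the `GenUiPrompt prompt(UserMessage userMessage)` declared on `GenUiPromptBuilder` above, so check which interface `_BasicGenUiConfiguration` implements before applying it. `ToolSet toolSet() => ToolSet();` also assumes `ToolSet` has a public no-argument constructor, which is not visible in this diff; if an empty tool set is the intended default, document it so callers do not mistake a missing configuration for a deliberate one.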
