Fixes #: Activity feed creation API restrictions and UI JSON parsing crash

[Copilot]

The feed API accepted and stored tasks with plain-string values in suggestion/oldValue fields that must be JSON arrays (tag tasks), and allowed taskDetails on non-Task thread types. Stored corrupted payloads caused an unrecoverable full-page crash in the UI (Unexpected token 'h', "this is a d"... is not valid JSON).

Backend (FeedRepository.java)

• validateTaskDetails(): for RequestTag/UpdateTag task types, rejects suggestion or oldValue that is not valid JSON (via JsonUtils.isValidJson())
• createThread(): rejects any thread of type Conversation, Announcement, etc. that carries a non-null taskDetails

UI (TagsTask.tsx)

• Extracted all JSON.parse(oldValue), JSON.parse(newValue), JSON.parse(suggestion) calls into individual useMemo hooks with try/catch, falling back to [] on parse failure — prevents the error boundary from catching a render-time exception on already-persisted bad data

Type of change:

• Bug fix

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

• I have added a test that covers the exact scenario we are fixing. For complex issues, comment the issue number in the test for future reference.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• repository.apache.org
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.13/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.13/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.13 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.13/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service org.codehaus.plexus.classworlds.launcher.Launcher spotless:check -q (dns block)
• s3.amazonaws.com
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.13/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.13/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.13 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.13/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/OpenMetadata/OpenMetadata/openmetadata-service org.codehaus.plexus.classworlds.launcher.Launcher spotless:check -q (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Activity feed creation API restrictions missing</issue_title>
<issue_description>The feed API accepts and stores a corrupted Json object thereafter. As such when retrieving the tasks associated with the corrupted payload, it now results in a non-recoverable crash in the UI. This is with two taks type values RequestApproval and Conversation

example data:

{
"message": "this is a test, I am a very good programmer",
"from": "TestUser",
"about": "<#E::table::testTable::columns::location_id>",
"type": "Task",
"taskDetails": {
"type": "RequestApproval",
"assignees": [
{
"id": "ce782180-36f6-4d4a-9fbe-ee6103d4146f",
"type": "user",
"name": "string",
"fullyQualifiedName": "string",
"description": "this is a description of the task",
"displayName": "string",
"deleted": false,
"inherited": false,
"href": "http://example.com/ (http://example.com/)"
}
],
"oldValue": "this is a test suggestion",
"suggestion": "this is a different test suggestion2"
},
"domains": [
"19cf92da-baa0-7685-84a1-3b8b25da8d01"
]
}

Expectations:

• Backend should restrict the feed/task creation with a wrong JSON object.
• UI should not be broken in case of failure in JSON parsing.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Activity feed creation API restrictions missing #26554

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[gitar-bot]

Code Review ⚠️ Changes requested 0 resolved / 1 findings

Addresses activity feed API restrictions and UI JSON parsing crash, but the new validateTaskDetails() method uses isValidJson which allows non-array JSON while the UI expects TagLabel[] arrays, potentially causing runtime crashes.

⚠️ Bug: isValidJson allows non-array JSON, UI expects TagLabel[]

📄 openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/FeedRepository.java:1201-1211

The new validateTaskDetails() calls JsonUtils.isValidJson() which accepts any valid JSON value — including plain strings ("hello"), numbers (42), booleans, and objects. However, the UI (TagsTask.tsx) and the backend task resolution (resolveTagTaskMessage → JsonUtils.readObjects) both expect these fields to be JSON arrays of TagLabel objects.

A payload like {"suggestion": "42"} or {"suggestion": ""hello""} would pass the new validation but still cause a deserialization error on task resolution or produce unexpected behavior in the UI (the try/catch would silently swallow the error and show an empty tag list).

Consider validating that the value is a JSON array specifically, e.g. by attempting to deserialize it as a list of TagLabel.

Suggested fix

// Replace isValidJson with a stricter check:
if (suggestion != null) {
  try {
    JsonUtils.readObjects(suggestion, TagLabel.class);
  } catch (Exception e) {
    throw new IllegalArgumentException(
        "taskDetails.suggestion must be a valid JSON array of tags for task type " + taskType);
  }
}
// Same for oldValue

🤖 Prompt for agents

Code Review: Addresses activity feed API restrictions and UI JSON parsing crash, but the new validateTaskDetails() method uses isValidJson which allows non-array JSON while the UI expects TagLabel[] arrays, potentially causing runtime crashes.

1. ⚠️ Bug: isValidJson allows non-array JSON, UI expects TagLabel[]
   Files: openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/FeedRepository.java:1201-1211

   The new `validateTaskDetails()` calls `JsonUtils.isValidJson()` which accepts *any* valid JSON value — including plain strings (`"hello"`), numbers (`42`), booleans, and objects. However, the UI (`TagsTask.tsx`) and the backend task resolution (`resolveTagTaskMessage` → `JsonUtils.readObjects`) both expect these fields to be JSON arrays of `TagLabel` objects.
   
   A payload like `{"suggestion": "42"}` or `{"suggestion": ""hello""}` would pass the new validation but still cause a deserialization error on task resolution or produce unexpected behavior in the UI (the `try/catch` would silently swallow the error and show an empty tag list).
   
   Consider validating that the value is a JSON array specifically, e.g. by attempting to deserialize it as a list of `TagLabel`.

   Suggested fix:
   // Replace isValidJson with a stricter check:
   if (suggestion != null) {
     try {
       JsonUtils.readObjects(suggestion, TagLabel.class);
     } catch (Exception e) {
       throw new IllegalArgumentException(
           "taskDetails.suggestion must be a valid JSON array of tags for task type " + taskType);
     }
   }
   // Same for oldValue

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[gitar-bot]

⚠️ Bug: isValidJson allows non-array JSON, UI expects TagLabel[]

The new validateTaskDetails() calls JsonUtils.isValidJson() which accepts any valid JSON value — including plain strings ("hello"), numbers (42), booleans, and objects. However, the UI (TagsTask.tsx) and the backend task resolution (resolveTagTaskMessage → JsonUtils.readObjects) both expect these fields to be JSON arrays of TagLabel objects.

A payload like {"suggestion": "42"} or {"suggestion": ""hello""} would pass the new validation but still cause a deserialization error on task resolution or produce unexpected behavior in the UI (the try/catch would silently swallow the error and show an empty tag list).

Consider validating that the value is a JSON array specifically, e.g. by attempting to deserialize it as a list of TagLabel.

Suggested fix:

// Replace isValidJson with a stricter check:
if (suggestion != null) {
  try {
    JsonUtils.readObjects(suggestion, TagLabel.class);
  } catch (Exception e) {
    throw new IllegalArgumentException(
        "taskDetails.suggestion must be a valid JSON array of tags for task type " + taskType);
  }
}
// Same for oldValue

_{Was this helpful? React with 👍 / 👎 | Reply gitar fix to apply this suggestion}