Skip to content

Commit 3e90036

Browse files
yixinsharkdeepin-bot[bot]
yixinshark
authored and
deepin-bot[bot]
committed
fix: add command whitelist validation for notification actions
Add safeCommands whitelist in dconfig with default safe commands Validate commands against whitelist before execution Log: add command whitelist validation for notification actions
1 parent 118f9c1 commit 3e90036

File tree

2 files changed

+19
-0
lines changed

2 files changed

+19
-0
lines changed

panels/notification/server/configs/org.deepin.dde.shell.notification.json

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -155,6 +155,17 @@
155155
"description[zh_CN]": "通知自动清理的天数,超过此天数的通知将被自动删除",
156156
"permissions": "readwrite",
157157
"visibility": "public"
158+
},
159+
"safeCommands": {
160+
"value": ["xdg-open","dbus-send","qdbus","deepin-defender","dde-control-center","downloader","dde-file-manager","dde-dconfig","/usr/lib/deepin-daemon/dde-bluetooth-dialog","/usr/bin/dde-hints-dialog","/usr/bin/deepin-devicemanager"],
161+
"serial": 0,
162+
"flags": [],
163+
"name": "safe commands",
164+
"name[zh_CN]": "安全指令",
165+
"description": "safe commands",
166+
"description[zh_CN]": "通知扩展的x-deepin-action-携带的指令白名单",
167+
"permissions": "readonly",
168+
"visibility": "private"
158169
}
159170
}
160171
}

panels/notification/server/notificationmanager.cpp

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -533,6 +533,14 @@ void NotificationManager::doActionInvoked(const NotifyEntity &entity, const QStr
533533
if (!args.isEmpty()) {
534534
QString cmd = args.takeFirst(); // 命令
535535

536+
QScopedPointer<DConfig> config(DConfig::create("org.deepin.dde.shell", "org.deepin.dde.shell.notification"));
537+
QStringList safeCommands = config->value("safeCommands").toStringList();
538+
539+
if (!safeCommands.contains(cmd)) {
540+
qWarning(notifyLog) << "The command is not allowed to be executed:" << cmd << safeCommands;
541+
return;
542+
}
543+
536544
QProcess pro;
537545
pro.setProgram(cmd);
538546
pro.setArguments(args);

0 commit comments

Comments
 (0)