@18202781743 18202781743 commented Jan 5, 2026

  • fix: add DTK preference override configuration
  • fix: add command whitelist validation for notification actions

Summary by Sourcery

Enforce a whitelist for notification action commands and wire up DTK preference override configuration for the shell.

Bug Fixes:

  • Validate notification action commands against a configured whitelist before executing them to prevent unauthorized command execution.

Build:

  • Register DTK preference override files for org.deepin.dde.shell in the build configuration and include the corresponding override JSON.

18202781743 and others added 2 commits January 5, 2026 18:23
1. Added installation of override configuration files in debian/dde-shell.install
2. Updated CMakeLists.txt to install DTK preference override configuration
3. Created new override file shell/overrides/org.deepin.dtk.preference.json
4. The override file defines themeType configuration with proper metadata including Chinese translations

Log: Added DTK preference override configuration for theme type settings

Influence:
1. Verify that the override configuration file is properly installed to /usr/share/dsg/configs/overrides/org.deepin.dde.shell/
2. Test that theme type configuration is available through DTK configuration system
3. Check that the themeType setting can be read and written correctly
4. Verify Chinese translations for configuration name and description
5. Ensure the configuration has proper permissions (readwrite) and visibility (public)
6. Test that the override doesn't break existing configuration loading

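fix: add DTK preference override configuration

1. Add installation of the override configuration file in debian/dde-shell.install
2. Update CMakeLists.txt to install the DTK preference override configuration
3. Create the new override file shell/overrides/org.deepin.dtk.preference.json
4. The override file defines the themeType configuration, including complete metadata and Chinese translations

Log: Added DTK preference override configuration for the theme type setting

Influence:
1. Verify that the override configuration file is correctly installed to /usr/share/dsg/configs/overrides/org.deepin.dde.shell/
2. Test that the theme type configuration can be accessed through the DTK configuration system
3. Check that the themeType setting can be read and written correctly
4. Verify the Chinese translations of the configuration name and description
5. Ensure the configuration has the correct permissions (readwrite) and visibility (public)
6. Test that the override configuration does not break existing configuration loading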

PMS: BUG-345091
Add safeCommands whitelist in dconfig with default safe commands
Validate commands against whitelist before execution

Log: add command whitelist validation for notification actions

sourcery-ai bot commented Jan 5, 2026

Reviewer's Guide

Adds a DTK preference override config for dde-shell and introduces a whitelist-based validation for notification action commands, ensuring only configured safe commands are executed while wiring the new override file into the build/install system.

Sequence diagram for whitelist validation of notification action commands

sequenceDiagram
    actor User
    participant NotificationCenter
    participant NotificationManager
    participant DConfig
    participant QProcess
    participant TargetApplication

    User ->> NotificationCenter: click notification_action
    NotificationCenter ->> NotificationManager: doActionInvoked(entity, actionId)

    NotificationManager ->> NotificationManager: parse entity to get args
    NotificationManager ->> NotificationManager: cmd = args.takeFirst()

    NotificationManager ->> DConfig: create(appId=org.deepin.dde.shell, configName=org.deepin.dde.shell.notification)
    DConfig -->> NotificationManager: DConfig_instance
    NotificationManager ->> DConfig: value(key=safeCommands)
    DConfig -->> NotificationManager: safeCommands_list

    alt command_is_whitelisted
        NotificationManager ->> QProcess: construct and configure
        QProcess ->> QProcess: setProgram(cmd)
        QProcess ->> QProcess: setArguments(args)
        QProcess ->> QProcess: start()
        QProcess ->> TargetApplication: execute cmd with args
    else command_not_allowed
        NotificationManager ->> NotificationManager: log warning and return
    end

Updated class diagram for NotificationManager command execution flow

classDiagram
    class NotificationManager {
        +void doActionInvoked(NotifyEntity entity, QString actionId)
        -void executeCommand(QString command, QStringList arguments)
    }

    class DConfig {
        +static DConfig* create(QString appId, QString configName)
        +QVariant value(QString key)
    }

    class QProcess {
        +void setProgram(QString program)
        +void setArguments(QStringList arguments)
        +void start()
    }

    class NotifyEntity {
        +QStringList actions
        +QStringList hints
    }

    NotificationManager ..> DConfig : uses_for_safeCommands
    NotificationManager ..> QProcess : uses_for_execution
    NotificationManager ..> NotifyEntity : reads_action_args

File-Level Changes

Change: Enforce whitelist validation for commands executed from notification actions.
Details:
  • Load DConfig for org.deepin.dde.shell.notification within doActionInvoked to read the safeCommands setting.
  • Extract safeCommands as a string list from configuration before executing a notification action command.
  • Block execution and log a warning if the invoked command is not included in safeCommands, otherwise proceed with QProcess execution.
Files:
  • panels/notification/server/notificationmanager.cpp
  • panels/notification/server/configs/org.deepin.dde.shell.notification.json

Change: Add DTK preference override configuration for dde-shell and integrate it into the build and packaging.
Details:
  • Register DTK config override files for org.deepin.dde.shell with CMake using dtk_add_config_override_files, referencing org.deepin.dtk.preference.
  • Introduce overrides/org.deepin.dtk.preference.json with dde-shell-specific preference overrides.
  • Ensure the new override file is installed via Debian packaging rules alongside existing shell binaries and service units.
Files:
  • shell/CMakeLists.txt
  • shell/overrides/org.deepin.dtk.preference.json
  • debian/dde-shell.install


@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Creating a new DConfig instance on every action invocation may be unnecessarily expensive; consider caching the config object or the safeCommands list at a higher scope and reusing it.
  • DConfig::create() can potentially fail; add a null check and a sensible fallback (e.g., deny all commands or allow a minimal default list) rather than dereferencing config unconditionally.
  • If the safeCommands list is missing or empty in configuration, the current logic will block all commands; make it explicit whether this behavior is intended and guard against misconfiguration if not.

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot

deepin pr auto review

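I'll review this diff in detail:

  1. Security improvements:
  • A new "safeCommands" whitelist mechanism has been added to the notification system, which is a good security practice
  • The list of executable commands is managed through the DConfig configuration system, which makes it easy to maintain and update
  • The whitelist is checked before a command is executed, which effectively prevents arbitrary command execution vulnerabilities
  • It is recommended to avoid wildcards in safeCommands and to make sure every command is an absolute path
  2. Code quality:
  • QScopedPointer is used to manage the DConfig object, ensuring the resource is released correctly
  • Logging is thorough, which makes problems easy to trace
  • The configuration file is clearly structured and includes multi-language support
  • The code is well commented, which makes it easy to maintain
  3. Performance considerations:
  • A DConfig object is created on every action invocation, which may carry a performance overhead
  • It is recommended to make the DConfig object a class member, created and cached at initialization
  4. Configuration management:
  • A configuration override mechanism has been added, allowing system-level configuration overrides
  • The default value and options of the theme configuration are clearly defined
  • The permission and visibility settings of the configuration items are reasonable
  5. Suggested improvement: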
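#include <DConfig>
#include <QScopedPointer>
#include <QStringList>

DCORE_USE_NAMESPACE

class NotificationManager {
private:
    QScopedPointer<DConfig> m_config; // kept as a class member
    QStringList m_safeCommands;       // cached list of safe commands

public:
    NotificationManager() {
        m_config.reset(DConfig::create("org.deepin.dde.shell", "org.deepin.dde.shell.notification"));
        // If the config object could not be created, the list stays empty
        // and every command is rejected below.
        if (!m_config.isNull())
            m_safeCommands = m_config->value("safeCommands").toStringList();
    }

    void doActionInvoked(const NotifyEntity &entity, const QString &actionKey) {
        // ...other code (cmd is taken from the parsed action arguments)...
        if (!m_safeCommands.contains(cmd)) {
            qWarning(notifyLog) << "The command is not allowed to be executed:" << cmd;
            return;
        }
        // ...execute the command...
    }
};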
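  6. Other suggestions:
  • Consider adding a configuration change listener so that the cache is refreshed automatically when the safeCommands configuration is updated
  • Consider additional security checks on command arguments to prevent argument injection
  • It is recommended to add a version number to the configuration file to make configuration upgrades easier to manage

Overall, this is a good security improvement that effectively raises the security of the system through a whitelist mechanism. The implementation is basically sound, but there is still room for improvement in performance optimization.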
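
The fail-closed behaviour the two review comments above raise (deny when the configuration cannot be loaded or the list is empty, exact matching on absolute paths with no wildcards), as an added example that is not dde-shell code. It uses the C++ standard library in place of Qt and DConfig; `checkCommand`, `Verdict`, `isStrictEntry` and the sample paths are hypothetical and constructed for illustration, and it assumes the deny-all fallback rather than a minimal default list.

```cpp
// Added example (not dde-shell code): fail-closed check of a notification
// action command against a safeCommands-style list, standard library only.
#include <iostream>
#include <string>
#include <vector>

enum class Verdict { Allowed, NoConfig, EmptyList, NotAbsolute, NotListed };

// A list entry counts only if it is an absolute path without glob characters.
static bool isStrictEntry(const std::string &entry) {
    return !entry.empty() && entry.front() == '/' &&
           entry.find_first_of("*?[") == std::string::npos;
}

// `safe` is a hypothetical stand-in for the cached safeCommands value;
// nullptr models a configuration object that could not be created.
Verdict checkCommand(const std::vector<std::string> *safe, const std::string &cmd) {
    if (safe == nullptr) return Verdict::NoConfig;    // config failed: deny
    if (safe->empty()) return Verdict::EmptyList;     // nothing configured: deny
    if (cmd.empty() || cmd.front() != '/')
        return Verdict::NotAbsolute;                  // never resolve via PATH
    for (const std::string &entry : *safe)
        if (isStrictEntry(entry) && entry == cmd)     // exact match only
            return Verdict::Allowed;
    return Verdict::NotListed;
}

int main() {
    // Constructed sample list: one valid entry, one wildcard, one bare name.
    const std::vector<std::string> safe = {
        "/usr/bin/example-settings", "/usr/bin/*", "example-tool"};
    const char *samples[] = {"/usr/bin/example-settings", "example-tool",
                             "/usr/bin/other", "/usr/bin/*"};
    for (const char *cmd : samples)
        std::cout << cmd << " -> "
                  << (checkCommand(&safe, cmd) == Verdict::Allowed ? "run" : "deny")
                  << '\n';
    return 0;
}
```

Wildcard and bare-name entries are ignored rather than expanded, so a misconfigured list narrows what can run instead of widening it.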
