From b037c009a3a61a176b6ffa50386291fe569b4d73 Mon Sep 17 00:00:00 2001
From: zhaoyingzhen <zhaoyingzhen@uniontech.com>
Date: Mon, 5 Jan 2026 17:57:55 +0800
Subject: [PATCH] fix: add command whitelist validation for notification
 actions

Add safeCommands whitelist in dconfig with default safe commands
Validate commands against whitelist before execution

Log: add command whitelist validation for notification actions
---
 .../configs/org.deepin.dde.shell.notification.json    | 11 +++++++++++
 panels/notification/server/notificationmanager.cpp    |  8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/panels/notification/server/configs/org.deepin.dde.shell.notification.json b/panels/notification/server/configs/org.deepin.dde.shell.notification.json
index d56239c4d..65f2b8b25 100644
--- a/panels/notification/server/configs/org.deepin.dde.shell.notification.json
+++ b/panels/notification/server/configs/org.deepin.dde.shell.notification.json
@@ -155,6 +155,17 @@
       "description[zh_CN]": "通知自动清理的天数，超过此天数的通知将被自动删除",
       "permissions": "readwrite",
       "visibility": "public"
+    },
+    "safeCommands": {
+      "value": ["xdg-open","dbus-send","qdbus","deepin-defender","dde-control-center","downloader","dde-file-manager","dde-dconfig","/usr/lib/deepin-daemon/dde-bluetooth-dialog","/usr/bin/dde-hints-dialog","/usr/bin/deepin-devicemanager"],
+      "serial": 0,
+      "flags": [],
+      "name": "safe commands",
+      "name[zh_CN]": "安全指令",
+      "description": "safe commands",
+      "description[zh_CN]": "通知扩展的x-deepin-action-携带的指令白名单",
+      "permissions": "readonly",
+      "visibility": "private"
     }
   }
 }
diff --git a/panels/notification/server/notificationmanager.cpp b/panels/notification/server/notificationmanager.cpp
index 73c7fcc1b..656cd8338 100644
--- a/panels/notification/server/notificationmanager.cpp
+++ b/panels/notification/server/notificationmanager.cpp
@@ -533,6 +533,14 @@ void NotificationManager::doActionInvoked(const NotifyEntity &entity, const QStr
             if (!args.isEmpty()) {
                 QString cmd = args.takeFirst(); // 命令
 
+                QScopedPointer<DConfig> config(DConfig::create("org.deepin.dde.shell", "org.deepin.dde.shell.notification"));
+                QStringList safeCommands = config->value("safeCommands").toStringList();
+
+                if (!safeCommands.contains(cmd)) {
+                    qWarning(notifyLog) << "The command is not allowed to be executed:" << cmd << safeCommands;
+                    return;
+                }
+
                 QProcess pro;
                 pro.setProgram(cmd);
                 pro.setArguments(args);