fix: Use dde-am to execute command in notifications

[yixinshark]

use dde-am -c cmd -- args

Log: Use dde-am to execute command in notifications
Issues: linuxdeepin/developer-center#12695

Summary by Sourcery

Bug Fixes:

• Fix notification action execution by using dde-am with explicit command and argument separation.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Routes notification action commands through dde-am instead of executing them directly, wrapping the original command and its arguments into dde-am’s CLI format while preserving the environment tweak that removes DSG_APP_ID.

Sequence diagram for executing notification action via dde_am

sequenceDiagram
    participant User
    participant NotificationManager
    participant QProcess
    participant dde_am as dde_am_process
    participant TargetApp

    User->>NotificationManager: Clicks notification action
    NotificationManager->>NotificationManager: Extract cmd and args from NotifyEntity
    NotificationManager->>NotificationManager: Build amArgs = ["-c", cmd, "--", args]
    NotificationManager->>QProcess: Configure program "/usr/bin/dde-am" and arguments amArgs
    NotificationManager->>QProcess: Get system environment
    NotificationManager->>QProcess: Remove DSG_APP_ID from environment
    NotificationManager->>QProcess: Start process
    QProcess->>dde_am: Launch /usr/bin/dde-am -c cmd -- args
    dde_am->>TargetApp: Execute original command cmd with args
    TargetApp-->>dde_am: Command completes
    dde_am-->>QProcess: Exit status
    QProcess-->>NotificationManager: Process finished

Loading

File-Level Changes

Change	Details	Files
Execute notification action commands via /usr/bin/dde-am with proper argument wrapping instead of running the command binary directly.	Extract the first element of the action args as the base command and keep the remaining list as its arguments. Construct a new argument list for the application manager, adding -c and, when additional arguments exist, appending them after a literal -- separator. Switch QProcess to run /usr/bin/dde-am with the constructed argument list while keeping the existing logic that removes DSG_APP_ID from the child process environment.	panels/notification/server/notificationmanager.cpp

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Consider avoiding the hardcoded "/usr/bin/dde-am" path and instead either rely on the executable being in PATH or centralize the path in a configurable/constant location to improve portability and maintainability.
• It may be worth checking and handling the QProcess start/exit status (e.g., via startDetached or signals) so that failures to launch dde-am for notification actions can be detected or logged more clearly.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider avoiding the hardcoded "/usr/bin/dde-am" path and instead either rely on the executable being in PATH or centralize the path in a configurable/constant location to improve portability and maintainability.
- It may be worth checking and handling the QProcess start/exit status (e.g., via startDetached or signals) so that failures to launch `dde-am` for notification actions can be detected or logged more clearly.

## Individual Comments

### Comment 1
<location> `panels/notification/server/notificationmanager.cpp:543` </location>
<code_context>
                 QProcess pro;
-                pro.setProgram(cmd);
-                pro.setArguments(args);
+                pro.setProgram("/usr/bin/dde-am");
+                pro.setArguments(amArgs);
                 QProcessEnvironment proEnv = QProcessEnvironment::systemEnvironment();
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Avoid hardcoding the absolute path to `dde-am` to reduce fragility across environments.

This path ties the code to one filesystem layout and may fail silently if `dde-am` is installed elsewhere or provided via a symlink/alternative prefix. Prefer resolving the path at runtime (e.g., from configuration, a helper that locates `dde-am`, or by relying on `PATH` and using just `"dde-am"`) to keep it portable across different installations.

Suggested implementation:

```cpp
                QProcess pro;
                // Use command name and rely on PATH instead of hardcoded absolute path
                pro.setProgram(QStringLiteral("dde-am"));
                pro.setArguments(amArgs);

```

If the project has a configuration system or a central helper for resolving tool paths, you may want to:
1. Replace the string literal `"dde-am"` with a configurable value (e.g., read from settings) or a utility function like `AppLocator::ddeAmPath()`.
2. Ensure that the environment in which this process runs has `dde-am` available on `PATH` or that any wrapper scripts/symlinks are set up appropriately.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这段代码的修改主要目的是将通知动作的执行方式从直接执行命令改为通过 dde-am (Deepin Application Manager) 代理执行。以下是针对该 diff 的详细审查意见，涵盖语法逻辑、代码质量、性能和安全四个方面：

1. 语法逻辑

• 基本正确性：代码逻辑在语法上是正确的。它正确地提取了原始命令和参数，并将其重新封装为 dde-am 的参数格式（-c 后跟命令，-- 后跟参数）。
• 参数处理：
  • QString cmd = args.takeFirst();：正确地从列表头部移除并获取命令。
  • amArgs << "--" << args;：这里使用了 QStringList 的流操作符，能够将 args 列表中的所有元素追加到 amArgs 中，逻辑正确。
• 进程环境变量：移除 DSG_APP_ID 的逻辑保持不变，这对于防止环境变量污染是必要的。

2. 代码质量

• 可读性与维护性：
  • 变量命名清晰（cmd, args, amArgs）。
  • 逻辑分层明确：先处理参数，再设置进程。
• 潜在的资源泄漏风险 (重要)：
  • 代码中声明了 QProcess pro;，这是一个局部变量。当 doActionInvoked 函数结束时，pro 对象会被销毁。
  • 问题：如果 pro.start()（虽然 diff 中未显示，但推测随后会有）启动的是异步进程，且 doActionInvoked 函数很快结束，那么 QProcess 对象可能会在子进程尚未完全启动或执行完毕前就被析构，这通常会导致子进程被意外杀死或产生僵尸进程。
  • 改进建议：如果需要异步执行，QProcess 对象应当分配在堆上（使用 new），并设置 QObject::deleteLater() 或者在类成员中持有该对象。如果是同步执行（使用了 pro.waitFor...()），则目前的写法是可以的，但需注意阻塞主线程的风险。

3. 代码性能

• 进程启动开销：
  • 原代码直接启动目标程序，新代码先启动 dde-am，再由 dde-am 启动目标程序。这增加了一层中间层，理论上会略微增加进程启动的 CPU 和内存开销。
  • 评估：对于通知点击这种低频操作，这点性能损耗通常可以忽略不计。考虑到 dde-am 可能带来的权限管理或沙箱隔离等安全/管理收益，这个代价是值得的。

4. 代码安全

• 命令注入风险 (关键改进)：
  • 原代码：pro.setProgram(cmd); pro.setArguments(args); 这种方式是安全的。Qt 的 QProcess 会将参数直接传递给 execve 系统调用，不经过 Shell 解析。因此，即使参数中包含 shell 元字符（如 ;, |, &, $() 等），也不会被执行为命令。
  • 新代码：通过 dde-am 代理执行。安全性现在依赖于 dde-am 的实现。
    • 如果 dde-am 内部也是直接调用 execve 或类似的 API 而不经过 Shell，那么安全性得以保持。
    • 如果 dde-am 内部错误地拼接字符串并传给 /bin/sh -c，则可能引入命令注入漏洞。
  • 建议：需要确认 dde-am 的参数解析机制是否也是基于数组/列表传递而非字符串拼接，以确保没有引入新的安全风险。
• 环境变量隔离：
  • proEnv.remove("DSG_APP_ID"); 保留了移除特定环境变量的逻辑，这有助于防止应用 ID 信息泄露给被调用的进程，是一个良好的安全实践。

总结与改进建议

这段代码在逻辑上是可行的，将执行入口统一收归到 dde-am 有助于统一管理应用启动行为。但存在一个关于 QProcess 生命周期的严重隐患。

建议修改后的代码示例（假设需要异步执行）：

void NotificationManager::doActionInvoked(const NotifyEntity &entity, const QString &actionKey)
{
    // ... 前面的逻辑 ...

    if (!args.isEmpty()) {
        QString cmd = args.takeFirst(); // 命令

        QStringList amArgs;
        amArgs << "-c" << cmd;
        if (!args.isEmpty()) {
            amArgs << "--" << args;
        }

        // 改进点 1: 使用 QPointer 或者在类中管理 QProcess 指针，防止野指针
        // 改进点 2: 分配在堆上，防止函数结束后对象被销毁导致子进程被杀
        QProcess *pro = new QProcess();
        
        // 连接 finished 信号，确保进程结束后自动删除对象，防止内存泄漏
        connect(pro, QOverload<int, QProcess::ExitStatus>::of(&QProcess::finished),
                pro, &QProcess::deleteLater);

        pro->setProgram("dde-am");
        pro->setArguments(amArgs);
        
        QProcessEnvironment proEnv = QProcessEnvironment::systemEnvironment();
        proEnv.remove("DSG_APP_ID");
        pro->setProcessEnvironment(proEnv);

        // 启动进程
        pro->start();
    }
    // ...
}

如果必须保持栈对象（同步执行），请确保代码中包含了 pro.waitForStarted() 和 pro.waitForFinished()，并在注释中说明此处会阻塞。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BLumia, yixinshark

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yixinshark]

/forcemerge

[deepin-bot]

This pr force merged! (status: blocked)