fix: filter clipboard data for plugin Wayland clients

[mhduiy]

The clipboard synchronization to plugin Wayland clients was passing through all MIME data formats from the host system, which could include sensitive or unsupported data types. This change filters the clipboard data to only allow "text/plain" and "text/html" formats before forwarding to the compositor. A lightweight QMimeData object is created with only the allowed formats to prevent exposing unnecessary data. This improves security and compatibility with plugin clients.

fix: 为插件 Wayland 客户端过滤剪贴板数据

之前向插件 Wayland 客户端同步剪贴板数据时，会传递宿主系统的所有 MIME 数
据格式，这可能包含敏感或不支持的数据类型。此更改在将数据转发到合成器之
前，将剪贴板数据过滤为仅允许 "text/plain" 和 "text/html" 格式。创建一个
仅包含允许格式的轻量级 QMimeData 对象，以防止暴露不必要的数据。这提高了
安全性和与插件客户端的兼容性。

PMS: BUG-357249

Summary by Sourcery

Bug Fixes:

• Restrict clipboard synchronization to only text/plain and text/html for plugin Wayland clients to avoid exposing unsupported or sensitive MIME data.

[sourcery-ai]

Reviewer's Guide

Filters clipboard data before synchronizing it to plugin Wayland clients by allowing only text/plain and text/html MIME types via a lightweight QMimeData, and refactors clipboard sync into a reusable helper lambda used both on change and at initialization.

Sequence diagram for filtered clipboard sync to plugin Wayland clients

sequenceDiagram
    participant HostApp
    participant QClipboard
    participant PluginManager
    participant syncClipboardData
    participant Compositor

    HostApp->>PluginManager: initialize()
    PluginManager->>Compositor: setRetainedSelectionEnabled(true)
    PluginManager->>QClipboard: mimeData(Clipboard)
    QClipboard-->>PluginManager: mimeData
    PluginManager->>syncClipboardData: mimeData
    syncClipboardData->>syncClipboardData: iterate formats
    syncClipboardData->>syncClipboardData: copy only text_plain and text_html
    alt has allowed formats
        syncClipboardData->>Compositor: overrideSelection(lightweightData)
    end

    QClipboard-->>PluginManager: changed(Clipboard)
    PluginManager->>QClipboard: mimeData(Clipboard)
    QClipboard-->>PluginManager: mimeData
    PluginManager->>syncClipboardData: mimeData
    syncClipboardData->>syncClipboardData: iterate formats
    syncClipboardData->>syncClipboardData: copy only text_plain and text_html
    alt has allowed formats
        syncClipboardData->>Compositor: overrideSelection(lightweightData)
    end

Loading

Flow diagram for clipboard MIME type filtering before compositor sync

flowchart TD
    A_start["Clipboard data available"] --> B_checkMime["Get QMimeData from QClipboard"]
    B_checkMime --> C_nullCheck{mimeData is null?}
    C_nullCheck -- Yes --> Z_end["Return without syncing"]
    C_nullCheck -- No --> D_initLightweight["Create lightweight QMimeData"]
    D_initLightweight --> E_initFlag["Set hasData to false"]
    E_initFlag --> F_loopFormats["For each format in mimeData.formats"]
    F_loopFormats --> G_allowedCheck{Format is text/plain or text/html?}
    G_allowedCheck -- No --> F_loopFormats
    G_allowedCheck -- Yes --> H_copyData["Copy data for format into lightweight QMimeData"]
    H_copyData --> I_setFlag["Set hasData to true"]
    I_setFlag --> F_loopFormats
    F_loopFormats --> J_afterLoop["After iterating all formats"]
    J_afterLoop --> K_hasDataCheck{hasData is true?}
    K_hasDataCheck -- No --> Z_end
    K_hasDataCheck -- Yes --> L_override["Call compositor.overrideSelection with lightweight QMimeData"]
    L_override --> Z_end

Loading

File-Level Changes

Change	Details	Files
Restrict clipboard synchronization to plugin Wayland clients to safe text formats using a lightweight QMimeData wrapper and shared sync helper.	Introduce a syncClipboardData lambda that takes a QMimeData pointer, filters its formats against an allowed list (text/plain, text/html), and copies only allowed data into a local QMimeData instance before calling overrideSelection. Change the QClipboard::changed connection to call syncClipboardData with the current clipboard mimeData instead of forwarding the full mimeData directly to the compositor. Update the initial clipboard sync at initialization to reuse syncClipboardData instead of passing the original mimeData directly. Minor whitespace cleanup in WlQtTextInputMethodHelper::send_enter block.	panels/dock/pluginmanagerextension.cpp

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Passing &lightweightData to compositor->overrideSelection() risks a dangling pointer if the compositor stores the QMimeData* beyond the call; consider ensuring overrideSelection copies the data or allocating a heap-owned QMimeData with a clear ownership model.
• Filtering strictly on "text/plain" and "text/html" MIME types may miss common variants like "text/plain;charset=utf-8"; consider using hasFormat or a more flexible match (e.g., prefix or startsWith("text/plain")) if those formats should also be supported.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Passing `&lightweightData` to `compositor->overrideSelection()` risks a dangling pointer if the compositor stores the `QMimeData*` beyond the call; consider ensuring `overrideSelection` copies the data or allocating a heap-owned `QMimeData` with a clear ownership model.
- Filtering strictly on `"text/plain"` and `"text/html"` MIME types may miss common variants like `"text/plain;charset=utf-8"`; consider using `hasFormat` or a more flexible match (e.g., prefix or `startsWith("text/plain")`) if those formats should also be supported.

## Individual Comments

### Comment 1
<location path="panels/dock/pluginmanagerextension.cpp" line_range="523-532" />
<code_context>
-            if (mode == QClipboard::Clipboard) {
-                if (const QMimeData *mimeData = QGuiApplication::clipboard()->mimeData(mode)) {
-                    compositor->overrideSelection(mimeData);
+        auto syncClipboardData = [compositor](const QMimeData *mimeData) {
+            if (!mimeData) return;
+            QMimeData lightweightData;
+            static QStringList allowedFormats = {"text/plain", "text/html"};
+            bool hasData = false;
+            
+            for (const QString &format : mimeData->formats()) {
+                if (allowedFormats.contains(format)) {
+                    lightweightData.setData(format, mimeData->data(format));
+                    hasData = true;
                 }
             }
+
+            if (hasData) {
+                compositor->overrideSelection(&lightweightData);
+            }
+        };
</code_context>
<issue_to_address>
**issue (bug_risk):** Avoid passing a pointer to a stack-allocated QMimeData into overrideSelection.

`lightweightData` is a stack object whose address is passed to `overrideSelection`. This is only safe if `overrideSelection` is strictly synchronous and never stores the pointer. To avoid lifetime issues, either change `overrideSelection` to take `QMimeData` by value/const reference and copy as needed, or allocate `lightweightData` on the heap with well-defined ownership.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这段代码修改主要优化了剪贴板数据同步的逻辑，引入了数据过滤机制。以下是对该diff的详细审查和改进建议：

1. 语法逻辑审查

优点：

• 代码逻辑清晰，通过syncClipboardDataLambda函数封装了剪贴板数据处理逻辑，提高了代码可读性。
• 使用了static QStringList allowedFormats来限制同步的剪贴板格式，这是一个好的安全实践。

潜在问题：

• static QStringList allowedFormats虽然高效，但它是不可变的。如果未来需要动态配置允许的格式，这种方式就不灵活了。
• 在syncClipboardData中，lightweightData是一个局部变量，通过指针传递给overrideSelection。需要确保overrideSelection不会在函数返回后继续访问这个指针（通常情况下，overrideSelection应该是立即复制数据，但需要确认）。

2. 代码质量审查

优点：

• 使用了Lambda表达式和std::function风格的回调，代码更简洁。
• 添加了空指针检查if (!mimeData) return;，提高了健壮性。

改进建议：

• allowedFormats的定义可以更明确，例如使用constexpr或const来强调其不可变性：

  static const QStringList allowedFormats = {"text/plain", "text/html"};

• 可以考虑将allowedFormats提取为类的静态成员或配置项，便于维护和扩展。

3. 代码性能审查

优点：

• 通过过滤剪贴板格式，减少了不必要的数据复制和传输，提高了性能。

潜在问题：

• mimeData->formats()会返回所有可用格式的列表，如果剪贴板中包含大量格式（例如某些富文本编辑器），这可能会带来一定的性能开销。可以考虑提前检查是否包含所需格式：

  if (mimeData->hasText() || mimeData->hasHtml()) {
      // 处理逻辑
  }

4. 代码安全审查

优点：

• 限制了同步的剪贴板格式为text/plain和text/html，避免了同步敏感数据（如密码、图片等）。

改进建议：

• 可以考虑添加更多的安全检查，例如：
  • 检查剪贴板数据的大小，防止同步过大的数据导致性能问题或内存耗尽。
  • 对text/html内容进行清理，防止潜在的XSS攻击（如果这些数据会被渲染为HTML）。

5. 其他建议

• 如果overrideSelection会复制数据，那么当前的实现是安全的。但如果它只是存储了指针，那么lightweightData的销毁会导致悬空指针。建议确认overrideSelection的实现。
• 可以考虑添加日志记录，记录剪贴板同步的详细信息，便于调试和审计。

改进后的代码示例

void PluginManager::initialize()
{
    compositor->setRetainedSelectionEnabled(true);
    if (auto *clipboard = QGuiApplication::clipboard()) {
        // 使用const和更明确的命名
        static const QStringList allowedFormats = {"text/plain", "text/html"};
        
        auto syncClipboardData = [compositor](const QMimeData *mimeData) {
            if (!mimeData) return;
            
            // 提前检查是否有需要的数据
            if (!mimeData->hasText() && !mimeData->hasHtml()) {
                return;
            }
            
            QMimeData lightweightData;
            bool hasData = false;
            
            // 遍历允许的格式
            for (const QString &format : allowedFormats) {
                if (mimeData->hasFormat(format)) {
                    lightweightData.setData(format, mimeData->data(format));
                    hasData = true;
                }
            }

            if (hasData) {
                compositor->overrideSelection(&lightweightData);
            }
        };

        QObject::connect(clipboard, &QClipboard::changed, this, [clipboard, syncClipboardData](QClipboard::Mode mode) {
            if (mode == QClipboard::Clipboard) {
                syncClipboardData(clipboard->mimeData(mode));
            }
        });

        syncClipboardData(clipboard->mimeData(QClipboard::Clipboard));
    }
}

总结

这段代码修改在安全性和性能上都有所提升，但可以通过进一步优化代码结构和添加安全检查来提高代码质量。建议确认overrideSelection的实现细节，以确保内存安全。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, mhduiy

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mhduiy]

/forcemerge

[deepin-bot]

This pr force merged! (status: blocked)