support $(command) substitution in labels

[dylanmtaylor]

Adds support for $(command) in label text. The command runs at menu render time and the output replaces the expression. For example a label set to "---$(hostname)" shows the machine hostname as a section header. Works in regular items and labeled separators.

[dylanmtaylor]

Example above shows hostname and uname -r output in the menu. Note that this does technically allow arbitrary code execution every time the menu is opened. Commands entered into menu entries should be chosen carefully.

[castrojo]

Dylan sent the PR before I could file the issue! We'd love to ship this as the menu in projectbluefin.io - but thought it'd be awesome to have the user's hostname in there subtly.

Right now we'd have to ship a custom service unit to update the hostname so we'd figure we'd pitch the idea directly since there's probably nice clever things people can put in there. Thanks for your consideration!

[StorageB]

This is a great idea, and I'd be happy to incorporate it into this extension and thrilled to see it shipped with Bluefin!

Thank you for the pull request and code.

After a quick review and some testing, I have a few thoughts. I think there needs to be some safeguards to prevent the user from entering something that would break their system.

• GLib.spawn_command_line_sync is being used which blocks everything else until the command finishes. Entering a command like ping 8.8.8.8 that has no exit, GNOME completely locks up. I had to boot into recovery and delete the extension before I could boot into the normal OS again.
• I think there should be a timeout so a command doesn't run indefinitely in the background.
• Entering something with a long output or multiple lines like ls -l enters everything into the label. I think this is probablly fine (and actually kind of cool) as it shouldn't break anything, but just wanted to note that.

Let me know your thoughts!

[dylanmtaylor]

This is a great idea, and I'd be happy to incorporate it into this extension and thrilled to see it shipped with Bluefin!

Thank you for the pull request and code.

After a quick review and some testing, I have a few thoughts. I think there needs to be some safeguards to prevent the user from entering something that would break their system.

• GLib.spawn_command_line_sync is being used which blocks everything else until the command finishes. Entering a command like ping 8.8.8.8 that has no exit, GNOME completely locks up. I had to boot into recovery and delete the extension before I could boot into the normal OS again.
• I think there should be a timeout so a command doesn't run indefinitely in the background.
• Entering something with a long output or multiple lines like ls -l enters everything into the label. I think this is probablly fine (and actually kind of cool) as it shouldn't break anything, but just wanted to note that.

Let me know your thoughts!

This is a very good point. Let me try to make it timeout after ~1 second. This really should be things that come back nearly immediately. I did say "Commands entered into menu entries should be chosen carefully" ;)

[dylanmtaylor]

By prefixing the command with timeout 1, the timeout utility (from coreutils, so we can assume it's on all Linux distros) will kill the child process after 1 second.

[dylanmtaylor]

As hilariously bad of an idea as it is to put ping here, it does, in fact, not break anymore.

[StorageB]

Great, I'll give a try when I'm at my computer.

Commands entered into menu entries should be chosen carefully" ;)

Haha very true. I try to never underestimate the user's "creativity" though.

And yes, ping was a comical example, but I can see someone trying to pull data from a webpage or server, or technically you could even run a custom script from there...

I would agree that's not the intent for this, but I wouldn't want a user thinking your menu is broken (if they try something creative).

An alternative to a 1 second timeout would be use GLib.spawn_async_with_pipes and let it load in the background and update the label when it's done, with a 5 or 10 second timeout in case it doesn't load. I do something similar in my other extension to read command output. But that may be overly complicated for what you're trying to do.

Your call on how to handle it. We can always just note in the readme how it's meant to be used.

[dylanmtaylor]

Great, I'll give a try when I'm at my computer.

Commands entered into menu entries should be chosen carefully" ;)

Haha very true. I try to never underestimate the user's "creativity" though.

And yes, ping was a comical example, but I can see someone trying to pull data from a webpage or server, or technically you could even run a custom script from there...

I would agree that's not the intent for this, but I wouldn't want a user thinking your menu is broken (if they try something creative).

An alternative to a 1 second timeout would be use GLib.spawn_async_with_pipes and let it load in the background and update the label when it's done, with a 5 or 10 second timeout in case it doesn't load. I do something similar in my other extension to read command output. But that may be overly complicated for what you're trying to do.

Your call on how to handle it. We can always just note in the readme how it's meant to be used.

I think the 1s timeout is reasonable for a first pass.