refactor: enhance uninstall safety and fix dock removal

- Add symlink/bundle_id/BOM validation to prevent injection attacks - Fix Dock removal for /Applications symlink (use pwd not pwd -P) - Fix brew uninstall test hanging (skip sudo in non-interactive mode) - Remove unused SENSITIVE_DATA_REGEX
2026-02-04 12:41:46 +00:00 · 2026-01-17 09:49:42 +08:00
parent 12cacaa6cc
commit 060c48c48d
7 changed files with 22 additions and 33 deletions
--- a/lib/uninstall/batch.sh
+++ b/lib/uninstall/batch.sh
@@ -11,25 +11,6 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"

 # Batch uninstall with a single confirmation.

-# User data detection patterns (prompt user to backup if found).
-readonly SENSITIVE_DATA_PATTERNS=(
-    "\.warp"                               # Warp terminal configs/themes
-    "/\.config/"                           # Standard Unix config directory
-    "/themes/"                             # Theme customizations
-    "/settings/"                           # Settings directories
-    "/Application Support/[^/]+/User Data" # Chrome/Electron user data
-    "/Preferences/[^/]+\.plist"            # User preference files
-    "/Documents/"                          # User documents
-    "/\.ssh/"                              # SSH keys and configs (critical)
-    "/\.gnupg/"                            # GPG keys (critical)
-)
-
-# Join patterns into a single regex for grep.
-SENSITIVE_DATA_REGEX=$(
-    IFS='|'
-    echo "${SENSITIVE_DATA_PATTERNS[*]}"
-)
-
 # High-performance sensitive data detection (pure Bash, no subprocess)
 # Faster than grep for batch operations, especially when processing many apps
 has_sensitive_data() {
--- a/lib/uninstall/brew.sh
+++ b/lib/uninstall/brew.sh
@@ -174,17 +174,18 @@ brew_uninstall_cask() {
    debug_log "Attempting brew uninstall --cask $cask_name"

    # Ensure we have sudo access if needed, to prevent brew from hanging on password prompt
-    if ! sudo -n true 2>/dev/null; then
-        sudo -v
+    if [[ "${NONINTERACTIVE:-}" != "1" && -t 0 && -t 1 ]]; then
+        if ! sudo -n true 2>/dev/null; then
+            sudo -v
+        fi
    fi

    local uninstall_ok=false
    local brew_exit=0

    # Run with timeout to prevent hangs from problematic cask scripts
-    if run_with_timeout 300 \
-        env HOMEBREW_NO_ENV_HINTS=1 HOMEBREW_NO_AUTO_UPDATE=1 NONINTERACTIVE=1 \
-        brew uninstall --cask "$cask_name" 2>&1; then
+    if HOMEBREW_NO_ENV_HINTS=1 HOMEBREW_NO_AUTO_UPDATE=1 NONINTERACTIVE=1 \
+        run_with_timeout 300 brew uninstall --cask "$cask_name" 2>&1; then
        uninstall_ok=true
    else
        brew_exit=$?