mirrors/Mole
1
0
Fork 0
mirror of https://github.com/tw93/Mole.git synced 2026-02-04 15:39:42 +00:00
Code Activity

security: restrict BOM whitelist to prevent shared component deletion

Browse Source 
- Removes shared directories (Frameworks, Plugins, etc) from receipt scanning whitelist
- Ensures that uninstalling an app won't accidentally delete shared system libraries
- Updates SECURITY_AUDIT.md to reflect stricter receipt scanning policy
This commit is contained in:
Tw93
2026-01-16 09:54:36 +08:00
parent 93953abad6
commit 06342de24f
2 changed files with 1 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
SECURITY_AUDIT.md
View File

@@ -166,7 +166,7 @@ For user-selected app removal:
- **Safety Limit:** 3-char minimum (prevents "Go" matching "Google")
- **Disabled:** Fuzzy matching and wildcard expansion for short names.
- **User Confirmation:** Required before deletion.
- **Receipt Scans:** BOM-derived files are limited to safe system prefixes and filtered by `should_protect_path()`.
- **Receipt Scans:** BOM-derived files are restricted to app-specific prefixes (e.g., `/Applications`, `/Library/Application Support`). Shared directories like `/Library/Frameworks` are **excluded** to prevent collateral damage.
**Code:** `lib/clean/apps.sh:uninstall_app()`

7
lib/core/app_protection.sh
View File

@@ -950,13 +950,6 @@ find_app_receipt_files() {
/Library/LaunchAgents/*) is_safe=true ;;
/Library/LaunchDaemons/*) is_safe=true ;;
/Library/PrivilegedHelperTools/*) is_safe=true ;;
/Library/Internet\ Plug-Ins/*) is_safe=true ;;
/Library/Audio/Plug-Ins/*) is_safe=true ;;
/Library/Frameworks/*) is_safe=true ;;
/Library/Input\ Methods/*) is_safe=true ;;
/Library/QuickLook/*) is_safe=true ;;
/Library/PreferencePanes/*) is_safe=true ;;
/Library/Screen\ Savers/*) is_safe=true ;;
/Library/Extensions/*) is_safe=false ;;
*) is_safe=false ;;
esac