refactor: enhance pattern detection and symlink safety

- Expand sensitive data patterns (credentials, cloud configs, media folders) - Add symlink target validation in path deletion checks - Remove shared Gradle cache from Android Studio cleanup
2026-02-15 07:00:05 +00:00 · 2026-01-17 09:09:11 +08:00
parent 51abd890bc
commit 12cacaa6cc
2 changed files with 144 additions and 99 deletions
--- a/lib/core/file_ops.sh
+++ b/lib/core/file_ops.sh
@@ -39,6 +39,25 @@ validate_path_for_deletion() {
        return 1
    fi

+    # Check symlink target if path is a symbolic link
+    if [[ -L "$path" ]]; then
+        local link_target
+        link_target=$(readlink "$path" 2>/dev/null) || {
+            log_error "Cannot read symlink: $path"
+            return 1
+        }
+
+        # If symlink points to absolute path, validate target
+        if [[ "$link_target" == /* ]]; then
+            case "$link_target" in
+            /System/* | /usr/bin/* | /usr/lib/* | /bin/* | /sbin/* | /private/etc/*)
+                log_error "Symlink points to protected system path: $path -> $link_target"
+                return 1
+                ;;
+            esac
+        fi
+    fi
+
    # Check path is absolute
    if [[ "$path" != /* ]]; then
        log_error "Path validation failed: path must be absolute: $path"
--- a/lib/uninstall/batch.sh
+++ b/lib/uninstall/batch.sh
@@ -30,6 +30,32 @@ SENSITIVE_DATA_REGEX=$(
    echo "${SENSITIVE_DATA_PATTERNS[*]}"
 )

+# High-performance sensitive data detection (pure Bash, no subprocess)
+# Faster than grep for batch operations, especially when processing many apps
+has_sensitive_data() {
+    local files="$1"
+    [[ -z "$files" ]] && return 1
+
+    while IFS= read -r file; do
+        [[ -z "$file" ]] && continue
+
+        # Use Bash native pattern matching (faster than spawning grep)
+        case "$file" in
+        */.warp* | */.config/* | */themes/* | */settings/* | */User\ Data/* | \
+            */.ssh/* | */.gnupg/* | */Documents/* | */Preferences/*.plist | \
+            */Desktop/* | */Downloads/* | */Movies/* | */Music/* | */Pictures/* | \
+            */.password* | */.token* | */.auth* | */keychain* | \
+            */Passwords/* | */Accounts/* | */Cookies/* | \
+            */.aws/* | */.docker/config.json | */.kube/* | \
+            */credentials/* | */secrets/*)
+            return 0 # Found sensitive data
+            ;;
+        esac
+    done <<<"$files"
+
+    return 1 # Not found
+}
+
 # Decode and validate base64 file list (safe for set -e).
 decode_file_list() {
    local encoded="$1"
@@ -230,7 +256,7 @@ batch_uninstall_applications() {

        # Check for sensitive user data once.
        local has_sensitive_data="false"
-        if [[ -n "$related_files" ]] && echo "$related_files" | grep -qE "$SENSITIVE_DATA_REGEX"; then
+        if has_sensitive_data "$related_files"; then
            has_sensitive_data="true"
        fi