diff --git a/SECURITY_AUDIT.md b/SECURITY_AUDIT.md index 54fb445..20fa513 100644 --- a/SECURITY_AUDIT.md +++ b/SECURITY_AUDIT.md @@ -1,55 +1,13 @@ # Mole Security Reference -Version 1.27.0 | 2026-02-21 - -## Recent Fixes - -**Cleanup hardening audit, Feb 2026:** - -- `clean_deep_system()` now uses `safe_sudo_find_delete()` and `safe_sudo_remove()` for temp/log/diagnostic/report paths in `lib/clean/system.sh`. -- Removed direct `find ... -delete` from security-sensitive cleanup paths. Deletions now go through validated safe wrappers. -- `process_container_cache()` in `lib/clean/user.sh` now removes entries item-by-item with `safe_remove()`, so every delete is validated. -- `clean_application_support_logs()` now also performs item-by-item `safe_remove()` cleanup instead of direct bulk deletion. -- Group Containers cleanup now builds an explicit candidate list first, then filters protected/whitelisted items before deletion. -- `bin/clean.sh` dry-run export temp files rely on tracked temp lifecycle (`create_temp_file()` + trap cleanup) to avoid orphan temp artifacts. -- Added/updated regression coverage in `tests/clean_system_maintenance.bats`, `tests/clean_core.bats`, and `tests/clean_user_core.bats` for the new safe-deletion flow. -- Added conservative support-cache cleanup in `lib/clean/user.sh`: - - `~/Library/Application Support/CrashReporter` files older than 30 days - - `~/Library/Application Support/com.apple.idleassetsd` files older than 30 days - - `~/Library/Messages/StickerCache` and `~/Library/Messages/Caches/Previews/*` caches only -- Explicitly kept `~/Library/Messages/Attachments` and `~/Library/Metadata/CoreSpotlight` out of automatic cleanup to avoid user-data or indexing risk. -- Added low-risk cache coverage in `lib/clean/app_caches.sh`: - - `~/Library/Logs/CoreSimulator/*` - - Adobe media cache (`~/Library/Application Support/Adobe/Common/Media Cache Files/*`) - - Steam app/depot/shader/log caches and Minecraft/Lunar Client log/cache directories - - Legacy Microsoft Teams cache/log/temp directories under `~/Library/Application Support/Microsoft/Teams/*` - - `~/.cacher/logs/*` and `~/.kite/logs/*` -- Added conservative third-party system log cleanup in `lib/clean/system.sh`: - - `/Library/Logs/Adobe/*` and `/Library/Logs/CreativeCloud/*` older files only - - `/Library/Logs/adobegc.log` only when older than log retention -- Explicitly did not add high-risk cleanup defaults for: - - `/private/var/folders/*` broad deletion - - `~/Library/Application Support/MobileSync/Backup/*` - - Browser history/cookie databases (e.g., Arc History/Cookies/Web Data) - - Destructive container/image pruning commands by default - -**Uninstall audit, Jan 2026:** - -- `stop_launch_services()` now checks bundle_id is valid reverse-DNS before using it in find patterns. This stops glob injection. -- `find_app_files()` skips LaunchAgents named after common words like Music or Notes. -- Added comments explaining why `remove_file_list()` bypasses TOCTOU checks for symlinks. -- `brew_uninstall_cask()` treats exit code 124 as timeout failure, returns immediately. - -Other changes: - -- Symlink cleanup in `bin/clean.sh` goes through `safe_remove` now -- Orphaned helper cleanup in `lib/clean/apps.sh` switched to `safe_sudo_remove` -- ByHost pref cleanup checks bundle ID format first +Version 1.28.0 | 2026-02-27 ## Path Validation Every deletion goes through `lib/core/file_ops.sh`. The `validate_path_for_deletion()` function rejects empty paths, paths with `/../` in them, and anything containing control characters like newlines or null bytes. +Direct `find ... -delete` is not used for security-sensitive cleanup paths. Deletions go through validated safe wrappers like `safe_sudo_find_delete()`, `safe_sudo_remove()`, and `safe_remove()`. + **Blocked paths**, even with sudo: ```text @@ -85,10 +43,21 @@ App names need at least 3 characters. Otherwise "Go" would match "Google" and th Cache dirs like `~/.cargo/registry/cache` or `~/.gradle/caches` get cleaned. But `~/.cargo/bin`, `~/.mix/archives`, `~/.rustup` toolchains, `~/.stack/programs` stay untouched. +**Application Support and Caches:** + +- Cache entries are evaluated and removed safely on an item-by-item basis using `safe_remove()` (e.g., `process_container_cache`, `clean_application_support_logs`). +- Group Containers strictly filter against whitelists before deletion. +- Targets safe, age-gated resources natively (e.g., CrashReporter > 30 days, cached Steam/Simulator/Adobe/Teams log rot). +- Explicitly protects high-risk locations: `/private/var/folders/*` sweeping, iOS Backups (`MobileSync`), browser history/cookies, and destructive container/image pruning. + **LaunchAgent removal:** Only removed when uninstalling the app that owns them. All `com.apple.*` items are skipped. Services get stopped via `launchctl` first. Generic names like Music, Notes, Photos are excluded from the search. +`stop_launch_services()` checks bundle_id is valid reverse-DNS before using it in find patterns, stopping glob injection. `find_app_files()` skips LaunchAgents named after common words like Music or Notes. + +`unregister_app_bundle` explicitly drops uninstalled applications from LaunchServices via `lsregister -u`. `refresh_launch_services_after_uninstall` triggers asynchronous database compacting and rebuilds to ensure complete removal of stale app references without blocking workflows. + See `lib/core/app_protection.sh:find_app_files()`. ## Protected Categories @@ -99,6 +68,8 @@ VPN and proxy tools are skipped: Shadowsocks, V2Ray, Tailscale, Clash. AI tools are protected: Cursor, Claude, ChatGPT, Ollama, LM Studio. +`~/Library/Messages/Attachments` and `~/Library/Metadata/CoreSpotlight` are kept out of automatic cleanup to avoid user-data or indexing risk. + Time Machine backups running? Won't clean. Status unclear? Also won't clean. `com.apple.*` LaunchAgents/Daemons are never touched. @@ -120,6 +91,12 @@ Code at `cmd/analyze/*.go`. Network volume checks timeout after 5s (NFS/SMB/AFP can hang forever). mdfind searches get 10s. SQLite vacuum gets 20s, skipped if Mail/Safari/Messages is open. dyld cache rebuild gets 180s, skipped if done in the last 24h. +`brew_uninstall_cask()` treats exit code 124 as timeout failure, returns immediately. + +`app_support_item_size_bytes` calculation leverages direct `stat -f%z` checks and uses `du` only for directories, combined with strict timeout protections to avoid process hangs. + +Font cache rebuilding (`opt_font_cache_rebuild`) safely aborts if explicit browser processes (Safari, Chrome, Firefox, Arc, etc.) are detected, preventing GPU cache corruption and rendering bugs. + See `lib/core/timeout.sh:run_with_timeout()`. ## User Config @@ -145,6 +122,10 @@ Security-sensitive cleanup paths are covered by BATS regression tests, including - `tests/clean_dev_caches.bats` - `tests/clean_system_maintenance.bats` +**System Memory Reports** computation uses bulk `find -exec stat` to avoid bash loop child-process limits on corrupted systems. +`bin/clean.sh` dry-run export temp files rely on tracked temp lifecycle (`create_temp_file()` + trap cleanup) to avoid orphan temp artifacts. +Background spinner logic interacts directly with `/dev/tty` and guarantees robust termination signals handling via trap mechanisms. + Latest local verification for this release branch: - `bats tests/clean_core.bats` passed (12/12) diff --git a/mole b/mole index ccdd3e6..a30ae72 100755 --- a/mole +++ b/mole @@ -13,7 +13,7 @@ source "$SCRIPT_DIR/lib/core/commands.sh" trap cleanup_temp_files EXIT INT TERM # Version and update helpers -VERSION="1.27.0" +VERSION="1.28.0" MOLE_TAGLINE="Deep clean and optimize your Mac." is_touchid_configured() {