mirrors/Mole
1
0
Fork 0
mirror of https://github.com/tw93/Mole.git synced 2026-03-22 18:30:08 +00:00
Code Activity

chore(release): bump to 1.28.0 and refresh security audit

Browse Source
This commit is contained in:
tw93
2026-02-27 10:07:49 +08:00
parent bbe3d3f284
commit 194fe871e5
2 changed files with 27 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
SECURITY_AUDIT.md
View File

@@ -1,55 +1,13 @@
# Mole Security Reference
Version 1.27.0 | 2026-02-21
## Recent Fixes
**Cleanup hardening audit, Feb 2026:**
- `clean_deep_system()` now uses `safe_sudo_find_delete()` and `safe_sudo_remove()` for temp/log/diagnostic/report paths in `lib/clean/system.sh`.
- Removed direct `find ... -delete` from security-sensitive cleanup paths. Deletions now go through validated safe wrappers.
- `process_container_cache()` in `lib/clean/user.sh` now removes entries item-by-item with `safe_remove()`, so every delete is validated.
- `clean_application_support_logs()` now also performs item-by-item `safe_remove()` cleanup instead of direct bulk deletion.
- Group Containers cleanup now builds an explicit candidate list first, then filters protected/whitelisted items before deletion.
- `bin/clean.sh` dry-run export temp files rely on tracked temp lifecycle (`create_temp_file()` + trap cleanup) to avoid orphan temp artifacts.
- Added/updated regression coverage in `tests/clean_system_maintenance.bats`, `tests/clean_core.bats`, and `tests/clean_user_core.bats` for the new safe-deletion flow.
- Added conservative support-cache cleanup in `lib/clean/user.sh`:
- `~/Library/Application Support/CrashReporter` files older than 30 days
- `~/Library/Application Support/com.apple.idleassetsd` files older than 30 days
- `~/Library/Messages/StickerCache` and `~/Library/Messages/Caches/Previews/*` caches only
- Explicitly kept `~/Library/Messages/Attachments` and `~/Library/Metadata/CoreSpotlight` out of automatic cleanup to avoid user-data or indexing risk.
- Added low-risk cache coverage in `lib/clean/app_caches.sh`:
- `~/Library/Logs/CoreSimulator/*`
- Adobe media cache (`~/Library/Application Support/Adobe/Common/Media Cache Files/*`)
- Steam app/depot/shader/log caches and Minecraft/Lunar Client log/cache directories
- Legacy Microsoft Teams cache/log/temp directories under `~/Library/Application Support/Microsoft/Teams/*`
- `~/.cacher/logs/*` and `~/.kite/logs/*`
- Added conservative third-party system log cleanup in `lib/clean/system.sh`:
- `/Library/Logs/Adobe/*` and `/Library/Logs/CreativeCloud/*` older files only
- `/Library/Logs/adobegc.log` only when older than log retention
- Explicitly did not add high-risk cleanup defaults for:
- `/private/var/folders/*` broad deletion
- `~/Library/Application Support/MobileSync/Backup/*`
- Browser history/cookie databases (e.g., Arc History/Cookies/Web Data)
- Destructive container/image pruning commands by default
**Uninstall audit, Jan 2026:**
- `stop_launch_services()` now checks bundle_id is valid reverse-DNS before using it in find patterns. This stops glob injection.
- `find_app_files()` skips LaunchAgents named after common words like Music or Notes.
- Added comments explaining why `remove_file_list()` bypasses TOCTOU checks for symlinks.
- `brew_uninstall_cask()` treats exit code 124 as timeout failure, returns immediately.
Other changes:
- Symlink cleanup in `bin/clean.sh` goes through `safe_remove` now
- Orphaned helper cleanup in `lib/clean/apps.sh` switched to `safe_sudo_remove`
- ByHost pref cleanup checks bundle ID format first
Version 1.28.0 | 2026-02-27
## Path Validation
Every deletion goes through `lib/core/file_ops.sh`. The `validate_path_for_deletion()` function rejects empty paths, paths with `/../` in them, and anything containing control characters like newlines or null bytes.
Direct `find ... -delete` is not used for security-sensitive cleanup paths. Deletions go through validated safe wrappers like `safe_sudo_find_delete()`, `safe_sudo_remove()`, and `safe_remove()`.
**Blocked paths**, even with sudo:
```text
@@ -85,10 +43,21 @@ App names need at least 3 characters. Otherwise "Go" would match "Google" and th
Cache dirs like `~/.cargo/registry/cache` or `~/.gradle/caches` get cleaned. But `~/.cargo/bin`, `~/.mix/archives`, `~/.rustup` toolchains, `~/.stack/programs` stay untouched.
**Application Support and Caches:**
- Cache entries are evaluated and removed safely on an item-by-item basis using `safe_remove()` (e.g., `process_container_cache`, `clean_application_support_logs`).
- Group Containers strictly filter against whitelists before deletion.
- Targets safe, age-gated resources natively (e.g., CrashReporter > 30 days, cached Steam/Simulator/Adobe/Teams log rot).
- Explicitly protects high-risk locations: `/private/var/folders/*` sweeping, iOS Backups (`MobileSync`), browser history/cookies, and destructive container/image pruning.
**LaunchAgent removal:**
Only removed when uninstalling the app that owns them. All `com.apple.*` items are skipped. Services get stopped via `launchctl` first. Generic names like Music, Notes, Photos are excluded from the search.
`stop_launch_services()` checks bundle_id is valid reverse-DNS before using it in find patterns, stopping glob injection. `find_app_files()` skips LaunchAgents named after common words like Music or Notes.
`unregister_app_bundle` explicitly drops uninstalled applications from LaunchServices via `lsregister -u`. `refresh_launch_services_after_uninstall` triggers asynchronous database compacting and rebuilds to ensure complete removal of stale app references without blocking workflows.
See `lib/core/app_protection.sh:find_app_files()`.
## Protected Categories
@@ -99,6 +68,8 @@ VPN and proxy tools are skipped: Shadowsocks, V2Ray, Tailscale, Clash.
AI tools are protected: Cursor, Claude, ChatGPT, Ollama, LM Studio.
`~/Library/Messages/Attachments` and `~/Library/Metadata/CoreSpotlight` are kept out of automatic cleanup to avoid user-data or indexing risk.
Time Machine backups running? Won't clean. Status unclear? Also won't clean.
`com.apple.*` LaunchAgents/Daemons are never touched.
@@ -120,6 +91,12 @@ Code at `cmd/analyze/*.go`.
Network volume checks timeout after 5s (NFS/SMB/AFP can hang forever). mdfind searches get 10s. SQLite vacuum gets 20s, skipped if Mail/Safari/Messages is open. dyld cache rebuild gets 180s, skipped if done in the last 24h.
`brew_uninstall_cask()` treats exit code 124 as timeout failure, returns immediately.
`app_support_item_size_bytes` calculation leverages direct `stat -f%z` checks and uses `du` only for directories, combined with strict timeout protections to avoid process hangs.
Font cache rebuilding (`opt_font_cache_rebuild`) safely aborts if explicit browser processes (Safari, Chrome, Firefox, Arc, etc.) are detected, preventing GPU cache corruption and rendering bugs.
See `lib/core/timeout.sh:run_with_timeout()`.
## User Config
@@ -145,6 +122,10 @@ Security-sensitive cleanup paths are covered by BATS regression tests, including
- `tests/clean_dev_caches.bats`
- `tests/clean_system_maintenance.bats`
**System Memory Reports** computation uses bulk `find -exec stat` to avoid bash loop child-process limits on corrupted systems.
`bin/clean.sh` dry-run export temp files rely on tracked temp lifecycle (`create_temp_file()` + trap cleanup) to avoid orphan temp artifacts.
Background spinner logic interacts directly with `/dev/tty` and guarantees robust termination signals handling via trap mechanisms.
Latest local verification for this release branch:
- `bats tests/clean_core.bats` passed (12/12)

2
mole
View File

@@ -13,7 +13,7 @@ source "$SCRIPT_DIR/lib/core/commands.sh"
trap cleanup_temp_files EXIT INT TERM
# Version and update helpers
VERSION="1.27.0"
VERSION="1.28.0"
MOLE_TAGLINE="Deep clean and optimize your Mac."
is_touchid_configured() {