mirror of https://github.com/tw93/Mole.git synced 2026-02-15 18:40:05 +00:00

fix: enhance uninstall security per audit review

- Validate bundle_id format (reverse-DNS) in stop_launch_services() to prevent glob injection attacks
- Add common word exclusion list for LaunchAgents name search to avoid false positive matches (Music, Notes, Photos, etc.)
- Add security comments explaining symlink handling in remove_file_list()
- Improve brew_uninstall_cask() timeout handling: exit code 124 now returns failure immediately
- Update SECURITY_AUDIT.md with remediation details
This commit is contained in:
tw93
2026-01-26 20:27:46 +08:00
parent 09f0cf9e53
commit 3919a70300
4 changed files with 46 additions and 8 deletions

@@ -33,6 +33,11 @@
**Recent Remediations:**
- **Uninstall Audit (Jan 2026)**: Enhanced security in uninstall logic per comprehensive security review.
- `stop_launch_services()` now validates bundle_id format (reverse-DNS) before use in find patterns to prevent glob injection attacks.
- `find_app_files()` LaunchAgents search now excludes common words (Music, Notes, etc.) to prevent false positive matches.
- `remove_file_list()` symlink handling documented with detailed security comments explaining the TOCTOU protection bypass rationale.
- `brew_uninstall_cask()` timeout handling improved: exit code 124 (timeout) now returns failure immediately without verification.
- Symlink cleanup in `bin/clean.sh` now routes through `safe_remove` for target validation.
- Orphaned helper cleanup in `lib/clean/apps.sh` now uses `safe_sudo_remove`.
- ByHost preference cleanup in `lib/uninstall/batch.sh` validates bundle IDs and deletes via `safe_remove`.
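Review bot: The `stop_launch_services()` entry states that bundle_id is validated as reverse-DNS before being used in find patterns, but not what happens when validation fails, which is the part a reader of a security audit needs: is the service skipped and left running, is the uninstall aborted, or is the user warned? Suggest extending the bullet along the lines of "rejects bundle IDs that are not reverse-DNS and skips the launchctl/find step for them" (or whatever the code actually does). The same applies to the `brew_uninstall_cask()` bullet: "returns failure immediately without verification" should say whether the caller then falls back to manual removal or stops, since a timed-out `brew uninstall` may have partially removed the cask. Minor wording point on the `remove_file_list()` bullet: "TOCTOU protection bypass rationale" reads as if a protection is being bypassed; if the comments explain why symlinks are deliberately handled differently from the TOCTOU checks, phrase it as "the rationale for the symlink-specific handling relative to the TOCTOU checks".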
@@ -199,6 +204,8 @@ When users uninstall applications via `mo uninstall`, Mole automatically removes
- Unloads services via `launchctl` before deletion (via `stop_launch_services()`)
- **Safer than orphan detection:** Only removes plists when the associated app is explicitly being uninstalled
- Prevents accumulation of orphaned startup items that persist after app removal
- **Common word exclusion:** LaunchAgent name searches exclude generic terms (Music, Notes, Photos, etc.) to prevent false positives
- **Bundle ID validation:** `stop_launch_services()` validates reverse-DNS format before find patterns
**Code:** `lib/core/app_protection.sh:find_app_files()`, `lib/uninstall/batch.sh:stop_launch_services()`
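Review bot: The new "Common word exclusion" bullet documents the false-positive side of the heuristic but not the false-negative side: an app whose LaunchAgent plist name consists only of an excluded generic term (Music, Notes, Photos, ...) will no longer be matched by the name search and its plist will be left behind after uninstall. Suggest stating that trade-off in one clause and pointing at where the list lives (the `**Code:**` line below already names `lib/core/app_protection.sh:find_app_files()`, so "see the exclusion list in `find_app_files()`" would do) so that a maintainer adding to the list can see what it costs. The "Bundle ID validation" bullet repeats the point made in the Recent Remediations section above; either cross-reference it or keep only one of the two descriptions so they cannot drift apart.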