Safer cleaning and enhancement capabilities

bin/clean.sh

@@ -25,11 +25,6 @@ DRY_RUN=false
 PROTECT_FINDER_METADATA=false
 IS_M_SERIES=$([[ "$(uname -m)" == "arm64" ]] && echo "true" || echo "false")
 
-# Constants
-readonly MAX_PARALLEL_JOBS=15 # Maximum parallel background jobs
-readonly TEMP_FILE_AGE_DAYS=7 # Age threshold for temp file cleanup
-readonly ORPHAN_AGE_DAYS=60   # Age threshold for orphaned data
-
 # Protected Service Worker domains (web-based editing tools)
 readonly PROTECTED_SW_DOMAINS=(
     "capcut.com"
@@ -64,6 +59,12 @@ if [[ -f "$HOME/.config/mole/whitelist" ]]; then
         # Expand tilde to home directory
         [[ "$line" == ~* ]] && line="${line/#~/$HOME}"
 
+        # Security: reject path traversal attempts
+        if [[ "$line" =~ \.\. ]]; then
+            WHITELIST_WARNINGS+=("Path traversal not allowed: $line")
+            continue
+        fi
+
         # Path validation with support for spaces and wildcards
         # Allow: letters, numbers, /, _, ., -, @, spaces, and * anywhere in path
         if [[ ! "$line" =~ ^[a-zA-Z0-9/_.@\ *-]+$ ]]; then
@@ -71,6 +72,12 @@ if [[ -f "$HOME/.config/mole/whitelist" ]]; then
             continue
         fi
 
+        # Require absolute paths (must start with /)
+        if [[ "$line" != /* ]]; then
+            WHITELIST_WARNINGS+=("Must be absolute path: $line")
+            continue
+        fi
+
         # Reject paths with consecutive slashes (e.g., //)
         if [[ "$line" =~ // ]]; then
             WHITELIST_WARNINGS+=("Consecutive slashes: $line")
@@ -79,7 +86,7 @@ if [[ -f "$HOME/.config/mole/whitelist" ]]; then
 
         # Prevent critical system directories
         case "$line" in
-            /System/* | /bin/* | /sbin/* | /usr/bin/* | /usr/sbin/* | /etc/* | /var/db/*)
+            / | /System | /System/* | /bin | /bin/* | /sbin | /sbin/* | /usr/bin | /usr/bin/* | /usr/sbin | /usr/sbin/* | /etc | /etc/* | /var/db | /var/db/*)
                 WHITELIST_WARNINGS+=("Protected system path: $line")
                 continue
                 ;;
@@ -322,7 +329,7 @@ safe_clean() {
             pids+=($!)
             ((idx++))
 
-            if ((${#pids[@]} >= MAX_PARALLEL_JOBS)); then
+            if ((${#pids[@]} >= MOLE_MAX_PARALLEL_JOBS)); then
                 wait "${pids[0]}" 2> /dev/null || true
                 pids=("${pids[@]:1}")
                 ((completed++))
@@ -351,7 +358,7 @@ safe_clean() {
                         if [[ -L "$path" ]]; then
                             rm "$path" 2> /dev/null || true
                         else
-                            rm -rf "$path" 2> /dev/null || true
+                            safe_remove "$path" true || true
                         fi
                     fi
                     ((total_size_bytes += size))
@@ -380,7 +387,7 @@ safe_clean() {
                     if [[ -L "$path" ]]; then
                         rm "$path" 2> /dev/null || true
                     else
-                        rm -rf "$path" 2> /dev/null || true
+                        safe_remove "$path" true || true
                     fi
                 fi
                 ((total_size_bytes += size_bytes))
@@ -606,9 +613,9 @@ perform_cleanup() {
     clean_virtualization_tools
     end_section
 
-    # ===== 11. Application Support logs cleanup =====
-    start_section "Application Support logs"
-    # Application Support logs cleanup (delegated to clean_user_data module)
+    # ===== 11. Application Support logs and caches cleanup =====
+    start_section "Application Support"
+    # Clean logs, Service Worker caches, Code Cache, Crashpad, stale updates, Group Containers
     clean_application_support_logs
     end_section
 

bin/optimize.sh

@@ -190,10 +190,10 @@ cleanup_path() {
     fi
 
     local removed=false
-    if rm -rf "$expanded_path" 2> /dev/null; then
+    if safe_remove "$expanded_path" true; then
         removed=true
     elif request_sudo_access "Removing $label requires admin access"; then
-        if sudo rm -rf "$expanded_path" 2> /dev/null; then
+        if safe_sudo_remove "$expanded_path"; then
             removed=true
         fi
     fi

bin/uninstall.sh

@@ -522,7 +522,7 @@ uninstall_applications() {
             done
 
             # Remove the application
-            if rm -rf "$app_path" 2> /dev/null; then
+            if safe_remove "$app_path" true; then
                 echo -e "  ${GREEN}${ICON_SUCCESS}${NC} Removed application"
             else
                 echo -e "  ${RED}${ICON_ERROR}${NC} Failed to remove $app_path"
@@ -538,7 +538,7 @@ uninstall_applications() {
                             echo -e "  ${GREEN}${ICON_SUCCESS}${NC} Removed $(echo "$file" | sed "s|$HOME|~|" | xargs basename)"
                         fi
                     else
-                        if rm -rf "$file" 2> /dev/null; then
+                        if safe_remove "$file" true; then
                             echo -e "  ${GREEN}${ICON_SUCCESS}${NC} Removed $(echo "$file" | sed "s|$HOME|~|" | xargs basename)"
                         fi
                     fi
@@ -558,7 +558,7 @@ uninstall_applications() {
                                 echo -e "  ${YELLOW}${ICON_ERROR}${NC} Failed to remove: $file"
                             fi
                         else
-                            if sudo rm -rf "$file" 2> /dev/null; then
+                            if safe_sudo_remove "$file"; then
                                 echo -e "  ${GREEN}${ICON_SUCCESS}${NC} Removed $(basename "$file")"
                             else
                                 echo -e "  ${YELLOW}${ICON_ERROR}${NC} Failed to remove: $file"