fix(uninstall): enhance receipt file processing safety and prevent system file deletion

CRITICAL SECURITY FIX Enhanced the receipt file parsing in uninstall operations to prevent accidental deletion of critical system files while maintaining deep cleanup capabilities. Changes: - Tightened whitelist in find_app_receipt_files() to exclude /Users/*, /usr/*, and /opt/* broad patterns - Added explicit blacklist for /private/* with safe exceptions for logs, temp files, and diagnostic data - Integrated should_protect_path() check for additional protection - Added file deduplication with sort -u to prevent duplicate deletions - Removed dry-run feature from batch uninstall (unused entry point) Path Protection: ✅ Blocked: /etc/passwd, /var/db/*, /private/etc/*, all system binaries ✅ Allowed: /Applications/*, specific /Library/* subdirs, safe /private/* paths ✅ Additional: Keychain files, system preferences via should_protect_path() This fixes a critical security issue where parsing .bom receipt files could result in deletion of system files like /etc/passwd and /var/db/*, leading to system corruption and data loss. Affects: V1.12.14 and later versions Testing: Validated against critical system paths, all blocked correctly
2026-02-04 15:04:42 +00:00 · 2026-01-15 21:01:11 +08:00
parent 30547c9c4c
commit 7dc854cf30
3 changed files with 82 additions and 30 deletions
--- a/lib/core/file_ops.sh
+++ b/lib/core/file_ops.sh
@@ -66,14 +66,50 @@ validate_path_for_deletion() {
            ;;
    esac

+    # Allow known safe paths under /private
+    case "$path" in
+        /private/tmp | /private/tmp/* | \
+            /private/var/tmp | /private/var/tmp/* | \
+            /private/var/log | /private/var/log/* | \
+            /private/var/folders | /private/var/folders/* | \
+            /private/var/db/diagnostics | /private/var/db/diagnostics/* | \
+            /private/var/db/DiagnosticPipeline | /private/var/db/DiagnosticPipeline/* | \
+            /private/var/db/powerlog | /private/var/db/powerlog/* | \
+            /private/var/db/reportmemoryexception | /private/var/db/reportmemoryexception/*)
+            return 0
+            ;;
+    esac
+
    # Check path isn't critical system directory
    case "$path" in
-        / | /bin | /sbin | /usr | /usr/bin | /usr/sbin | /etc | /var | /System | /System/* | /Library/Extensions)
+        / | /bin | /bin/* | /sbin | /sbin/* | /usr | /usr/bin | /usr/bin/* | /usr/sbin | /usr/sbin/* | /usr/lib | /usr/lib/* | /System | /System/* | /Library/Extensions)
            log_error "Path validation failed: critical system directory: $path"
            return 1
            ;;
+        /private)
+            log_error "Path validation failed: critical system directory: $path"
+            return 1
+            ;;
+        /etc | /etc/* | /private/etc | /private/etc/*)
+            log_error "Path validation failed: /etc contains critical system files: $path"
+            return 1
+            ;;
+        /var | /var/db | /var/db/* | /private/var | /private/var/db | /private/var/db/*)
+            log_error "Path validation failed: /var/db contains system databases: $path"
+            return 1
+            ;;
    esac

+    # Check if path is protected (keychains, system settings, etc)
+    if declare -f should_protect_path > /dev/null 2>&1; then
+        if should_protect_path "$path"; then
+            if [[ "${MO_DEBUG:-0}" == "1" ]]; then
+                log_warning "Path validation: protected path skipped: $path"
+            fi
+            return 1
+        fi
+    fi
+
    return 0
 }