Issue #393 reported mo clean hanging on 'Scanning sandboxed apps'
and 'Scanning orphaned app resources'.
Root cause: should_protect_data() was looping through 332 patterns
(28 SYSTEM_CRITICAL_BUNDLES_FAST + 304 DATA_PROTECTED_BUNDLES).
For 662 sandboxed containers, this resulted in 220,000+ pattern matches.
Solution: Replace loops with fast case statement for common prefixes:
- com.apple.* (system apps) - instant return
- com.microsoft.*, com.jetbrains.* (IDEs) - instant return
- Password managers, VPNs, Docker etc. - instant return
- Other apps - instant return (no protection needed)
- Only check detailed list for special wildcards (com.tencent.* etc.)
Performance: Clean command maintains 35s (same as previous optimization)
Functionality: All 9 protection tests pass
- Replace time.After() with reusable timer to reduce GC pressure
- Use pre-compiled regex for app bundle matching (O(1) vs O(N))
- Fix Bash 3.2 compatibility (remove local -n usage)
- Validate bundle_id format (reverse-DNS) in stop_launch_services() to prevent glob injection attacks
- Add common word exclusion list for LaunchAgents name search to avoid false positive matches (Music, Notes, Photos, etc.) - Add security comments explaining symlink handling in remove_file_list()
- Improve brew_uninstall_cask() timeout handling: exit code 124 now returns failure immediately
- Update SECURITY_AUDIT.md with remediation details
Previously, apps matching DATA_PROTECTED_BUNDLES patterns (VPNs, dev tools, etc.)
could not be uninstalled because should_protect_path blocked their deletion.
Now use MOLE_UNINSTALL_MODE to distinguish between cleanup and explicit uninstall,
allowing users to remove these apps when they choose to while still protecting
their data during normal cleanup operations.
Also allow deletion of installer receipts in /private/var/db/receipts/.
CRITICAL SECURITY FIX
Enhanced the receipt file parsing in uninstall operations to prevent
accidental deletion of critical system files while maintaining deep
cleanup capabilities.
Changes:
- Tightened whitelist in find_app_receipt_files() to exclude /Users/*,
/usr/*, and /opt/* broad patterns
- Added explicit blacklist for /private/* with safe exceptions for
logs, temp files, and diagnostic data
- Integrated should_protect_path() check for additional protection
- Added file deduplication with sort -u to prevent duplicate deletions
- Removed dry-run feature from batch uninstall (unused entry point)
Path Protection:
✅ Blocked: /etc/passwd, /var/db/*, /private/etc/*, all system binaries
✅ Allowed: /Applications/*, specific /Library/* subdirs, safe /private/* paths
✅ Additional: Keychain files, system preferences via should_protect_path()
This fixes a critical security issue where parsing .bom receipt files
could result in deletion of system files like /etc/passwd and /var/db/*,
leading to system corruption and data loss.
Affects: V1.12.14 and later versions
Testing: Validated against critical system paths, all blocked correctly
Fixes#307
- Add Firefox to DATA_PROTECTED_BUNDLES to prevent cleaning
- Protects IndexedDB, localStorage, and other complex storage
- Prevents Gmail and other web apps from breaking after clean
- Add '/Library/Input Methods' to application scan paths
- Unprotect Sogou, QQ, and Baidu input methods from system critical list
- Enhance file cleanup logic to detect input method plugins and caches
- Allow clean uninstallation and deep cleaning of WeType, Sogou, etc.
- Protect Dropbox, OneDrive, Google Drive, Backblaze, Box (Issue #204)
- Add homebrew.mxcl.* services protection
- Document mo optimize --dry-run in help and README
- Bump version to 1.16.2
compatibility and cleanup improvements
- Fix field count
mismatch and base64 BSD/GNU compatibility
- Add sensitive data detection and macOS defaults cleanup
- Improve error handling and add compatibility tests
