Gemini Executive Synthesis

Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass.

Technical Positioning
Secure file system operations; preventing unauthorized file deletion; robust symlink handling.
SaaS Insight & Market Implications
This issue details a critical Time-of-Check to Time-of-Use (TOCTOU) vulnerability within PureMac's `CleaningEngine.cleanItems`. The system resolves symlinks for allow-list validation but then operates on the original, unresolved path for deletion. This creates a race condition where an attacker can swap an intermediate path component to a malicious symlink after the check, leading to arbitrary file deletion outside the intended allow-list. This flaw directly compromises user data security, enabling the removal of sensitive files like SSH keys or AWS credentials. The proposed fix, re-verifying the resolved path immediately before deletion, is essential. This vulnerability underscores a fundamental security oversight in file system interaction, severely impacting the product's reliability and trustworthiness as a system cleaner.
Proprietary Technical Taxonomy
TOCTOU; symlinks; `CleaningEngine.cleanItems`; `removeItem(atPath: item.path)`; allow-list check; resolved URL; unresolved path; intermediate path component

Raw Developer Origin & Technical Request

GitHub Issue, Apr 16, 2026
Repo: momenbasel/PureMac
security: TOCTOU between symlink check and removeItem in CleaningEngine.cleanItems

### Summary
`CleaningEngine.cleanItems` resolves symlinks once for the allow-list check but calls `removeItem(atPath: item.path)` on the ORIGINAL (unresolved) path. An attacker at the same UID who wins the race swaps an intermediate path component to a symlink → `removeItem` follows it and deletes outside the allow-list. The `cb813ab` fix did not close this variant.

### Location
`PureMac/Services/CleaningEngine.swift` lines 30-42

### Evidence (runtime)
```
[check] resolved=.../Library/Caches/MyApp/sub/id_ed25519
[check] isSafe=true
[attacker] swapping intermediate component 'sub' → symlink to .../.ssh
[before] .../.ssh/id_ed25519 exists = true
[remove] removed: .../Library/Caches/MyApp/sub/id_ed25519
[after] .../.ssh/id_ed25519 exists = false ← deleted through the swapped symlink
```

### Impact
Arbitrary user-file deletion outside the allow-list — `~/.ssh/*`, `~/.aws/*`, `~/.config/*`, etc.

### Fix
Use the resolved URL at delete time and re-verify right before the call:
```swift
// Inside the per-item loop of CleaningEngine.cleanItems (fragment from the issue).
let itemURL = URL(fileURLWithPath: item.path)
guard fileManager.fileExists(atPath: item.path) else { continue }
// Validate the allow-list against the fully resolved path, never the path as supplied.
let resolvedURL = itemURL.resolvingSymlinksInPath()
let resolved = resolvedURL.path
guard isSafeToDelete(resolvedPath: resolved) else { /* log + skip */ continue }

// Re-resolve immediately before deleting; refuse if any component changed since the check.
let reResolved = URL(fileURLWithPath: item.path).resolvingSymlinksInPath().path
guard reResolved == resolved else { /* log + skip */ continue }
// Delete through the resolved URL so removeItem does not re-walk the unresolved path.
try fileManager.removeItem(at: resolvedURL)
```
The residual race (attacker ...

Adjacent Repository Pain Points

Other highly discussed features and pain points extracted from momenbasel/PureMac.

- Feature request for bulk selection and deletion of orphaned files, and clarification on scan accuracy. Positioning: efficient and user-friendly cleanup; accurate identification of deletable files; transparent operation.
- Ineffective or non-functional application uninstallation feature. Positioning: comprehensive and reliable application uninstallation; clear user feedback on deletion status.
- Inconsistent version reporting between download source and the application's 'About' information. Positioning: clear and accurate product versioning; professional software presentation.
- Allow-list bypass vulnerability due to incorrect path prefix matching without trailing slash. Positioning: secure file system operations; accurate allow-list validation; preventing unauthorized file deletion.
- Zero-click data loss vulnerability through environment variable injection and insecure default scheduling. Positioning: secure system interaction; preventing unauthorized data deletion; robust environment variable handling; secure default configurations.

Frequently Asked Questions

Market intelligence mapped to "Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass".

How is "Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass" positioned in the market?
Based on our AI analysis of the original developer request, its primary technical positioning is: secure file system operations; preventing unauthorized file deletion; robust symlink handling.
What are the foundational technologies related to "Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass"?
Our proprietary extraction maps this entry to adjacent architectural concepts including TOCTOU, symlinks, `CleaningEngine.cleanItems`, and `removeItem(atPath: item.path)`.

Engagement Signals

Replies: 0
Issue Status: open

Cross-Market Term Frequency

Quantifies the cross-market adoption of foundational terms like TOCTOU and symlinks by tracking occurrence frequency across active SaaS architectures and enterprise developer debates.