← Back to AI Insights
Gemini Executive Synthesis

Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass.

Technical Positioning
Secure file system operations; preventing unauthorized file deletion; robust symlink handling.
SaaS Insight & Market Implications
This issue details a critical Time-of-Check to Time-of-Use (TOCTOU) vulnerability within PureMac's `CleaningEngine.cleanItems`. The system resolves symlinks for allow-list validation but then operates on the original, unresolved path for deletion. This creates a race condition where an attacker can swap an intermediate path component to a malicious symlink after the check, leading to arbitrary file deletion outside the intended allow-list. This flaw directly compromises user data security, enabling the removal of sensitive files like SSH keys or AWS credentials. The proposed fix, re-verifying the resolved path immediately before deletion, is essential. This vulnerability underscores a fundamental security oversight in file system interaction, severely impacting the product's reliability and trustworthiness as a system cleaner.
Proprietary Technical Taxonomy
TOCTOU symlinks CleaningEngine.cleanItems removeItem(atPath: item.path) allow-list check resolved URL unresolved path intermediate path component

Raw Developer Origin & Technical Request

Source Icon GitHub Issue Apr 16, 2026
Repo: momenbasel/PureMac
security: TOCTOU between symlink check and removeItem in CleaningEngine.cleanItems

### Summary
`CleaningEngine.cleanItems` resolves symlinks once for the allow-list check but calls `removeItem(atPath: item.path)` on the ORIGINAL (unresolved) path. An attacker at the same UID who wins the race swaps an intermediate path component to a symlink → `removeItem` follows it and deletes outside the allow-list. The `cb813ab` fix did not close this variant.

### Location
`PureMac/Services/CleaningEngine.swift` lines 30-42

### Evidence (runtime)
```
[check] resolved=.../Library/Caches/MyApp/sub/id_ed25519
[check] isSafe=true
[attacker] swapping intermediate component 'sub' → symlink to .../.ssh
[before] .../.ssh/id_ed25519 exists = true
[remove] removed: .../Library/Caches/MyApp/sub/id_ed25519
[after] .../.ssh/id_ed25519 exists = false ← deleted through the swapped symlink
```

### Impact
Arbitrary user-file deletion outside the allow-list — `~/.ssh/*`, `~/.aws/*`, `~/.config/*`, etc.

### Fix
Use the resolved URL at delete time and re-verify right before the call:
```swift
let itemURL = URL(fileURLWithPath: item.path)
guard fileManager.fileExists(atPath: item.path) else { continue }
let resolvedURL = itemURL.resolvingSymlinksInPath()
let resolved = resolvedURL.path
guard isSafeToDelete(resolvedPath: resolved) else { /* log + skip */; continue }

let reResolved = URL(fileURLWithPath: item.path).resolvingSymlinksInPath().path
guard reResolved == resolved else { /* log + skip */; continue }
try fileManager.removeItem(at: resolvedURL)
```
The residual race (attacker ...

Developer Debate & Comments

No active discussions extracted for this entry yet.

Adjacent Repository Pain Points

Other highly discussed features and pain points extracted from momenbasel/PureMac.

Extracted Positioning
Feature request for bulk selection and deletion of orphaned files, and clarification on scan accuracy.
Efficient and user-friendly cleanup; accurate identification of deletable files; transparent operation.
Extracted Positioning
Ineffective or non-functional application uninstallation feature.
Comprehensive and reliable application uninstallation; clear user feedback on deletion status.
Extracted Positioning
Inconsistent version reporting between download source and application's 'About' information.
Clear and accurate product versioning; professional software presentation.
Extracted Positioning
Allow-list bypass vulnerability due to incorrect path prefix matching without trailing slash.
Secure file system operations; accurate allow-list validation; preventing unauthorized file deletion.
Extracted Positioning
Zero-click data loss vulnerability through environmental variable injection and insecure default scheduling.
Secure system interaction; preventing unauthorized data deletion; robust environment variable handling; secure default configurations.

Frequently Asked Questions

Market intelligence mapped to Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass..

What problem does Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass. solve?
Based on our AI analysis of the original developer request, its primary technical positioning is: Secure file system operations; preventing unauthorized file deletion; robust symlink handling.
Which technical concepts are associated with Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass.?
Our proprietary extraction maps Time-of-check to time-of-use (TOCTOU) vulnerability in file deletion logic, allowing symlink-based allow-list bypass. to adjacent architectural concepts including TOCTOU, symlinks, CleaningEngine.cleanItems, removeItem(atPath: item.path).

Engagement Signals

0
Replies
open
Issue Status

Cross-Market Term Frequency

Quantifies the cross-market adoption of foundational terms like TOCTOU and symlinks by tracking occurrence frequency across active SaaS architectures and enterprise developer debates.