Skip to content

Harden destructive modules: reparse-safe cache cleanup + BitLocker enable confirm (v1.121.8)#76

Merged
TheAbider merged 1 commit into
masterfrom
fix/cleanup-reparse-bitlocker
Jul 1, 2026
Merged

Harden destructive modules: reparse-safe cache cleanup + BitLocker enable confirm (v1.121.8)#76
TheAbider merged 1 commit into
masterfrom
fix/cleanup-reparse-bitlocker

Conversation

@TheAbider

Copy link
Copy Markdown
Owner

Fixes from a deep audit of the destructive/data-affecting modules (BitLocker, Deduplication, Storage Migration, Disk Cleanup, Debloat).

Disk Cleanup — reparse-safe browser-cache sweeps (high)

The Chrome, Firefox, and full-cleanup (Invoke-FullEnhancedCleanup) browser-cache sweeps now skip reparse points during recursion — the same protection the Edge and temp-file sweeps already had. Without it, a junction/symlink planted inside a browser profile under %LOCALAPPDATA% could redirect an admin-context Remove-Item to files elsewhere on disk (local file-deletion / privilege-escalation vector).

  • Clear-BrowserCaches: Chrome Cache + Code Cache, and Firefox cache2 recursions now carry Where-Object { -not ($_.Attributes -band $reparseAttr) }.
  • Invoke-FullEnhancedCleanup: the shared $browserPaths delete loop gets the same filter.

BitLocker — final confirm before enable (medium)

Enabling BitLocker now asks a final Confirm-UserAction naming the exact volume and method (TPM / TPM+PIN / Password) before the one-way, hours-long encryption begins — mirroring the confirmation the Disable path already had. A mistyped volume number is caught here instead of after encryption starts. The Dry-Run queue path is its own gate and is unchanged.

Verified clean (no changes needed)

The audit confirmed Deduplication, Storage Migration, and Debloat — and BitLocker's recovery-key handling — are already correct.

Tests

  • New Section 195 (7 asserts): per-browser reparse filters (Chrome ×2, Firefox, full-loop), Edge regression, BitLocker enable-confirm presence + ordering, Disable-confirm regression.
  • Full suite: 5291/5291 passing. PSSA gate (Section 4, Error-severity + settings file) green. Monolithic rebuilt, parse check passed. Version stamps → 1.121.8.

…able confirm (v1.121.8)

Fixes from a deep audit of the destructive/data-affecting modules.

Disk Cleanup (20-DiskCleanup.ps1): the Chrome, Firefox, and full-cleanup
browser-cache sweeps now skip reparse points during recursion, matching the
Edge and temp-file sweeps. A junction planted inside a browser profile could
otherwise redirect an admin-context Remove-Item to files elsewhere on disk.

BitLocker (31-BitLocker.ps1): enabling BitLocker now asks a final confirmation
naming the exact volume and method before the one-way encryption begins,
mirroring the gate the Disable path already has.

Audit also confirmed Deduplication, Storage Migration, and Debloat, plus
BitLocker recovery-key handling, are already correct. Tests: Section 195
(7 asserts); 5291/5291 passing. Monolithic + version stamps bumped to 1.121.8.
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@TheAbider TheAbider merged commit 8cc7793 into master Jul 1, 2026
7 checks passed
@TheAbider TheAbider deleted the fix/cleanup-reparse-bitlocker branch July 1, 2026 11:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant