fix: detect registry symlinks before write/delete to prevent TOCTOU privilege escalation

Author: SysAdminDoc

src/DeepPurge.Core/Safety/SafetyGuard.cs

@@ -212,6 +212,32 @@ public static bool IsJunkPathSafeToDelete(string path)
             normalized.StartsWith(parent, StringComparison.OrdinalIgnoreCase));
     }
 
+    /// <summary>Returns true if a registry key is a symbolic link. Callers must NOT write/delete symlinked keys — an attacker can redirect writes to critical system keys.</summary>
+    public static bool IsRegistrySymlink(Microsoft.Win32.RegistryKey key)
+    {
+        try
+        {
+            const int REG_OPTION_OPEN_LINK = 0x00000008;
+            var field = typeof(Microsoft.Win32.RegistryKey).GetField("_hkey",
+                System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
+            if (field == null) return false;
+            var handle = field.GetValue(key) as Microsoft.Win32.SafeHandles.SafeRegistryHandle;
+            if (handle == null || handle.IsInvalid) return false;
+            int result = RegQueryInfoKeyW(handle.DangerousGetHandle(),
+                null, IntPtr.Zero, IntPtr.Zero,
+                out _, out _, out _, out _, out _, out _, out _, IntPtr.Zero);
+            return result != 0;
+        }
+        catch { return false; }
+    }
+
+    [System.Runtime.InteropServices.DllImport("advapi32.dll", CharSet = System.Runtime.InteropServices.CharSet.Unicode)]
+    private static extern int RegQueryInfoKeyW(
+        IntPtr hKey, StringBuilder? lpClass, IntPtr lpcchClass, IntPtr lpReserved,
+        out int lpcSubKeys, out int lpcbMaxSubKeyLen, out int lpcbMaxClassLen,
+        out int lpcValues, out int lpcbMaxValueNameLen, out int lpcbMaxValueLen,
+        out int lpcbSecurityDescriptor, IntPtr lpftLastWriteTime);
+
     /// <summary>Returns true if the path is a reparse point (symlink, junction, mount point). Callers must NOT recurse into reparse points during deletion.</summary>
     public static bool IsReparsePoint(string path)
     {

src/DeepPurge.Core/Uninstall/UninstallEngine.cs

@@ -477,10 +477,21 @@ private static void DeleteRegistryItem(LeftoverItem item)
             var keyPath = subPath[..lastBackslash];
             var valueName = subPath[(lastBackslash + 1)..];
             using var key = hive.OpenSubKey(keyPath, writable: true);
+            if (key != null && SafetyGuard.IsRegistrySymlink(key))
+            {
+                Diagnostics.Log.Warn($"Skipping registry symlink: {path}");
+                return;
+            }
             key?.DeleteValue(valueName, throwOnMissingValue: false);
         }
         else
         {
+            using var checkKey = hive.OpenSubKey(subPath);
+            if (checkKey != null && SafetyGuard.IsRegistrySymlink(checkKey))
+            {
+                Diagnostics.Log.Warn($"Skipping registry symlink: {path}");
+                return;
+            }
             hive.DeleteSubKeyTree(subPath, throwOnMissingSubKey: false);
         }
     }