fix: strip host_key prefix from Chrome 130+ cookie values (#526)

* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add decrypt_test.go with v10 round-trip encryption/decryption test - Add stripCookieHash test cases for v24+, older Chrome, empty values, short values, and host mismatch scenarios Closes #524 * fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add table-driven decrypt tests for v10/v20/DPAPI per platform - Add Windows-specific DPAPI round-trip test using CryptProtectData - Add shared testAESKey constant in testutil_test.go - Add stripCookieHash tests for v24+, older Chrome, empty values, short values, and host mismatch scenarios - Extend lint CI to run on ubuntu, windows, and macos Closes #524 * fix: remove DPAPI test from darwin/linux (returns nil on Linux) DecryptWithDPAPI returns nil error on Linux (silent no-op) but error on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip testing is properly covered in decrypt_windows_test.go. * fix: resolve Windows CI lint errors exposed by multi-platform lint - Add _ = before windows.CloseHandle calls to satisfy errcheck - Add build tag to params.go (only used on macOS/Linux, not Windows) * fix: add .gitattributes to force LF and refactor cookie tests - Add .gitattributes with `* text=auto eol=lf` to prevent CRLF conversion on Windows CI causing gofumpt false positives - Add .gitattributes to .gitignore whitelist - Refactor stripCookieHash tests into table-driven style * fix: address Copilot review on decrypt tests - Assert error on wrong key instead of ignoring it (AES-CBC returns padding error, not silent empty result) - Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic - Convert uint32 to int for make/copy slice bounds in Windows test * fix: assert specific error message in wrong key decrypt test
2026-05-19 18:58:03 +02:00 · 2026-03-29 22:40:38 +08:00
parent b3dd4ed6e4
commit 2c4e871e59
10 changed files with 249 additions and 11 deletions
@@ -0,0 +1,64 @@
+//go:build darwin || linux
+
+package chromium
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/moond4rk/hackbrowserdata/crypto"
+)
+
+// testCBCIV is the fixed IV Chrome uses on macOS/Linux (16 space bytes).
+var testCBCIV = bytes.Repeat([]byte{0x20}, 16)
+
+func TestDecryptValue_V10(t *testing.T) {
+	plaintext := []byte("test_secret_value")
+	encrypted, err := crypto.AES128CBCEncrypt(testAESKey, testCBCIV, plaintext)
+	require.NoError(t, err)
+	v10Ciphertext := append([]byte("v10"), encrypted...)
+
+	tests := []struct {
+		name       string
+		key        []byte
+		want       []byte
+		wantErrMsg string // empty = no error expected
+	}{
+		{
+			name: "decrypts correctly",
+			key:  testAESKey,
+			want: plaintext,
+		},
+		{
+			name:       "wrong key returns padding error",
+			key:        []byte("wrong_key_1234!!"),
+			wantErrMsg: "pkcs5UnPadding",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := decryptValue(tt.key, v10Ciphertext)
+			if tt.wantErrMsg != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.wantErrMsg)
+				assert.Nil(t, got)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestDecryptValue_V20(t *testing.T) {
+	// v20 App-Bound Encryption is not yet implemented.
+	// TODO: add successful decryption cases when implemented.
+	ciphertext := append([]byte("v20"), make([]byte, 32)...)
+	_, err := decryptValue(nil, ciphertext)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "v20")
+}
@@ -0,0 +1,83 @@
+//go:build windows
+
+package chromium
+
+import (
+	"fmt"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/moond4rk/hackbrowserdata/crypto"
+)
+
+// encryptWithDPAPI encrypts data using Windows DPAPI (CryptProtectData).
+// This is the reverse of crypto.DecryptWithDPAPI, used only for testing.
+func encryptWithDPAPI(plaintext []byte) ([]byte, error) {
+	crypt32 := syscall.NewLazyDLL("Crypt32.dll")
+	kernel32 := syscall.NewLazyDLL("Kernel32.dll")
+	protectDataProc := crypt32.NewProc("CryptProtectData")
+	localFreeProc := kernel32.NewProc("LocalFree")
+
+	var inBlob struct {
+		cbData uint32
+		pbData *byte
+	}
+	inBlob.cbData = uint32(len(plaintext))
+	if len(plaintext) > 0 {
+		inBlob.pbData = &plaintext[0]
+	}
+
+	var outBlob struct {
+		cbData uint32
+		pbData *byte
+	}
+
+	r, _, err := protectDataProc.Call(
+		uintptr(unsafe.Pointer(&inBlob)),
+		0, 0, 0, 0, 0,
+		uintptr(unsafe.Pointer(&outBlob)),
+	)
+	if r == 0 {
+		return nil, fmt.Errorf("CryptProtectData failed: %w", err)
+	}
+	defer localFreeProc.Call(uintptr(unsafe.Pointer(outBlob.pbData)))
+
+	size := int(outBlob.cbData)
+	result := make([]byte, size)
+	copy(result, (*[1 << 30]byte)(unsafe.Pointer(outBlob.pbData))[:size])
+	return result, nil
+}
+
+func TestDecryptValue_V10_Windows(t *testing.T) {
+	// Windows uses AES-GCM for v10 (not AES-CBC like macOS/Linux)
+	plaintext := []byte("test_secret_value")
+	nonce := []byte("123456789012") // 12-byte nonce
+
+	encrypted, err := crypto.AESGCMEncrypt(testAESKey, nonce, plaintext)
+	require.NoError(t, err)
+
+	// v10 format on Windows: "v10" + nonce(12) + encrypted
+	ciphertext := append([]byte("v10"), append(nonce, encrypted...)...)
+
+	got, err := decryptValue(testAESKey, ciphertext)
+	require.NoError(t, err)
+	assert.Equal(t, plaintext, got)
+}
+
+func TestDecryptValue_DPAPI_Windows(t *testing.T) {
+	// Round-trip: encrypt with CryptProtectData, decrypt with decryptValue
+	plaintext := []byte("dpapi_test_secret")
+
+	encrypted, err := encryptWithDPAPI(plaintext)
+	require.NoError(t, err)
+	require.NotEmpty(t, encrypted)
+
+	// No v10/v20 prefix → decryptValue routes to DPAPI path
+	got, err := decryptValue(nil, encrypted)
+	require.NoError(t, err)
+	assert.Equal(t, plaintext, got)
+}
@@ -1,6 +1,8 @@
 package chromium

 import (
+	"bytes"
+	"crypto/sha256"
 	"database/sql"
 	"sort"

@@ -30,6 +32,7 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
 			}

 			value, _ := decryptValue(masterKey, encryptedValue)
+			value = stripCookieHash(value, host)
 			return types.CookieEntry{
 				Name:       name,
 				Host:       host,
@@ -50,3 +53,19 @@ func extractCookies(masterKey []byte, path string) ([]types.CookieEntry, error)
 	})
 	return cookies, nil
 }
+
+// stripCookieHash removes the SHA256(host_key) prefix from a decrypted cookie value.
+// Chrome 130+ (Cookie DB schema version 24) prepends SHA256(domain) to the cookie
+// value before encryption to prevent cross-domain cookie replay attacks.
+// If the first 32 bytes don't match SHA256(hostKey), the value is returned unchanged,
+// which handles both older Chrome versions and tampered data.
+func stripCookieHash(value []byte, hostKey string) []byte {
+	if len(value) < sha256.Size {
+		return value
+	}
+	hash := sha256.Sum256([]byte(hostKey))
+	if bytes.Equal(value[:sha256.Size], hash[:]) {
+		return value[sha256.Size:] // empty slice if value was exactly 32 bytes
+	}
+	return value
+}
@@ -1,6 +1,7 @@
 package chromium

 import (
+	"crypto/sha256"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -25,11 +26,63 @@ func TestExtractCookies(t *testing.T) {
 	assert.Equal(t, "token", got[0].Name)
 	assert.Equal(t, "/api", got[0].Path)
 	assert.True(t, got[0].IsSecure)
-	assert.False(t, got[0].IsHTTPOnly) // httpOnly=0
+	assert.False(t, got[0].IsHTTPOnly)
 	assert.False(t, got[0].CreatedAt.IsZero())
-	assert.False(t, got[0].ExpireAt.IsZero())
 	assert.True(t, got[0].ExpireAt.After(got[0].CreatedAt))
-
-	// Verify second cookie flags
-	assert.True(t, got[1].IsHTTPOnly) // httpOnly=1
+	assert.True(t, got[1].IsHTTPOnly)
+}
+
+func TestStripCookieHash(t *testing.T) {
+	googleHash := sha256.Sum256([]byte(".google.com"))
+	shopifyHash := sha256.Sum256([]byte(".shopify.com"))
+
+	tests := []struct {
+		name    string
+		value   []byte
+		hostKey string
+		want    string
+	}{
+		{
+			name:    "Chrome 130+ strips SHA256 prefix",
+			value:   append(googleHash[:], []byte("GA1.3.240937927.1770097858")...),
+			hostKey: ".google.com",
+			want:    "GA1.3.240937927.1770097858",
+		},
+		{
+			name:    "Chrome 130+ empty original value",
+			value:   shopifyHash[:],
+			hostKey: ".shopify.com",
+			want:    "",
+		},
+		{
+			name:    "older Chrome no prefix",
+			value:   []byte("plain_cookie_value"),
+			hostKey: ".example.com",
+			want:    "plain_cookie_value",
+		},
+		{
+			name:    "short value unchanged",
+			value:   []byte("short"),
+			hostKey: ".example.com",
+			want:    "short",
+		},
+		{
+			name:    "host mismatch not stripped",
+			value:   append(googleHash[:], []byte("value")...),
+			hostKey: ".other.com",
+			want:    string(append(googleHash[:], []byte("value")...)),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := stripCookieHash(tt.value, tt.hostKey)
+			assert.Equal(t, tt.want, string(got))
+		})
+	}
+}
+
+func TestStripCookieHash_NilValue(t *testing.T) {
+	got := stripCookieHash(nil, ".example.com")
+	assert.Nil(t, got)
 }
@@ -12,6 +12,14 @@ import (
 	_ "modernc.org/sqlite"
 )

+// ---------------------------------------------------------------------------
+// Shared test constants for Chromium encryption.
+// Reusable across decrypt, cookie, password, and creditcard tests.
+// ---------------------------------------------------------------------------
+
+// testAESKey is a 16-byte AES-128 key for constructing test ciphertext.
+var testAESKey = []byte("0123456789abcdef")
+
 // ---------------------------------------------------------------------------
 // Real Chrome table schemas — extracted via `sqlite3 <db> ".schema <table>"`.
 // Using complete schemas ensures our SQL queries work against real browser data.