CalvinBackup/HackBrowserData
1
0
Fork 0
mirror of https://github.com/moonD4rk/HackBrowserData.git synced 2026-05-23 19:14:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: strip host_key prefix from Chrome 130+ cookie values (#526)

Browse Source 
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values

Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.

Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
  the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add decrypt_test.go with v10 round-trip encryption/decryption test
- Add stripCookieHash test cases for v24+, older Chrome, empty values,
  short values, and host mismatch scenarios

Closes #524

* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values

Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.

Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
  the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add table-driven decrypt tests for v10/v20/DPAPI per platform
- Add Windows-specific DPAPI round-trip test using CryptProtectData
- Add shared testAESKey constant in testutil_test.go
- Add stripCookieHash tests for v24+, older Chrome, empty values,
  short values, and host mismatch scenarios
- Extend lint CI to run on ubuntu, windows, and macos

Closes #524

* fix: remove DPAPI test from darwin/linux (returns nil on Linux)

DecryptWithDPAPI returns nil error on Linux (silent no-op) but error
on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip
testing is properly covered in decrypt_windows_test.go.

* fix: resolve Windows CI lint errors exposed by multi-platform lint

- Add _ = before windows.CloseHandle calls to satisfy errcheck
- Add build tag to params.go (only used on macOS/Linux, not Windows)

* fix: add .gitattributes to force LF and refactor cookie tests

- Add .gitattributes with `* text=auto eol=lf` to prevent CRLF
  conversion on Windows CI causing gofumpt false positives
- Add .gitattributes to .gitignore whitelist
- Refactor stripCookieHash tests into table-driven style

* fix: address Copilot review on decrypt tests

- Assert error on wrong key instead of ignoring it (AES-CBC returns
  padding error, not silent empty result)
- Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic
- Convert uint32 to int for make/copy slice bounds in Windows test

* fix: assert specific error message in wrong key decrypt test
This commit is contained in:
Roger
2026-03-29 22:40:38 +08:00
committed by moonD4rk
parent b3dd4ed6e4
commit 2c4e871e59
10 changed files with 249 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
browser/chromium/decrypt_test.go
+64
View File
@@ -0,0 +1,64 @@
//go:build darwin || linux
package chromium
import (
"bytes"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/moond4rk/hackbrowserdata/crypto"
)
// testCBCIV is the fixed IV Chrome uses on macOS/Linux (16 space bytes).
var testCBCIV = bytes.Repeat([]byte{0x20}, 16)
func TestDecryptValue_V10(t *testing.T) {
plaintext := []byte("test_secret_value")
encrypted, err := crypto.AES128CBCEncrypt(testAESKey, testCBCIV, plaintext)
require.NoError(t, err)
v10Ciphertext := append([]byte("v10"), encrypted...)
tests := []struct {
name string
key []byte
want []byte
wantErrMsg string // empty = no error expected
}{
{
name: "decrypts correctly",
key: testAESKey,
want: plaintext,
},
{
name: "wrong key returns padding error",
key: []byte("wrong_key_1234!!"),
wantErrMsg: "pkcs5UnPadding",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := decryptValue(tt.key, v10Ciphertext)
if tt.wantErrMsg != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tt.wantErrMsg)
assert.Nil(t, got)
return
}
require.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}
func TestDecryptValue_V20(t *testing.T) {
// v20 App-Bound Encryption is not yet implemented.
// TODO: add successful decryption cases when implemented.
ciphertext := append([]byte("v20"), make([]byte, 32)...)
_, err := decryptValue(nil, ciphertext)
require.Error(t, err)
assert.Contains(t, err.Error(), "v20")
}