mirror of
https://github.com/moonD4rk/HackBrowserData.git
synced 2026-07-06 21:37:47 +02:00
fix: strip host_key prefix from Chrome 130+ cookie values (#526)
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add decrypt_test.go with v10 round-trip encryption/decryption test - Add stripCookieHash test cases for v24+, older Chrome, empty values, short values, and host mismatch scenarios Closes #524 * fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add table-driven decrypt tests for v10/v20/DPAPI per platform - Add Windows-specific DPAPI round-trip test using CryptProtectData - Add shared testAESKey constant in testutil_test.go - Add stripCookieHash tests for v24+, older Chrome, empty values, short values, and host mismatch scenarios - Extend lint CI to run on ubuntu, windows, and macos Closes #524 * fix: remove DPAPI test from darwin/linux (returns nil on Linux) DecryptWithDPAPI returns nil error on Linux (silent no-op) but error on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip testing is properly covered in decrypt_windows_test.go. * fix: resolve Windows CI lint errors exposed by multi-platform lint - Add _ = before windows.CloseHandle calls to satisfy errcheck - Add build tag to params.go (only used on macOS/Linux, not Windows) * fix: add .gitattributes to force LF and refactor cookie tests - Add .gitattributes with `* text=auto eol=lf` to prevent CRLF conversion on Windows CI causing gofumpt false positives - Add .gitattributes to .gitignore whitelist - Refactor stripCookieHash tests into table-driven style * fix: address Copilot review on decrypt tests - Assert error on wrong key instead of ignoring it (AES-CBC returns padding error, not silent empty result) - Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic - Convert uint32 to int for make/copy slice bounds in Windows test * fix: assert specific error message in wrong key decrypt test
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
package chromium
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
@@ -25,11 +26,63 @@ func TestExtractCookies(t *testing.T) {
|
||||
assert.Equal(t, "token", got[0].Name)
|
||||
assert.Equal(t, "/api", got[0].Path)
|
||||
assert.True(t, got[0].IsSecure)
|
||||
assert.False(t, got[0].IsHTTPOnly) // httpOnly=0
|
||||
assert.False(t, got[0].IsHTTPOnly)
|
||||
assert.False(t, got[0].CreatedAt.IsZero())
|
||||
assert.False(t, got[0].ExpireAt.IsZero())
|
||||
assert.True(t, got[0].ExpireAt.After(got[0].CreatedAt))
|
||||
|
||||
// Verify second cookie flags
|
||||
assert.True(t, got[1].IsHTTPOnly) // httpOnly=1
|
||||
assert.True(t, got[1].IsHTTPOnly)
|
||||
}
|
||||
|
||||
func TestStripCookieHash(t *testing.T) {
|
||||
googleHash := sha256.Sum256([]byte(".google.com"))
|
||||
shopifyHash := sha256.Sum256([]byte(".shopify.com"))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
value []byte
|
||||
hostKey string
|
||||
want string
|
||||
}{
|
||||
{
|
||||
name: "Chrome 130+ strips SHA256 prefix",
|
||||
value: append(googleHash[:], []byte("GA1.3.240937927.1770097858")...),
|
||||
hostKey: ".google.com",
|
||||
want: "GA1.3.240937927.1770097858",
|
||||
},
|
||||
{
|
||||
name: "Chrome 130+ empty original value",
|
||||
value: shopifyHash[:],
|
||||
hostKey: ".shopify.com",
|
||||
want: "",
|
||||
},
|
||||
{
|
||||
name: "older Chrome no prefix",
|
||||
value: []byte("plain_cookie_value"),
|
||||
hostKey: ".example.com",
|
||||
want: "plain_cookie_value",
|
||||
},
|
||||
{
|
||||
name: "short value unchanged",
|
||||
value: []byte("short"),
|
||||
hostKey: ".example.com",
|
||||
want: "short",
|
||||
},
|
||||
{
|
||||
name: "host mismatch not stripped",
|
||||
value: append(googleHash[:], []byte("value")...),
|
||||
hostKey: ".other.com",
|
||||
want: string(append(googleHash[:], []byte("value")...)),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := stripCookieHash(tt.value, tt.hostKey)
|
||||
assert.Equal(t, tt.want, string(got))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestStripCookieHash_NilValue(t *testing.T) {
|
||||
got := stripCookieHash(nil, ".example.com")
|
||||
assert.Nil(t, got)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user