* feat: add Firefox extract methods and complete data model fields
Firefox extract methods:
- extractPasswords: JSON + ASN1PBE decryption via decryptPBE helper
- extractCookies: SQLite, plaintext (no encryption), journalOff
- extractHistories: SQLite, visit count ASC sort (matches old behavior)
- extractDownloads: SQLite, moz_annos JOIN with JSON content parsing
- extractBookmarks: SQLite, moz_bookmarks JOIN moz_places
- extractExtensions: JSON, filter by location=app-profile
- extractLocalStorage: SQLite webappsstore2, reversed originKey parsing
Complete data model fields (union of Chromium and Firefox):
- CookieEntry: add HasExpire, IsPersistent
- DownloadEntry: add MimeType
- CreditCardEntry: add NickName, Address
- ExtensionEntry: add HomepageURL, Enabled
Update Chromium extractors to populate new fields:
- extract_cookie.go: fill HasExpire, IsPersistent
- extract_download.go: SELECT and fill mime_type
- extract_creditcard.go: SELECT nickname, billing_address_id
- extract_extension.go: fill HomepageURL, Enabled (state==1)
Tests:
- Full test coverage for all 7 Firefox extract functions
- Password test uses known ASN1PBE test vectors from crypto package
- Table-driven tests for parseOriginKey
- Updated Chromium tests for new fields
* fix: add COALESCE for nullable bookmark title in Firefox query
Firefox moz_bookmarks.title can be NULL (PR #500 fixed this in old code).
Add COALESCE to handle NULL gracefully in SQL instead of relying on
driver-specific NULL→string conversion behavior.
* fix: enable journalOff for all Firefox SQLite extractors and populate cookie flags
- Set journalOff=true for extract_history, extract_download, extract_bookmark
(Firefox databases require PRAGMA journal_mode=off to avoid lock errors)
- Populate HasExpire and IsPersistent for Firefox cookies (derived from expiry>0)
- Add test assertions for HasExpire/IsPersistent in both Chromium and Firefox
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values
Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.
Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add decrypt_test.go with v10 round-trip encryption/decryption test
- Add stripCookieHash test cases for v24+, older Chrome, empty values,
short values, and host mismatch scenarios
Closes#524
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values
Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.
Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add table-driven decrypt tests for v10/v20/DPAPI per platform
- Add Windows-specific DPAPI round-trip test using CryptProtectData
- Add shared testAESKey constant in testutil_test.go
- Add stripCookieHash tests for v24+, older Chrome, empty values,
short values, and host mismatch scenarios
- Extend lint CI to run on ubuntu, windows, and macos
Closes#524
* fix: remove DPAPI test from darwin/linux (returns nil on Linux)
DecryptWithDPAPI returns nil error on Linux (silent no-op) but error
on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip
testing is properly covered in decrypt_windows_test.go.
* fix: resolve Windows CI lint errors exposed by multi-platform lint
- Add _ = before windows.CloseHandle calls to satisfy errcheck
- Add build tag to params.go (only used on macOS/Linux, not Windows)
* fix: add .gitattributes to force LF and refactor cookie tests
- Add .gitattributes with `* text=auto eol=lf` to prevent CRLF
conversion on Windows CI causing gofumpt false positives
- Add .gitattributes to .gitignore whitelist
- Refactor stripCookieHash tests into table-driven style
* fix: address Copilot review on decrypt tests
- Assert error on wrong key instead of ignoring it (AES-CBC returns
padding error, not silent empty result)
- Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic
- Convert uint32 to int for make/copy slice bounds in Windows test
* fix: assert specific error message in wrong key decrypt test
* feat: add Chromium extract methods, source mapping, and tests
Implement per-category data extraction for Chromium browsers as typed
standalone functions, preparing for Phase 8 wiring into the new
Chromium struct.
New files:
- source.go: dataSource struct, chromiumSources/yandexSources maps,
yandexQueryOverrides for Yandex action_url variant
- decrypt.go: decryptValue() wrapping platform-specific decryption
- extract_password.go: SQLite + decrypt → []LoginEntry
- extract_cookie.go: SQLite + decrypt → []CookieEntry
- extract_creditcard.go: SQLite + decrypt → []CreditCardEntry
- extract_history.go: SQLite → []HistoryEntry
- extract_download.go: SQLite → []DownloadEntry
- extract_bookmark.go: JSON recursive → []BookmarkEntry
- extract_extension.go: JSON → []ExtensionEntry
- extract_storage.go: LevelDB → []StorageEntry (local + session)
- firefox/source.go: firefoxSources map
Tests use real Chrome table schemas for SQLite fixtures, with INSERT
helpers to keep test data readable and self-documenting.
Ref #520
* fix: remove LevelDB invalid path test (Windows compatibility)
leveldb.OpenFile creates the directory on Windows instead of returning
an error, causing TestExtractLocalStorage_InvalidPath to fail in CI.
This test was verifying LevelDB behavior, not our extraction logic.
* refactor: remove unused query parameter from extract functions
Only extractPasswords needs the query override (Yandex action_url).
The other 7 SQLite extract functions always use their default query,
so remove the unnecessary query parameter from their signatures.
* refactor: use DetectVersion in decryptValue instead of blind fallback
Replace try-then-fallback pattern with explicit version detection using
crypto.DetectVersion. Routes v10 to DecryptWithChromium, DPAPI to
DecryptWithDPAPI, and adds a TODO placeholder for v20 App-Bound
Encryption.
* chore: relax gocognit and gocritic linters for test files
* revert: restore strict gocognit and gocritic linters for test files
* fix: address review feedback on extract methods
- Store DetectVersion result in local variable to avoid duplicate call
- Scan credit card expiration_month/year as int then convert to string
(matches INTEGER column type in real Chrome schema)
- Add os.Stat check before leveldb.OpenFile to prevent creating empty
directories for non-existent paths
- Rename TestExtractExtensions_InvalidJSON to
TestExtractExtensions_MissingSettingsPath (JSON is valid, path is missing)
* fix: revert creditcard scan to string type for NULL safety
modernc.org/sqlite handles INTEGER→string conversion automatically.
Scanning into string is safer for nullable columns — NULL becomes ""
instead of "0" which would be an invalid month/year.
* feat: Decrypt the browser master key on macOS via CVE-2025-24204
* fix: resolve lint warnings and stabilize tests
* feat: default to gcoredump key extraction on macOS
* chore: downgrade golang version to 1.20, support windows 7
* chore: Update dependencies for Go project.
- Update dependencies in go.sum
- Improvements and optimizations in various files
- Bug fixes and error handling enhancements
* chore: Update modernc.org/sqlite library versions in go.mod and go.sum files
- Update version of `modernc.org/sqlite` to `v1.31.1` in `go.mod` and `go.sum` files
- Update module hash in `go.sum` file for `modernc.org/sqlite`
- Ensure consistency between `go.mod` and `go.sum` files in relation to `modernc.org/sqlite` version
* chore: replace log/slog with standard logger (#436)
* chore: replace log/slog with standard logger
* chore: Update Go dependencies and versions
- Update Go version from `1.22.5` to `1.20` and other dependencies
- Update critical dependencies to latest versions
- Ensure compatibility with new versions of dependencies
* chore: Optimize dependency management in workflows
- Update build and lint workflows to use `go mod tidy` for getting dependencies
- Change modules download mode to `'mod'` in linters configuration
- Add step to get dependencies in lint workflow
* refactor: Update dependencies and refactor Chromium key deletion logic
- Update `modernc.org/sqlite` to `v1.31.1` in `go.mod` and `go.sum`
- Increase version number to `0.5.0` in `cmd/hack-browser-data/main.go`
- Refactor and update logic for filtering and copying items in `browser/chromium/chromium.go`
* Improve logging functionality and data type conversion
- Add `String()` method to `DataType` enum in types.go
- Update log level to Debug in logger_test.go
- Set log level to Debug in `TestLoggerDebug` and `TestLoggerDebugf` functions
- Implement error handling for path permission errors in `chromiumWalkFunc`
- Refactor `firefoxWalkFunc` to handle permission errors and log warnings
- Add import statement for `log/slog` in `firefox/firefox.go`
- Refactored variable names for clarity and consistency in multiple files
- Updated logic to filter sensitive items based on a flag
- Implemented a function to skip processing specific paths to improve performance
* refactor: Refactor package names and imports for better code organization.
* refactor: Package imports and variable types for consistency
* chore: Disable unused-parameter rule in revive.
* refactor: Refactor and organize data extraction and browserdata parse.
* fix: rename wrong error message info
* feat: Refactor crypto decryption functions for consistency and error handling
- Close#301
- Refactored and renamed decryption functions across multiple files for consistency
- Updated cookie sorting method to sort in descending order
- Added new encryption functions for AES in CBC and GCM modes and DES in CBC mode
- Added error handling to decryption functions and created new error variables for invalid ciphertext length and decode failures
- Test cases added for encryption and decryption functions
- Removed unused code and imports.
* chore: Add new words to .typos.toml dictionary
- Add new terms to `.typos.toml` dictionary
- Improve code formatting and readability
- Refactor functions for better performance
- Update comments and documentation
- Resolve minor bugs and errors
* refactor: Refactor crypto package for better structure and readability
- Refactored and cleaned up crypto package code for better readability
- Renamed `ToByteArray` method to `bytes` for consistency
- Modified `DecryptWithDPAPI` method to use `outBlob.bytes()` for efficiency
- Added comments and removed unused methods in `loginPBE`
- Refactored `nssPBE` and `metaPBE` Decrypt methods to use `deriveKeyAndIV` helper method
- Improved overall maintainability and organization of codebase
* refactor: Refactor firefox password encryption and decryption.
- Implement ASN1PBE interface with various PBE struct types and encryption/decryption methods
- Fix naming and remove unused variables in browsingdata and crypto files
- Add tests for ASN1PBE implementation using external assertion package
- Refactor and improve error handling in firefox file functions related to master key retrieval
- Add input validation and AES-GCM encryption function to crypto file
* refactor: Simplify Firefox master key retrieval and decryption functions.
- Simplify variable names and functions in browsingdata/password/password.go
- Modify Decrypt function for each PBE type to have only one parameter named globalSalt in crypto/crypto.go
- Implement functions to retrieve master key from Firefox's key4.db file and query metadata and private NSS data in browser/firefox/firefox.go
* chore: Add dependencies and tests to Firefox package.
- Add go-sqlmock and github.com/kisielk/sqlstruct dependencies
- Add tests for Firefox package metadata and nssPrivate query
- Add test for Firefox's processMasterKey function (currently commented out)
* refactor: Refactor Firefox test functions, remove unused code
- Remove unused test function in firefox_test.go file
- Clean up code by removing unnecessary changes
- Simplify file structure for easier maintenance and readability
* refactor: Refactor logging to use structured slog package.
- Remove `gookit` dependencies from `go.sum`
- Improve error logging in multiple packages by replacing `log` with `log/slog`
- Update dependencies in `go.mod`
- Add new `logger` package with test cases
- Refactor logging statements in multiple packages to use `slog` instead of `log`
- Change logging format and level in multiple packages for better structured logging
* refactor: Refactor logger package and add handler interface
- Refactor logger package
- Rename `defaultHandler` to `DefaultLogger`
- Move `ReplaceAttr` function to `Logger` struct
- Implement `LogHandler` struct with `slog.Handler` interface
- Add new `Logger` methods for configuration
- Add `SetMaxLevel`, `SetJSONHandler`, `SetTextHandler`, `SetOutput`, `SetVerbose`, `SetReplaceAttrFunc`
- Add verbose flag to `cmd/hack-browser-data/main.go` to increase logging
* refactor: Refactor logger package to use simplified handler initialization.
- Refactor logger package to use Default instead of DefaultLogger
- Update `NewHandler` method to correctly reference `Default` logger and simplify handler initialization
- Update tests for logger to reflect changes in Default usage
- Rename `DefaultLogger` to `Default` and update comments to better reflect its purpose
- Update function calls in hack-browser-data main.go to reflect logger package updates
* refactor: Refactor logging in Chromium implementation
Refactor logging and simplify decryption in chromium files
- Replace logger package import with shared slog package
- Change logging messages to use slog instead of logger
- Simplify decryption process by removing first 5 characters of encrypted key
- Refactor error logging in linux file to use shared slog package
- Replace string concatenation with formatted string in linux error message
* refactor: Refactor file paths and use map to store item names
- Refactored file paths for various browsing data types to use a consistent method of generating temporary file names
- Modified parsing functions in many browsing data types to use the new temporary file naming scheme
- Renamed `FileName` to `Filename` for consistency in the `item` package
- Removed unnecessary code and comments throughout various files
- Made minor improvements to some Item methods such as `TempFilename` and `FileName`
* ci: Optimize GitHub actions and update Go versions. (#274)
* ci: Optimize GitHub actions and update Go versions.
- Add GitHub actions for unit testing, linting, building, and releasing
- Use a matrix strategy to test on different versions and platforms
- Update setup-go and go-version options for compatibility
- Format code and build zip files for different operating systems
- Upload releases to GitHub with specific asset names and types
* fix: Refactor item file naming convention
- Update `filename()` function to return `UnsupportedItem` in specific cases
- Replace `UnknownItem` with `UnsupportedItem` in `Filename` method of `Item` struct
- Refactor code for clarity and consistency
* ci: Update GitHub workflow with latest setup-go version
- Update setup-go action to v3 in lint.yml GitHub workflow
- Omits some big changes in file diff summary
- Improve overall workflow reliability and efficiency
* ci: Improve GitHub actions across platforms
- Improve Windows compatibility in build workflow
- Optimize unit testing for pull requests
- Upgrade Coveralls GitHub action to v2 for improved coverage tracking
* build: Optimize build process for consistency and efficiency
- Ensure consistency of line endings by disabling Git's automatic conversion
- Add format check for Windows systems
- Update Go version in strategy matrix to `1.21.x`
- Remove unused dependencies from build process
- Include all packages in repository in build command
* ci: Refactor GitHub workflow configuration
- Remove unnecessary checks for `windows-latest` in github workflow
- Change `gofmt` check to `diff` for formatting
- Remove unneeded Git configuration for encoding of line endings
- Close#273
* ci: Update default branch references in GitHub Actions workflows (#277)
- Update Github Actions workflows to use `main` branch instead of `master`.
- Rename `master` branch to `main` in `lint.yml` and `build.yml` files.
- Change default branch to `main` in `contributors.yml` workflow file.
- Improve error handling in browsingdata.go Recovery function
- Add logging for file copy errors in chromium.go
- Modify copyItemToLocal function to continue copying files on error
* feat: improve extension parsing
* refactor: Refactor extension parsing and update file names.
- Refactor extension parsing function for clarity and DRYness
- Update name of a file to "Secure Preferences"
- Add TODO comment for future work on extension files and folders
- Remove unnecessary file write operation and import statement
---------
Co-authored-by: moonD4rk <moond4rk13@gmail.com>
* fix: nil browsing data in case error
Signed-off-by: Andrii Ursulenko <a.ursulenko@gmail.com>
* fix: ignore walk error, use walkdir instead of walk
---------
Signed-off-by: Andrii Ursulenko <a.ursulenko@gmail.com>
Co-authored-by: Andrii Ursulenko <a.ursulenko@gmail.com>
Roger