* feat: add CountEntries to skip decryption for list --detail (#549)
* test: add CountEntries and countCategory tests at browser level
* fix: address review feedback on CountRows and countLocalStorage
* test: add CountRows unit tests
* fix: implement proper Chromium localStorage LevelDB parsing
* feat: add IsMeta field to StorageEntry and keep META entries
* fix: add error logging for decryption and missing data fields
* fix: address PR review for localStorage parsing
* fix: use naïve instead of café in Latin-1 test to avoid typos false positive
* fix: extension enabled detection and sessionStorage decoding
* fix: session storage origin resolution and extension enabled detection
* fix: address PR review comments for storage parsing
Share a single KeyRetriever instance across all profiles of the same
browser, and add sync.Once caching to GcoredumpRetriever and
SecurityCmdRetriever. This avoids repeated keychain password prompts
(or securityd memory dumps) when extracting multiple profiles.
Closes#544
* feat: add Chromium Browser implementation with new architecture
* refactor: replace Walk with ReadDir+Stat for profile discovery
* refactor: remove queries override, use extractors for Yandex passwords
* refactor: remove dataSource wrapper, use []sourcePath directly
* fix: address Copilot review feedback on chromium_new.go
* fix: always call key retriever regardless of Local State existence
* feat: add Firefox extract methods and complete data model fields
Firefox extract methods:
- extractPasswords: JSON + ASN1PBE decryption via decryptPBE helper
- extractCookies: SQLite, plaintext (no encryption), journalOff
- extractHistories: SQLite, visit count ASC sort (matches old behavior)
- extractDownloads: SQLite, moz_annos JOIN with JSON content parsing
- extractBookmarks: SQLite, moz_bookmarks JOIN moz_places
- extractExtensions: JSON, filter by location=app-profile
- extractLocalStorage: SQLite webappsstore2, reversed originKey parsing
Complete data model fields (union of Chromium and Firefox):
- CookieEntry: add HasExpire, IsPersistent
- DownloadEntry: add MimeType
- CreditCardEntry: add NickName, Address
- ExtensionEntry: add HomepageURL, Enabled
Update Chromium extractors to populate new fields:
- extract_cookie.go: fill HasExpire, IsPersistent
- extract_download.go: SELECT and fill mime_type
- extract_creditcard.go: SELECT nickname, billing_address_id
- extract_extension.go: fill HomepageURL, Enabled (state==1)
Tests:
- Full test coverage for all 7 Firefox extract functions
- Password test uses known ASN1PBE test vectors from crypto package
- Table-driven tests for parseOriginKey
- Updated Chromium tests for new fields
* fix: add COALESCE for nullable bookmark title in Firefox query
Firefox moz_bookmarks.title can be NULL (PR #500 fixed this in old code).
Add COALESCE to handle NULL gracefully in SQL instead of relying on
driver-specific NULL→string conversion behavior.
* fix: enable journalOff for all Firefox SQLite extractors and populate cookie flags
- Set journalOff=true for extract_history, extract_download, extract_bookmark
(Firefox databases require PRAGMA journal_mode=off to avoid lock errors)
- Populate HasExpire and IsPersistent for Firefox cookies (derived from expiry>0)
- Add test assertions for HasExpire/IsPersistent in both Chromium and Firefox
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values
Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.
Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add decrypt_test.go with v10 round-trip encryption/decryption test
- Add stripCookieHash test cases for v24+, older Chrome, empty values,
short values, and host mismatch scenarios
Closes#524
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values
Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie
values before encryption to prevent cross-domain replay attacks.
After decryption, this 32-byte hash must be verified and stripped.
Changes:
- Add stripCookieHash() that verifies SHA256(host_key) and strips
the prefix only when it matches (auto-compatible with older Chrome)
- Fix edge case: cookies with empty values (exactly 32 bytes = hash only)
- Add table-driven decrypt tests for v10/v20/DPAPI per platform
- Add Windows-specific DPAPI round-trip test using CryptProtectData
- Add shared testAESKey constant in testutil_test.go
- Add stripCookieHash tests for v24+, older Chrome, empty values,
short values, and host mismatch scenarios
- Extend lint CI to run on ubuntu, windows, and macos
Closes#524
* fix: remove DPAPI test from darwin/linux (returns nil on Linux)
DecryptWithDPAPI returns nil error on Linux (silent no-op) but error
on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip
testing is properly covered in decrypt_windows_test.go.
* fix: resolve Windows CI lint errors exposed by multi-platform lint
- Add _ = before windows.CloseHandle calls to satisfy errcheck
- Add build tag to params.go (only used on macOS/Linux, not Windows)
* fix: add .gitattributes to force LF and refactor cookie tests
- Add .gitattributes with `* text=auto eol=lf` to prevent CRLF
conversion on Windows CI causing gofumpt false positives
- Add .gitattributes to .gitignore whitelist
- Refactor stripCookieHash tests into table-driven style
* fix: address Copilot review on decrypt tests
- Assert error on wrong key instead of ignoring it (AES-CBC returns
padding error, not silent empty result)
- Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic
- Convert uint32 to int for make/copy slice bounds in Windows test
* fix: assert specific error message in wrong key decrypt test
* feat: add Chromium extract methods, source mapping, and tests
Implement per-category data extraction for Chromium browsers as typed
standalone functions, preparing for Phase 8 wiring into the new
Chromium struct.
New files:
- source.go: dataSource struct, chromiumSources/yandexSources maps,
yandexQueryOverrides for Yandex action_url variant
- decrypt.go: decryptValue() wrapping platform-specific decryption
- extract_password.go: SQLite + decrypt → []LoginEntry
- extract_cookie.go: SQLite + decrypt → []CookieEntry
- extract_creditcard.go: SQLite + decrypt → []CreditCardEntry
- extract_history.go: SQLite → []HistoryEntry
- extract_download.go: SQLite → []DownloadEntry
- extract_bookmark.go: JSON recursive → []BookmarkEntry
- extract_extension.go: JSON → []ExtensionEntry
- extract_storage.go: LevelDB → []StorageEntry (local + session)
- firefox/source.go: firefoxSources map
Tests use real Chrome table schemas for SQLite fixtures, with INSERT
helpers to keep test data readable and self-documenting.
Ref #520
* fix: remove LevelDB invalid path test (Windows compatibility)
leveldb.OpenFile creates the directory on Windows instead of returning
an error, causing TestExtractLocalStorage_InvalidPath to fail in CI.
This test was verifying LevelDB behavior, not our extraction logic.
* refactor: remove unused query parameter from extract functions
Only extractPasswords needs the query override (Yandex action_url).
The other 7 SQLite extract functions always use their default query,
so remove the unnecessary query parameter from their signatures.
* refactor: use DetectVersion in decryptValue instead of blind fallback
Replace try-then-fallback pattern with explicit version detection using
crypto.DetectVersion. Routes v10 to DecryptWithChromium, DPAPI to
DecryptWithDPAPI, and adds a TODO placeholder for v20 App-Bound
Encryption.
* chore: relax gocognit and gocritic linters for test files
* revert: restore strict gocognit and gocritic linters for test files
* fix: address review feedback on extract methods
- Store DetectVersion result in local variable to avoid duplicate call
- Scan credit card expiration_month/year as int then convert to string
(matches INTEGER column type in real Chrome schema)
- Add os.Stat check before leveldb.OpenFile to prevent creating empty
directories for non-existent paths
- Rename TestExtractExtensions_InvalidJSON to
TestExtractExtensions_MissingSettingsPath (JSON is valid, path is missing)
* fix: revert creditcard scan to string type for NULL safety
modernc.org/sqlite handles INTEGER→string conversion automatically.
Scanning into string is safer for nullable columns — NULL becomes ""
instead of "0" which would be an invalid month/year.
* feat: Decrypt the browser master key on macOS via CVE-2025-24204
* fix: resolve lint warnings and stabilize tests
* feat: default to gcoredump key extraction on macOS
* chore: downgrade golang version to 1.20, support windows 7
* chore: Update dependencies for Go project.
- Update dependencies in go.sum
- Improvements and optimizations in various files
- Bug fixes and error handling enhancements
* chore: Update modernc.org/sqlite library versions in go.mod and go.sum files
- Update version of `modernc.org/sqlite` to `v1.31.1` in `go.mod` and `go.sum` files
- Update module hash in `go.sum` file for `modernc.org/sqlite`
- Ensure consistency between `go.mod` and `go.sum` files in relation to `modernc.org/sqlite` version
* chore: replace log/slog with standard logger (#436)
* chore: replace log/slog with standard logger
* chore: Update Go dependencies and versions
- Update Go version from `1.22.5` to `1.20` and other dependencies
- Update critical dependencies to latest versions
- Ensure compatibility with new versions of dependencies
* chore: Optimize dependency management in workflows
- Update build and lint workflows to use `go mod tidy` for getting dependencies
- Change modules download mode to `'mod'` in linters configuration
- Add step to get dependencies in lint workflow
* refactor: Update dependencies and refactor Chromium key deletion logic
- Update `modernc.org/sqlite` to `v1.31.1` in `go.mod` and `go.sum`
- Increase version number to `0.5.0` in `cmd/hack-browser-data/main.go`
- Refactor and update logic for filtering and copying items in `browser/chromium/chromium.go`
* Improve logging functionality and data type conversion
- Add `String()` method to `DataType` enum in types.go
- Update log level to Debug in logger_test.go
- Set log level to Debug in `TestLoggerDebug` and `TestLoggerDebugf` functions
- Implement error handling for path permission errors in `chromiumWalkFunc`
- Refactor `firefoxWalkFunc` to handle permission errors and log warnings
- Add import statement for `log/slog` in `firefox/firefox.go`
- Refactored variable names for clarity and consistency in multiple files
- Updated logic to filter sensitive items based on a flag
- Implemented a function to skip processing specific paths to improve performance
* refactor: Refactor package names and imports for better code organization.
* refactor: Package imports and variable types for consistency
* chore: Disable unused-parameter rule in revive.
* refactor: Refactor and organize data extraction and browserdata parse.
* fix: rename wrong error message info
* feat: Refactor crypto decryption functions for consistency and error handling
- Close#301
- Refactored and renamed decryption functions across multiple files for consistency
- Updated cookie sorting method to sort in descending order
- Added new encryption functions for AES in CBC and GCM modes and DES in CBC mode
- Added error handling to decryption functions and created new error variables for invalid ciphertext length and decode failures
- Test cases added for encryption and decryption functions
- Removed unused code and imports.
* chore: Add new words to .typos.toml dictionary
- Add new terms to `.typos.toml` dictionary
- Improve code formatting and readability
- Refactor functions for better performance
- Update comments and documentation
- Resolve minor bugs and errors
* refactor: Refactor crypto package for better structure and readability
- Refactored and cleaned up crypto package code for better readability
- Renamed `ToByteArray` method to `bytes` for consistency
- Modified `DecryptWithDPAPI` method to use `outBlob.bytes()` for efficiency
- Added comments and removed unused methods in `loginPBE`
- Refactored `nssPBE` and `metaPBE` Decrypt methods to use `deriveKeyAndIV` helper method
- Improved overall maintainability and organization of codebase
* refactor: Refactor firefox password encryption and decryption.
- Implement ASN1PBE interface with various PBE struct types and encryption/decryption methods
- Fix naming and remove unused variables in browsingdata and crypto files
- Add tests for ASN1PBE implementation using external assertion package
- Refactor and improve error handling in firefox file functions related to master key retrieval
- Add input validation and AES-GCM encryption function to crypto file
* refactor: Simplify Firefox master key retrieval and decryption functions.
- Simplify variable names and functions in browsingdata/password/password.go
- Modify Decrypt function for each PBE type to have only one parameter named globalSalt in crypto/crypto.go
- Implement functions to retrieve master key from Firefox's key4.db file and query metadata and private NSS data in browser/firefox/firefox.go
* chore: Add dependencies and tests to Firefox package.
- Add go-sqlmock and github.com/kisielk/sqlstruct dependencies
- Add tests for Firefox package metadata and nssPrivate query
- Add test for Firefox's processMasterKey function (currently commented out)
* refactor: Refactor Firefox test functions, remove unused code
- Remove unused test function in firefox_test.go file
- Clean up code by removing unnecessary changes
- Simplify file structure for easier maintenance and readability
* refactor: Refactor logging to use structured slog package.
- Remove `gookit` dependencies from `go.sum`
- Improve error logging in multiple packages by replacing `log` with `log/slog`
- Update dependencies in `go.mod`
- Add new `logger` package with test cases
- Refactor logging statements in multiple packages to use `slog` instead of `log`
- Change logging format and level in multiple packages for better structured logging
* refactor: Refactor logger package and add handler interface
- Refactor logger package
- Rename `defaultHandler` to `DefaultLogger`
- Move `ReplaceAttr` function to `Logger` struct
- Implement `LogHandler` struct with `slog.Handler` interface
- Add new `Logger` methods for configuration
- Add `SetMaxLevel`, `SetJSONHandler`, `SetTextHandler`, `SetOutput`, `SetVerbose`, `SetReplaceAttrFunc`
- Add verbose flag to `cmd/hack-browser-data/main.go` to increase logging
* refactor: Refactor logger package to use simplified handler initialization.
- Refactor logger package to use Default instead of DefaultLogger
- Update `NewHandler` method to correctly reference `Default` logger and simplify handler initialization
- Update tests for logger to reflect changes in Default usage
- Rename `DefaultLogger` to `Default` and update comments to better reflect its purpose
- Update function calls in hack-browser-data main.go to reflect logger package updates
* refactor: Refactor logging in Chromium implementation
Refactor logging and simplify decryption in chromium files
- Replace logger package import with shared slog package
- Change logging messages to use slog instead of logger
- Simplify decryption process by removing first 5 characters of encrypted key
- Refactor error logging in linux file to use shared slog package
- Replace string concatenation with formatted string in linux error message
* refactor: Refactor file paths and use map to store item names
- Refactored file paths for various browsing data types to use a consistent method of generating temporary file names
- Modified parsing functions in many browsing data types to use the new temporary file naming scheme
- Renamed `FileName` to `Filename` for consistency in the `item` package
- Removed unnecessary code and comments throughout various files
- Made minor improvements to some Item methods such as `TempFilename` and `FileName`
* ci: Optimize GitHub actions and update Go versions. (#274)
* ci: Optimize GitHub actions and update Go versions.
- Add GitHub actions for unit testing, linting, building, and releasing
- Use a matrix strategy to test on different versions and platforms
- Update setup-go and go-version options for compatibility
- Format code and build zip files for different operating systems
- Upload releases to GitHub with specific asset names and types
* fix: Refactor item file naming convention
- Update `filename()` function to return `UnsupportedItem` in specific cases
- Replace `UnknownItem` with `UnsupportedItem` in `Filename` method of `Item` struct
- Refactor code for clarity and consistency
* ci: Update GitHub workflow with latest setup-go version
- Update setup-go action to v3 in lint.yml GitHub workflow
- Omits some big changes in file diff summary
- Improve overall workflow reliability and efficiency
* ci: Improve GitHub actions across platforms
- Improve Windows compatibility in build workflow
- Optimize unit testing for pull requests
- Upgrade Coveralls GitHub action to v2 for improved coverage tracking
* build: Optimize build process for consistency and efficiency
- Ensure consistency of line endings by disabling Git's automatic conversion
- Add format check for Windows systems
- Update Go version in strategy matrix to `1.21.x`
- Remove unused dependencies from build process
- Include all packages in repository in build command
* ci: Refactor GitHub workflow configuration
- Remove unnecessary checks for `windows-latest` in github workflow
- Change `gofmt` check to `diff` for formatting
- Remove unneeded Git configuration for encoding of line endings
- Close#273
* ci: Update default branch references in GitHub Actions workflows (#277)
- Update Github Actions workflows to use `main` branch instead of `master`.
- Rename `master` branch to `main` in `lint.yml` and `build.yml` files.
- Change default branch to `main` in `contributors.yml` workflow file.
- Improve error handling in browsingdata.go Recovery function
- Add logging for file copy errors in chromium.go
- Modify copyItemToLocal function to continue copying files on error
* feat: improve extension parsing
* refactor: Refactor extension parsing and update file names.
- Refactor extension parsing function for clarity and DRYness
- Update name of a file to "Secure Preferences"
- Add TODO comment for future work on extension files and folders
- Remove unnecessary file write operation and import statement
---------
Co-authored-by: moonD4rk <moond4rk13@gmail.com>
* fix: nil browsing data in case error
Signed-off-by: Andrii Ursulenko <a.ursulenko@gmail.com>
* fix: ignore walk error, use walkdir instead of walk
---------
Signed-off-by: Andrii Ursulenko <a.ursulenko@gmail.com>
Co-authored-by: Andrii Ursulenko <a.ursulenko@gmail.com>
Roger