mirror of
https://github.com/moonD4rk/HackBrowserData.git
synced 2026-05-19 18:58:03 +02:00
Roger
2c4e871e59
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add decrypt_test.go with v10 round-trip encryption/decryption test - Add stripCookieHash test cases for v24+, older Chrome, empty values, short values, and host mismatch scenarios Closes #524 * fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add table-driven decrypt tests for v10/v20/DPAPI per platform - Add Windows-specific DPAPI round-trip test using CryptProtectData - Add shared testAESKey constant in testutil_test.go - Add stripCookieHash tests for v24+, older Chrome, empty values, short values, and host mismatch scenarios - Extend lint CI to run on ubuntu, windows, and macos Closes #524 * fix: remove DPAPI test from darwin/linux (returns nil on Linux) DecryptWithDPAPI returns nil error on Linux (silent no-op) but error on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip testing is properly covered in decrypt_windows_test.go. * fix: resolve Windows CI lint errors exposed by multi-platform lint - Add _ = before windows.CloseHandle calls to satisfy errcheck - Add build tag to params.go (only used on macOS/Linux, not Windows) * fix: add .gitattributes to force LF and refactor cookie tests - Add .gitattributes with `* text=auto eol=lf` to prevent CRLF conversion on Windows CI causing gofumpt false positives - Add .gitattributes to .gitignore whitelist - Refactor stripCookieHash tests into table-driven style * fix: address Copilot review on decrypt tests - Assert error on wrong key instead of ignoring it (AES-CBC returns padding error, not silent empty result) - Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic - Convert uint32 to int for make/copy slice bounds in Windows test * fix: assert specific error message in wrong key decrypt test
48 lines
780 B
Plaintext
48 lines
780 B
Plaintext
# Ignore everything by default (whitelist approach).
|
|
# This is critical for a security research tool — prevents
|
|
# accidental commit of browser data files (Cookies, Login Data, etc.)
|
|
*
|
|
|
|
# Allow git to traverse directories
|
|
!*/
|
|
|
|
# === Source code ===
|
|
!*.go
|
|
!go.mod
|
|
!go.sum
|
|
|
|
# === Project root config ===
|
|
!.gitattributes
|
|
!.gitignore
|
|
!.golangci.yml
|
|
!.goreleaser.yml
|
|
!.typos.toml
|
|
!CLAUDE.md
|
|
!LICENSE
|
|
|
|
# === Documentation ===
|
|
!README.md
|
|
!CONTRIBUTING.md
|
|
!CODE_OF_CONDUCT.md
|
|
!LOGO.png
|
|
!CONTRIBUTORS.svg
|
|
|
|
# === GitHub ===
|
|
!.github/workflows/*.yml
|
|
!.github/ISSUE_TEMPLATE/*.md
|
|
!.github/PULL_REQUEST_TEMPLATE.md
|
|
!.github/dependabot.yml
|
|
!.github/release-drafter.yml
|
|
|
|
# === RFCs ===
|
|
!rfcs/*.md
|
|
|
|
# === Always ignore (override !*/) ===
|
|
.git/
|
|
.idea/
|
|
.vscode/
|
|
vendor/
|
|
result/
|
|
results/
|
|
.DS_Store
|