mirror of
https://github.com/moonD4rk/HackBrowserData.git
synced 2026-05-19 18:58:03 +02:00
Roger
2c4e871e59
* fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add decrypt_test.go with v10 round-trip encryption/decryption test - Add stripCookieHash test cases for v24+, older Chrome, empty values, short values, and host mismatch scenarios Closes #524 * fix: strip SHA256(host_key) prefix from Chrome 130+ cookie values Chrome 130 (Cookie DB schema v24) prepends SHA256(domain) to cookie values before encryption to prevent cross-domain replay attacks. After decryption, this 32-byte hash must be verified and stripped. Changes: - Add stripCookieHash() that verifies SHA256(host_key) and strips the prefix only when it matches (auto-compatible with older Chrome) - Fix edge case: cookies with empty values (exactly 32 bytes = hash only) - Add table-driven decrypt tests for v10/v20/DPAPI per platform - Add Windows-specific DPAPI round-trip test using CryptProtectData - Add shared testAESKey constant in testutil_test.go - Add stripCookieHash tests for v24+, older Chrome, empty values, short values, and host mismatch scenarios - Extend lint CI to run on ubuntu, windows, and macos Closes #524 * fix: remove DPAPI test from darwin/linux (returns nil on Linux) DecryptWithDPAPI returns nil error on Linux (silent no-op) but error on macOS, causing the test to fail on Ubuntu CI. DPAPI round-trip testing is properly covered in decrypt_windows_test.go. * fix: resolve Windows CI lint errors exposed by multi-platform lint - Add _ = before windows.CloseHandle calls to satisfy errcheck - Add build tag to params.go (only used on macOS/Linux, not Windows) * fix: add .gitattributes to force LF and refactor cookie tests - Add .gitattributes with `* text=auto eol=lf` to prevent CRLF conversion on Windows CI causing gofumpt false positives - Add .gitattributes to .gitignore whitelist - Refactor stripCookieHash tests into table-driven style * fix: address Copilot review on decrypt tests - Assert error on wrong key instead of ignoring it (AES-CBC returns padding error, not silent empty result) - Guard empty plaintext in encryptWithDPAPI to prevent nil pointer panic - Convert uint32 to int for make/copy slice bounds in Windows test * fix: assert specific error message in wrong key decrypt test
89 lines
2.2 KiB
Go
89 lines
2.2 KiB
Go
package chromium
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestExtractCookies(t *testing.T) {
|
|
path := createTestDB(t, "Cookies", cookiesSchema,
|
|
insertCookie("session", ".old.com", "/", "", 13340000000000000, 13350000000000000, 1, 1),
|
|
insertCookie("token", ".new.com", "/api", "", 13360000000000000, 13370000000000000, 1, 0),
|
|
)
|
|
|
|
got, err := extractCookies(nil, path)
|
|
require.NoError(t, err)
|
|
require.Len(t, got, 2)
|
|
|
|
// Verify sort order: creation time descending (newest first)
|
|
assert.Equal(t, ".new.com", got[0].Host)
|
|
assert.Equal(t, ".old.com", got[1].Host)
|
|
|
|
// Verify field mapping
|
|
assert.Equal(t, "token", got[0].Name)
|
|
assert.Equal(t, "/api", got[0].Path)
|
|
assert.True(t, got[0].IsSecure)
|
|
assert.False(t, got[0].IsHTTPOnly)
|
|
assert.False(t, got[0].CreatedAt.IsZero())
|
|
assert.True(t, got[0].ExpireAt.After(got[0].CreatedAt))
|
|
assert.True(t, got[1].IsHTTPOnly)
|
|
}
|
|
|
|
func TestStripCookieHash(t *testing.T) {
|
|
googleHash := sha256.Sum256([]byte(".google.com"))
|
|
shopifyHash := sha256.Sum256([]byte(".shopify.com"))
|
|
|
|
tests := []struct {
|
|
name string
|
|
value []byte
|
|
hostKey string
|
|
want string
|
|
}{
|
|
{
|
|
name: "Chrome 130+ strips SHA256 prefix",
|
|
value: append(googleHash[:], []byte("GA1.3.240937927.1770097858")...),
|
|
hostKey: ".google.com",
|
|
want: "GA1.3.240937927.1770097858",
|
|
},
|
|
{
|
|
name: "Chrome 130+ empty original value",
|
|
value: shopifyHash[:],
|
|
hostKey: ".shopify.com",
|
|
want: "",
|
|
},
|
|
{
|
|
name: "older Chrome no prefix",
|
|
value: []byte("plain_cookie_value"),
|
|
hostKey: ".example.com",
|
|
want: "plain_cookie_value",
|
|
},
|
|
{
|
|
name: "short value unchanged",
|
|
value: []byte("short"),
|
|
hostKey: ".example.com",
|
|
want: "short",
|
|
},
|
|
{
|
|
name: "host mismatch not stripped",
|
|
value: append(googleHash[:], []byte("value")...),
|
|
hostKey: ".other.com",
|
|
want: string(append(googleHash[:], []byte("value")...)),
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := stripCookieHash(tt.value, tt.hostKey)
|
|
assert.Equal(t, tt.want, string(got))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestStripCookieHash_NilValue(t *testing.T) {
|
|
got := stripCookieHash(nil, ".example.com")
|
|
assert.Nil(t, got)
|
|
}
|