From 621331b03e16a65a4e9c470fa3d1a93136e45b99 Mon Sep 17 00:00:00 2001 From: C85297 <95289555+C85297@users.noreply.github.com> Date: Wed, 28 Jan 2026 16:10:51 +0000 Subject: [PATCH 01/19] Update CHANGELOG for v10.20.0 --- CHANGELOG.md | 165 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 164 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3a8feb70..535a11a35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,75 @@ All major and minor version changes will be documented in this file. Details of ## Details +### [10.20.0] - 2026-01-28 +- Fixed Optical Character Recognition and added tests [@n1474335] | [ab37c1e] +- Fixed JA4 version fallback value [@n1474335] | [7a5225c] +- Updated chromedriver [@n1474335] | [0e82e4b] +- Fixed RSA Sign and Verify character encodings [@n1474335] | [895a929] +- Updated chromedriver [@n1474335] | [d3adfc7] +- Added message format arg to RSA Verify operation [@n1474335] | [47c85a1] +- Add operation for parsing X.509 CRLs [@robinsandhu] | [#1887] +- Fix typo in description of JWT Sign recipe [@GuilhermoReadonly] | [#1961] +- Corrected path to generateNodeIndex.mjs [@simonarnell] | [#1959] +- Add 'header' ingredient to JWT Sign operation [@RandomByte] | [#1957] +- Add Parse TLS record operation [@c65722] | [#1936] +- Automatically detect chrome driver version [@gchq] | [#1972] +- Add Strip UDP header operation [@c65722] | [#1900] +- Add Strip TCP header operation [@c65722] | [#1898] +- Webpack compress with gzip and brotli [@max0x53] | [#1955] +- add offset field to 'Add Line Numbers' operation [@Adamkadaban] | [#1866] +- Disable flakey URL test [@a3957273] | [#1973] +- Add Strip IPv4 header operation [@c65722] | [#1899] +- IPv6 Transition Operation [@jb30795] | [#1780] +- fix: Blowfish - ignore IV length in ECB mode [@FranciscoPombal] | [#1902] +- Add 'Drop nth bytes' operation [@Oshawk] | [#1914] +- Add 'Take nth bytes' operation [@Oshawk] | [#1915] +- Add Leet Speak [@bartblaze] | [#1971] +- Fix Generate TOTP & HOPT [@exactlyaron] | [#1966] +- Updated luhn checksum operation to work with different bases [@k3ach] | [#1933] +- automatically theme mode based on user preference [@vs4vijay] | [#1921] +- fix: DES/Triple DES - misleading error messages [@FranciscoPombal] | [#1904] +- fix: ROT13 - shifting numbers by negative amounts [@FranciscoPombal] | [#1903] +- Introduce Yubico's Modhex for Conversion [@linuxgemini] | [#1105] +- Feature: MIME RFC2047 Decoding [@MShwed] | [#630] +- CC-1889 add _ option [@depperm] | [#1977] +- chore(root): add cspell [@evenstensberg] | [#1976] +- Preserve uppercase for Leet Speak [@bartblaze] | [#1981] +- Load the user's preferred color scheme if the URL contains an invalid theme [@0xh3xa] | [#2007] +- Add SM2 Encrypt and Decrypt Operations [@flakjacket95] | [#1909] +- Support jq as an operation. [@zhzy0077] | [#1604] +- Add fingerprints to the 'Parse X.509 certificate' operation [@JSCU-CNI] | [#1863] +- Added a JSON to YAML and a YAML to JSON operation [@ccarpo] | [#1286] +- Add CRC Operation [@r4mos] | [#1993] +- Bug Fix: selected theme not loading when refreshing [@0xh3xa] | [#2006] +- Fix(RecipeWaiter): sanitize user input in addOperation to prevent XSS [@0xh3xa] | [#2014] +- Docker multiplatform build support [@PathToLife] | [#1974] +- Add Base32 Hex Extended Alphabet and Base32 Tests. [@peterc-s] | [#1991] +- Add ECB/NoPadding and CBC/NoPadding support to AES encryption [@plvie] | [#2013] +- Add new operation: PHP Serialize [@brun0ne] | [#1548] +- Push input through postmessage [@kenduguay1] | [#1992] +- Add jsonata query operation [@jonking-ajar] | [#1587] +- Re-enable Npm Release in github workflows [@PathToLife] | [#2031] +- Add to ECDSA Verify the message format [@r4mos] | [#2027] +- Added alternating caps functionality [@sw5678] | [#1897] +- XOR Checksum operation added [@jg42526] | [#2035] +- Add GenerateAllChecksums operation * Remove checksums from GenerateAllHashes operation [@es45411] | [66d445c] +- Update GenerateAllChecksums infoURL [@es45411] | [#2037] +- Add toggle "+" character to URLDecode operation [@es45411] | [#2040] +- Workaround for Safari load bug [@GCHQDeveloper94872] | [#2038] +- Updated Dockerfile to correctly build on ARM64 platforms [@Sma-Das] | [#2042] +- Addresses bug report #2008 Added explicit support for octal IP addresses. Changed approach to IPv4 regex to be string manipulation generated. Added some unit tests for IP address parsing - probably not full coverage. Added lookahead and lookbehind tricks to resolve warned issue that 1.2.3.256 would still be extracted as 1.2.3.25. Now only accepts valid IP addresses. Warning replaced with clause about infinite length dotted decimal forms. [@gchqdev364] | [#2041] +- Remove trim from rail fence [@Odyhibit] | [#1986] +- Fix email regex [@ericli-splunk] | [#2025] +- Add Blake3 hashing [@xumptex] | [#2023] +- Use defaultIndex instead of 0 in transformArgs [@bartvanandel] | [#2015] +- Add "Generate UUID" and "Analyse UUID" operations [@bartvanandel] | [#2011] +- Add new operation: Template [@kendallgoto] | [#2021] +- Add more clear build instructions [@remingtr] | [#1873] +- Show On Map updated to use leaflet over WikiMedia [@0xff1ce] | [#1884] +- Fixed ToDecimal signed logic [@starplanet] | [#1545] +- Use BigInt for encoding/decoding VarInt [@mikecat] | [#1978] + ### [10.19.0] - 2024-06-21 - Add support for ECDSA and DSA in 'Parse CSR' [@robinsandhu] | [#1828] - Fix typos in SIGABA.mjs [@eltociear] | [#1834] @@ -440,6 +509,7 @@ All major and minor version changes will be documented in this file. Details of ## [4.0.0] - 2016-11-28 - Initial open source commit [@n1474335] | [b1d73a72](https://github.com/gchq/CyberChef/commit/b1d73a725dc7ab9fb7eb789296efd2b7e4b08306) +[10.20.0]: https://github.com/gchq/CyberChef/releases/tag/v10.20.0 [10.19.0]: https://github.com/gchq/CyberChef/releases/tag/v10.19.0 [10.18.0]: https://github.com/gchq/CyberChef/releases/tag/v10.18.0 [10.17.0]: https://github.com/gchq/CyberChef/releases/tag/v10.17.0 @@ -630,6 +700,60 @@ All major and minor version changes will be documented in this file. Details of [@cplussharp]: https://github.com/cplussharp [@robinsandhu]: https://github.com/robinsandhu [@eltociear]: https://github.com/eltociear +[@GuilhermoReadonly]: https://github.com/GuilhermoReadonly +[@simonarnell]: https://github.com/simonarnell +[@RandomByte]: https://github.com/RandomByte +[@c65722]: https://github.com/c65722 +[@c65722]: https://github.com/c65722 +[@c65722]: https://github.com/c65722 +[@max0x53]: https://github.com/max0x53 +[@Adamkadaban]: https://github.com/Adamkadaban +[@c65722]: https://github.com/c65722 +[@jb30795]: https://github.com/jb30795 +[@FranciscoPombal]: https://github.com/FranciscoPombal +[@Oshawk]: https://github.com/Oshawk +[@Oshawk]: https://github.com/Oshawk +[@bartblaze]: https://github.com/bartblaze +[@exactlyaron]: https://github.com/exactlyaron +[@k3ach]: https://github.com/k3ach +[@vs4vijay]: https://github.com/vs4vijay +[@FranciscoPombal]: https://github.com/FranciscoPombal +[@FranciscoPombal]: https://github.com/FranciscoPombal +[@linuxgemini]: https://github.com/linuxgemini +[@depperm]: https://github.com/depperm +[@evenstensberg]: https://github.com/evenstensberg +[@bartblaze]: https://github.com/bartblaze +[@0xh3xa]: https://github.com/0xh3xa +[@flakjacket95]: https://github.com/flakjacket95 +[@zhzy0077]: https://github.com/zhzy0077 +[@JSCU-CNI]: https://github.com/JSCU-CNI +[@ccarpo]: https://github.com/ccarpo +[@r4mos]: https://github.com/r4mos +[@0xh3xa]: https://github.com/0xh3xa +[@0xh3xa]: https://github.com/0xh3xa +[@PathToLife]: https://github.com/PathToLife +[@peterc-s]: https://github.com/peterc-s +[@plvie]: https://github.com/plvie +[@kenduguay1]: https://github.com/kenduguay1 +[@jonking-ajar]: https://github.com/jonking-ajar +[@PathToLife]: https://github.com/PathToLife +[@r4mos]: https://github.com/r4mos +[@jg42526]: https://github.com/jg42526 +[@es45411]: https://github.com/es45411 +[@gchq]: https://github.com/gchq +[@gchqdev364]: https://github.com/gchqdev364 +[@GCHQDeveloper94872]: https://github.com/GCHQDeveloper94872 +[@Sma-Das]: https://github.com/Sma-Das +[@gchq]: https://github.com/gchq +[@Odyhibit]: https://github.com/Odyhibit +[@ericli-splunk]: https://github.com/ericli-splunk +[@xumptex]: https://github.com/xumptex +[@bartvanandel]: https://github.com/bartvanandel +[@bartvanandel]: https://github.com/bartvanandel +[@kendallgoto]: https://github.com/kendallgoto +[@remingtr]: https://github.com/remingtr +[@0xff1ce]: https://github.com/0xff1ce +[@starplanet]: https://github.com/starplanet [8ad18b]: https://github.com/gchq/CyberChef/commit/8ad18bc7db6d9ff184ba3518686293a7685bf7b7 @@ -642,6 +766,46 @@ All major and minor version changes will be documented in this file. Details of [760eff4]: https://github.com/gchq/CyberChef/commit/760eff49b5307aaa3104c5e5b437ffe62299acd1 [65ffd8d]: https://github.com/gchq/CyberChef/commit/65ffd8d65d88eb369f6f61a5d1d0f807179bffb7 [0a353ee]: https://github.com/gchq/CyberChef/commit/0a353eeb378b9ca5d49e23c7dfc175ae07107b08 +[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1 +[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25 +[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332 +[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac +[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6 +[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914 +[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88 +[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155 +[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548 +[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5 +[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8 +[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33 +[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6 +[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1 +[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25 +[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332 +[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac +[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6 +[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914 +[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88 +[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155 +[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548 +[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5 +[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8 +[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33 +[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6 +[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1 +[ab37c1e]: https://github.com/gchq/CyberChef/commit/ab37c1e562dbee0495ed32876ecbb8225282af25 +[965570d]: https://github.com/gchq/CyberChef/commit/965570d2504c17ee1f96211a1dc10ed40cd2b332 +[a477f47]: https://github.com/gchq/CyberChef/commit/a477f47aecd01d78b11fe186ed4b20d9c487cfac +[7a5225c]: https://github.com/gchq/CyberChef/commit/7a5225c961a5e0d192b03152117cd10a761f73d6 +[5f88ae4]: https://github.com/gchq/CyberChef/commit/5f88ae44ec77228d9bed8f11e8cc8e7dcfb36914 +[0e82e4b]: https://github.com/gchq/CyberChef/commit/0e82e4b7c6c77cadb8be61cb145e081d6ecfdc88 +[d635cca]: https://github.com/gchq/CyberChef/commit/d635cca2106aae2a59caf0e5d7e3633ee1ea3155 +[895a929]: https://github.com/gchq/CyberChef/commit/895a9299255525cb57886deb9d9fd4ba17ae9548 +[270a333]: https://github.com/gchq/CyberChef/commit/270a33317944612d27ea1cc15275ad6b0ed097e5 +[d3adfc7]: https://github.com/gchq/CyberChef/commit/d3adfc7c3e5719279524356bce5261bd8350c0f8 +[47c85a1]: https://github.com/gchq/CyberChef/commit/47c85a105ddbdd4cabfa44ddddbc56e3907a8c33 +[3822c6c]: https://github.com/gchq/CyberChef/commit/3822c6c520a0b4200abc675c33f46082f5b9efc6 +[66d445c]: https://github.com/gchq/CyberChef/commit/66d445c5ef4e8bd896fd15396e3ce2d660d8ace1 [#95]: https://github.com/gchq/CyberChef/pull/299 [#173]: https://github.com/gchq/CyberChef/pull/173 @@ -778,4 +942,3 @@ All major and minor version changes will be documented in this file. Details of [#512]: https://github.com/gchq/CyberChef/issues/512 [#1732]: https://github.com/gchq/CyberChef/issues/1732 [#1789]: https://github.com/gchq/CyberChef/issues/1789 - From 2092e5b20cad5f794152562c845cca445e985373 Mon Sep 17 00:00:00 2001 From: C85297 <95289555+C85297@users.noreply.github.com> Date: Wed, 28 Jan 2026 16:11:57 +0000 Subject: [PATCH 02/19] 10.20.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index b374df4bc..fbd86bbbf 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "cyberchef", - "version": "10.19.4", + "version": "10.20.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "cyberchef", - "version": "10.19.4", + "version": "10.20.0", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { diff --git a/package.json b/package.json index 9191ab6f0..1c2ef3ae1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "cyberchef", - "version": "10.19.4", + "version": "10.20.0", "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.", "author": "n1474335 ", "homepage": "https://gchq.github.io/CyberChef", From b885e8423d75e566d279d171228f7bb5b3e3a479 Mon Sep 17 00:00:00 2001 From: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com> Date: Thu, 29 Jan 2026 13:40:34 +0000 Subject: [PATCH 03/19] Bump jsonpath-plus (#2166) Closes #1928 #1926 --- package-lock.json | 16 ++++++++-------- package.json | 2 +- tests/operations/tests/Code.mjs | 15 ++++++++++++++- 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index fbd86bbbf..af76ee067 100644 --- a/package-lock.json +++ b/package-lock.json @@ -57,7 +57,7 @@ "jsesc": "^3.0.2", "json5": "^2.2.3", "jsonata": "^2.0.3", - "jsonpath-plus": "^9.0.0", + "jsonpath-plus": "^10.3.0", "jsonwebtoken": "8.5.1", "jsqr": "^1.4.0", "jsrsasign": "^11.1.0", @@ -12503,21 +12503,21 @@ } }, "node_modules/jsonpath-plus": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz", - "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==", + "version": "10.3.0", + "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.3.0.tgz", + "integrity": "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA==", "license": "MIT", "dependencies": { - "@jsep-plugin/assignment": "^1.2.1", - "@jsep-plugin/regex": "^1.0.3", - "jsep": "^1.3.8" + "@jsep-plugin/assignment": "^1.3.0", + "@jsep-plugin/regex": "^1.0.4", + "jsep": "^1.4.0" }, "bin": { "jsonpath": "bin/jsonpath-cli.js", "jsonpath-plus": "bin/jsonpath-cli.js" }, "engines": { - "node": ">=14.0.0" + "node": ">=18.0.0" } }, "node_modules/jsonwebtoken": { diff --git a/package.json b/package.json index 1c2ef3ae1..ec3f0520e 100644 --- a/package.json +++ b/package.json @@ -143,7 +143,7 @@ "jsesc": "^3.0.2", "json5": "^2.2.3", "jsonata": "^2.0.3", - "jsonpath-plus": "^9.0.0", + "jsonpath-plus": "^10.3.0", "jsonwebtoken": "8.5.1", "jsqr": "^1.4.0", "jsrsasign": "^11.1.0", diff --git a/tests/operations/tests/Code.mjs b/tests/operations/tests/Code.mjs index c62c76302..0a25c0e81 100644 --- a/tests/operations/tests/Code.mjs +++ b/tests/operations/tests/Code.mjs @@ -322,8 +322,21 @@ TestRegister.addTests([ ] } ], - expectedMatch: /^Invalid JPath expression: jsonPath: self is not defined:/ + expectedMatch: /^Invalid JPath expression: Unexpected "{" at character 1/ }, + { + name: "JPath Expression: Script-based RCE", + input: "[{}]", + recipeConfig: [ + { + "op": "JPath expression", + "args": [ + "$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('id').toString())\";a=''[['constructor']][['constructor']](p);a())]", + "\n" + ] + } + ], + expectedMatch: /^Invalid JPath expression: jsonPath: Cannot read properties of {2}\(reading 'constructor'\): / }, { name: "CSS selector", input: '
\n

hello

\n

world

\n

again

\n
', From a30f5f1b503af6c7d301f8bc013e5cdaf23a5020 Mon Sep 17 00:00:00 2001 From: Paul Hudson Date: Thu, 29 Jan 2026 14:32:38 +0000 Subject: [PATCH 04/19] Tiny typo fix in "To Base85" operation (#2118) This adjusts spelling in the "To Base85" operation from "delimeter" to "delimiter". Co-authored-by: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com> --- src/core/operations/ToBase85.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/operations/ToBase85.mjs b/src/core/operations/ToBase85.mjs index 839ef1e45..e9b0a4852 100644 --- a/src/core/operations/ToBase85.mjs +++ b/src/core/operations/ToBase85.mjs @@ -33,7 +33,7 @@ class ToBase85 extends Operation { value: ALPHABET_OPTIONS }, { - name: "Include delimeter", + name: "Include delimiter", type: "boolean", value: false } From dd26c09003f3b5132c76082f2df4bb6bb236314b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E3=81=BF=E3=81=91CAT?= Date: Fri, 30 Jan 2026 00:00:17 +0900 Subject: [PATCH 05/19] Exclude Delete character from hex dump output (#2086) Co-authored-by: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com> --- src/core/Utils.mjs | 2 +- tests/node/tests/Utils.mjs | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/core/Utils.mjs b/src/core/Utils.mjs index a9c381d76..eae86374b 100755 --- a/src/core/Utils.mjs +++ b/src/core/Utils.mjs @@ -177,7 +177,7 @@ class Utils { */ static printable(str, preserveWs=false, onlyAscii=false) { if (onlyAscii) { - return str.replace(/[^\x20-\x7f]/g, "."); + return str.replace(/[^\x20-\x7e]/g, "."); } // eslint-disable-next-line no-misleading-character-class diff --git a/tests/node/tests/Utils.mjs b/tests/node/tests/Utils.mjs index 8dbf37ae7..5ee7c9362 100644 --- a/tests/node/tests/Utils.mjs +++ b/tests/node/tests/Utils.mjs @@ -20,4 +20,10 @@ TestRegister.addApiTests([ assert.equal(Utils.parseEscapedChars("\\\\\\'"), "\\'"); }), + it("Utils: should replace delete character", () => { + assert.equal( + Utils.printable("\x7e\x7f\x80\xa7", false, true), + "\x7e...", + ); + }), ]); From 9512444eeee0fc1b737e08d250999eb9840e7a30 Mon Sep 17 00:00:00 2001 From: Thomas M <44269971+thomasxm@users.noreply.github.com> Date: Fri, 30 Jan 2026 19:02:23 +0000 Subject: [PATCH 06/19] Add Bech32 and Bech32m encoding/decoding operations (#2159) --- src/core/config/Categories.json | 2 + src/core/lib/Bech32.mjs | 371 +++++++++++++++ src/core/operations/FromBech32.mjs | 149 ++++++ src/core/operations/ToBech32.mjs | 92 ++++ tests/operations/index.mjs | 1 + tests/operations/tests/Bech32.mjs | 702 +++++++++++++++++++++++++++++ 6 files changed, 1317 insertions(+) create mode 100644 src/core/lib/Bech32.mjs create mode 100644 src/core/operations/FromBech32.mjs create mode 100644 src/core/operations/ToBech32.mjs create mode 100644 tests/operations/tests/Bech32.mjs diff --git a/src/core/config/Categories.json b/src/core/config/Categories.json index 434c8bb61..aac00ca1c 100644 --- a/src/core/config/Categories.json +++ b/src/core/config/Categories.json @@ -26,6 +26,8 @@ "From Base45", "To Base58", "From Base58", + "To Bech32", + "From Bech32", "To Base62", "From Base62", "To Base64", diff --git a/src/core/lib/Bech32.mjs b/src/core/lib/Bech32.mjs new file mode 100644 index 000000000..6b87a1427 --- /dev/null +++ b/src/core/lib/Bech32.mjs @@ -0,0 +1,371 @@ +/** + * Pure JavaScript implementation of Bech32 and Bech32m encoding. + * + * Bech32 is defined in BIP-0173: https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki + * Bech32m is defined in BIP-0350: https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki + * + * @author Medjedtxm + * @copyright Crown Copyright 2025 + * @license Apache-2.0 + */ + +import OperationError from "../errors/OperationError.mjs"; + +/** Bech32 character set (32 characters, excludes 1, b, i, o) */ +const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"; + +/** Reverse lookup table for decoding */ +const CHARSET_REV = {}; +for (let i = 0; i < CHARSET.length; i++) { + CHARSET_REV[CHARSET[i]] = i; +} + +/** Checksum constant for Bech32 (BIP-0173) */ +const BECH32_CONST = 1; + +/** Checksum constant for Bech32m (BIP-0350) */ +const BECH32M_CONST = 0x2bc830a3; + +/** Generator polynomial coefficients for checksum */ +const GENERATOR = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]; + +/** + * Compute the polymod checksum + * @param {number[]} values - Array of 5-bit values + * @returns {number} - Checksum value + */ +function polymod(values) { + let chk = 1; + for (const v of values) { + const top = chk >> 25; + chk = ((chk & 0x1ffffff) << 5) ^ v; + for (let i = 0; i < 5; i++) { + if ((top >> i) & 1) { + chk ^= GENERATOR[i]; + } + } + } + return chk; +} + +/** + * Expand HRP for checksum computation + * @param {string} hrp - Human-readable part (lowercase) + * @returns {number[]} - Expanded values + */ +function hrpExpand(hrp) { + const result = []; + for (let i = 0; i < hrp.length; i++) { + result.push(hrp.charCodeAt(i) >> 5); + } + result.push(0); + for (let i = 0; i < hrp.length; i++) { + result.push(hrp.charCodeAt(i) & 31); + } + return result; +} + +/** + * Verify checksum of a Bech32/Bech32m string + * @param {string} hrp - Human-readable part (lowercase) + * @param {number[]} data - Data including checksum (5-bit values) + * @param {string} encoding - "Bech32" or "Bech32m" + * @returns {boolean} - True if checksum is valid + */ +function verifyChecksum(hrp, data, encoding) { + const constant = encoding === "Bech32m" ? BECH32M_CONST : BECH32_CONST; + return polymod(hrpExpand(hrp).concat(data)) === constant; +} + +/** + * Create checksum for Bech32/Bech32m encoding + * @param {string} hrp - Human-readable part (lowercase) + * @param {number[]} data - Data values (5-bit) + * @param {string} encoding - "Bech32" or "Bech32m" + * @returns {number[]} - 6 checksum values + */ +function createChecksum(hrp, data, encoding) { + const constant = encoding === "Bech32m" ? BECH32M_CONST : BECH32_CONST; + const values = hrpExpand(hrp).concat(data).concat([0, 0, 0, 0, 0, 0]); + const mod = polymod(values) ^ constant; + const result = []; + for (let i = 0; i < 6; i++) { + result.push((mod >> (5 * (5 - i))) & 31); + } + return result; +} + +/** + * Convert 8-bit bytes to 5-bit words + * @param {number[]|Uint8Array} data - Input bytes + * @returns {number[]} - 5-bit words + */ +export function toWords(data) { + let value = 0; + let bits = 0; + const result = []; + + for (let i = 0; i < data.length; i++) { + value = (value << 8) | data[i]; + bits += 8; + + while (bits >= 5) { + bits -= 5; + result.push((value >> bits) & 31); + } + } + + // Pad remaining bits + if (bits > 0) { + result.push((value << (5 - bits)) & 31); + } + + return result; +} + +/** + * Convert 5-bit words to 8-bit bytes + * @param {number[]} words - 5-bit words + * @returns {number[]} - Output bytes + */ +export function fromWords(words) { + let value = 0; + let bits = 0; + const result = []; + + for (let i = 0; i < words.length; i++) { + value = (value << 5) | words[i]; + bits += 5; + + while (bits >= 8) { + bits -= 8; + result.push((value >> bits) & 255); + } + } + + // Check for invalid padding per BIP-0173 + // Condition 1: Cannot have 5+ bits remaining (would indicate incomplete byte) + if (bits >= 5) { + throw new OperationError("Invalid padding: too many bits remaining"); + } + // Condition 2: Remaining padding bits must all be zero + if (bits > 0) { + const paddingValue = (value << (8 - bits)) & 255; + if (paddingValue !== 0) { + throw new OperationError("Invalid padding: non-zero bits in padding"); + } + } + + return result; +} + +/** + * Encode data to Bech32/Bech32m string + * + * @param {string} hrp - Human-readable part + * @param {number[]|Uint8Array} data - Data bytes to encode + * @param {string} encoding - "Bech32" or "Bech32m" + * @param {boolean} segwit - If true, treat first byte as witness version (for Bitcoin SegWit) + * @returns {string} - Encoded Bech32/Bech32m string + */ +export function encode(hrp, data, encoding = "Bech32", segwit = false) { + // Validate HRP + if (!hrp || hrp.length === 0) { + throw new OperationError("Human-Readable Part (HRP) cannot be empty."); + } + + // Check HRP characters (ASCII 33-126) + for (let i = 0; i < hrp.length; i++) { + const c = hrp.charCodeAt(i); + if (c < 33 || c > 126) { + throw new OperationError(`HRP contains invalid character at position ${i}. Only printable ASCII characters (33-126) are allowed.`); + } + } + + // Convert HRP to lowercase + const hrpLower = hrp.toLowerCase(); + + let words; + if (segwit && data.length >= 2) { + // SegWit encoding: first byte is witness version (0-16), rest is witness program + const witnessVersion = data[0]; + if (witnessVersion > 16) { + throw new OperationError(`Invalid witness version: ${witnessVersion}. Must be 0-16.`); + } + const witnessProgram = Array.prototype.slice.call(data, 1); + + // Validate witness program length per BIP-0141 + if (witnessProgram.length < 2 || witnessProgram.length > 40) { + throw new OperationError(`Invalid witness program length: ${witnessProgram.length}. Must be 2-40 bytes.`); + } + if (witnessVersion === 0 && witnessProgram.length !== 20 && witnessProgram.length !== 32) { + throw new OperationError(`Invalid witness program length for v0: ${witnessProgram.length}. Must be 20 or 32 bytes.`); + } + + // Witness version is kept as single 5-bit value, program is converted + words = [witnessVersion].concat(toWords(witnessProgram)); + } else { + // Generic encoding: convert all bytes to 5-bit words + words = toWords(data); + } + + // Create checksum + const checksum = createChecksum(hrpLower, words, encoding); + + // Build result string + let result = hrpLower + "1"; + for (const w of words.concat(checksum)) { + result += CHARSET[w]; + } + + // Check maximum length (90 characters) + if (result.length > 90) { + throw new OperationError(`Encoded string exceeds maximum length of 90 characters (got ${result.length}). Consider using smaller input data.`); + } + + return result; +} + +/** + * Decode a Bech32/Bech32m string + * + * @param {string} str - Bech32/Bech32m encoded string + * @param {string} encoding - "Bech32", "Bech32m", or "Auto-detect" + * @returns {{hrp: string, data: number[]}} - Decoded HRP and data bytes + */ +export function decode(str, encoding = "Auto-detect") { + // Check for empty input + if (!str || str.length === 0) { + throw new OperationError("Input cannot be empty."); + } + + // Check maximum length + if (str.length > 90) { + throw new OperationError(`Invalid Bech32 string: exceeds maximum length of 90 characters (got ${str.length}).`); + } + + // Check for mixed case + const hasUpper = /[A-Z]/.test(str); + const hasLower = /[a-z]/.test(str); + if (hasUpper && hasLower) { + throw new OperationError("Invalid Bech32 string: mixed case is not allowed. Use all uppercase or all lowercase."); + } + + // Convert to lowercase for processing + str = str.toLowerCase(); + + // Find separator (last occurrence of '1') + const sepIndex = str.lastIndexOf("1"); + if (sepIndex === -1) { + throw new OperationError("Invalid Bech32 string: no separator '1' found."); + } + + if (sepIndex === 0) { + throw new OperationError("Invalid Bech32 string: Human-Readable Part (HRP) cannot be empty."); + } + + if (sepIndex + 7 > str.length) { + throw new OperationError("Invalid Bech32 string: data part is too short (minimum 6 characters for checksum)."); + } + + // Extract HRP and data part + const hrp = str.substring(0, sepIndex); + const dataPart = str.substring(sepIndex + 1); + + // Validate HRP characters + for (let i = 0; i < hrp.length; i++) { + const c = hrp.charCodeAt(i); + if (c < 33 || c > 126) { + throw new OperationError(`HRP contains invalid character at position ${i}.`); + } + } + + // Decode data characters to 5-bit values + const data = []; + for (let i = 0; i < dataPart.length; i++) { + const c = dataPart[i]; + if (CHARSET_REV[c] === undefined) { + throw new OperationError(`Invalid character '${c}' at position ${sepIndex + 1 + i}.`); + } + data.push(CHARSET_REV[c]); + } + + // Verify checksum + let usedEncoding; + if (encoding === "Bech32") { + if (!verifyChecksum(hrp, data, "Bech32")) { + throw new OperationError("Invalid Bech32 checksum."); + } + usedEncoding = "Bech32"; + } else if (encoding === "Bech32m") { + if (!verifyChecksum(hrp, data, "Bech32m")) { + throw new OperationError("Invalid Bech32m checksum."); + } + usedEncoding = "Bech32m"; + } else { + // Auto-detect: try Bech32 first, then Bech32m + if (verifyChecksum(hrp, data, "Bech32")) { + usedEncoding = "Bech32"; + } else if (verifyChecksum(hrp, data, "Bech32m")) { + usedEncoding = "Bech32m"; + } else { + throw new OperationError("Invalid Bech32/Bech32m string: checksum verification failed."); + } + } + + // Remove checksum (last 6 values) + const words = data.slice(0, data.length - 6); + + // Check if this is likely a SegWit address (Bitcoin, Litecoin, etc.) + // For SegWit, the first 5-bit word is the witness version (0-16) + // and should be extracted separately, not bit-converted with the rest + const segwitHrps = ["bc", "tb", "ltc", "tltc", "bcrt"]; + const couldBeSegWit = segwitHrps.includes(hrp) && words.length > 0 && words[0] <= 16; + + let bytes; + let witnessVersion = null; + + if (couldBeSegWit) { + // Try SegWit decode first + try { + witnessVersion = words[0]; + const programWords = words.slice(1); + const programBytes = fromWords(programWords); + + // Validate SegWit witness program length (20 or 32 bytes for v0, 2-40 for others) + const validV0 = witnessVersion === 0 && (programBytes.length === 20 || programBytes.length === 32); + const validOther = witnessVersion !== 0 && programBytes.length >= 2 && programBytes.length <= 40; + + if (validV0 || validOther) { + // Valid SegWit address + bytes = [witnessVersion, ...programBytes]; + } else { + // Not valid SegWit, fall back to generic decode + witnessVersion = null; + bytes = fromWords(words); + } + } catch (e) { + // SegWit decode failed, try generic decode + witnessVersion = null; + try { + bytes = fromWords(words); + } catch (e2) { + throw new OperationError(`Failed to decode data: ${e2.message}`); + } + } + } else { + // Generic Bech32: convert all words + try { + bytes = fromWords(words); + } catch (e) { + throw new OperationError(`Failed to decode data: ${e.message}`); + } + } + + return { + hrp: hrp, + data: bytes, + encoding: usedEncoding, + witnessVersion: witnessVersion + }; +} diff --git a/src/core/operations/FromBech32.mjs b/src/core/operations/FromBech32.mjs new file mode 100644 index 000000000..8a01d4db5 --- /dev/null +++ b/src/core/operations/FromBech32.mjs @@ -0,0 +1,149 @@ +/** + * @author Medjedtxm + * @copyright Crown Copyright 2025 + * @license Apache-2.0 + */ + +import Operation from "../Operation.mjs"; +import { decode } from "../lib/Bech32.mjs"; +import { toHex } from "../lib/Hex.mjs"; + +/** + * From Bech32 operation + */ +class FromBech32 extends Operation { + + /** + * FromBech32 constructor + */ + constructor() { + super(); + + this.name = "From Bech32"; + this.module = "Default"; + this.description = "Bech32 is an encoding scheme primarily used for Bitcoin SegWit addresses (BIP-0173). It uses a 32-character alphabet that excludes easily confused characters (1, b, i, o) and includes a checksum for error detection.

Bech32m (BIP-0350) is an updated version used for Bitcoin Taproot addresses.

Auto-detect will attempt Bech32 first, then Bech32m if the checksum fails.

Output format options allow you to see the Human-Readable Part (HRP) along with the decoded data."; + this.infoURL = "https://wikipedia.org/wiki/Bech32"; + this.inputType = "string"; + this.outputType = "string"; + this.args = [ + { + "name": "Encoding", + "type": "option", + "value": ["Auto-detect", "Bech32", "Bech32m"] + }, + { + "name": "Output Format", + "type": "option", + "value": ["Raw", "Hex", "Bitcoin scriptPubKey", "HRP: Hex", "JSON"] + } + ]; + this.checks = [ + { + // Bitcoin mainnet SegWit/Taproot addresses + pattern: "^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$", + flags: "i", + args: ["Auto-detect", "Hex"] + }, + { + // Bitcoin testnet addresses + pattern: "^tb1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$", + flags: "i", + args: ["Auto-detect", "Hex"] + }, + { + // AGE public keys + pattern: "^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$", + flags: "i", + args: ["Auto-detect", "HRP: Hex"] + }, + { + // AGE secret keys + pattern: "^AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{6,87}$", + flags: "", + args: ["Auto-detect", "HRP: Hex"] + }, + { + // Litecoin mainnet addresses + pattern: "^ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$", + flags: "i", + args: ["Auto-detect", "Hex"] + }, + { + // Generic bech32 pattern + pattern: "^[a-z]{1,83}1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,}$", + flags: "i", + args: ["Auto-detect", "Hex"] + } + ]; + } + + /** + * @param {string} input + * @param {Object[]} args + * @returns {string} + */ + run(input, args) { + const encoding = args[0]; + const outputFormat = args[1]; + + input = input.trim(); + + if (input.length === 0) { + return ""; + } + + const decoded = decode(input, encoding); + + // Format output based on selected option + switch (outputFormat) { + case "Raw": + return decoded.data.map(b => String.fromCharCode(b)).join(""); + + case "Hex": + return toHex(decoded.data, ""); + + case "Bitcoin scriptPubKey": { + // Convert to Bitcoin scriptPubKey format as shown in BIP-0173/BIP-0350 + // Format: [OP_version][length][witness_program] + // OP_0 = 0x00, OP_1-OP_16 = 0x51-0x60 + if (decoded.witnessVersion === null || decoded.data.length < 2) { + // Not a SegWit address, fall back to hex + return toHex(decoded.data, ""); + } + const witnessVersion = decoded.data[0]; + const witnessProgram = decoded.data.slice(1); + + // Convert witness version to OP code + let opCode; + if (witnessVersion === 0) { + opCode = 0x00; // OP_0 + } else if (witnessVersion >= 1 && witnessVersion <= 16) { + opCode = 0x50 + witnessVersion; // OP_1 = 0x51, ..., OP_16 = 0x60 + } else { + // Invalid witness version, fall back to hex + return toHex(decoded.data, ""); + } + + // Build scriptPubKey: [OP_version][length][program] + const scriptPubKey = [opCode, witnessProgram.length, ...witnessProgram]; + return toHex(scriptPubKey, ""); + } + + case "HRP: Hex": + return `${decoded.hrp}: ${toHex(decoded.data, "")}`; + + case "JSON": + return JSON.stringify({ + hrp: decoded.hrp, + encoding: decoded.encoding, + data: toHex(decoded.data, "") + }, null, 2); + + default: + return toHex(decoded.data, ""); + } + } + +} + +export default FromBech32; diff --git a/src/core/operations/ToBech32.mjs b/src/core/operations/ToBech32.mjs new file mode 100644 index 000000000..a7c97355b --- /dev/null +++ b/src/core/operations/ToBech32.mjs @@ -0,0 +1,92 @@ +/** + * @author Medjedtxm + * @copyright Crown Copyright 2025 + * @license Apache-2.0 + */ + +import Operation from "../Operation.mjs"; +import { encode } from "../lib/Bech32.mjs"; +import { fromHex } from "../lib/Hex.mjs"; + +/** + * To Bech32 operation + */ +class ToBech32 extends Operation { + + /** + * ToBech32 constructor + */ + constructor() { + super(); + + this.name = "To Bech32"; + this.module = "Default"; + this.description = "Bech32 is an encoding scheme primarily used for Bitcoin SegWit addresses (BIP-0173). It uses a 32-character alphabet that excludes easily confused characters (1, b, i, o) and includes a checksum for error detection.

Bech32m (BIP-0350) is an updated version that fixes a weakness in the original Bech32 checksum and is used for Bitcoin Taproot addresses.

The Human-Readable Part (HRP) identifies the network or purpose (e.g., 'bc' for Bitcoin mainnet, 'tb' for testnet, 'age' for AGE encryption keys).

Maximum output length is 90 characters as per specification."; + this.infoURL = "https://wikipedia.org/wiki/Bech32"; + this.inputType = "ArrayBuffer"; + this.outputType = "string"; + this.args = [ + { + "name": "Human-Readable Part (HRP)", + "type": "string", + "value": "bc" + }, + { + "name": "Encoding", + "type": "option", + "value": ["Bech32", "Bech32m"] + }, + { + "name": "Input Format", + "type": "option", + "value": ["Raw bytes", "Hex"] + }, + { + "name": "Mode", + "type": "option", + "value": ["Generic", "Bitcoin SegWit"] + }, + { + "name": "Witness Version", + "type": "number", + "value": 0, + "hint": "SegWit witness version (0-16). Only used in Bitcoin SegWit mode." + } + ]; + } + + /** + * @param {ArrayBuffer} input + * @param {Object[]} args + * @returns {string} + */ + run(input, args) { + const hrp = args[0]; + const encoding = args[1]; + const inputFormat = args[2]; + const mode = args[3]; + const witnessVersion = args[4]; + + let inputArray; + if (inputFormat === "Hex") { + // Convert hex string to bytes + const hexStr = new TextDecoder().decode(new Uint8Array(input)).replace(/\s/g, ""); + inputArray = fromHex(hexStr); + } else { + inputArray = new Uint8Array(input); + } + + if (mode === "Bitcoin SegWit") { + // Prepend witness version to the input data + const withVersion = new Uint8Array(inputArray.length + 1); + withVersion[0] = witnessVersion; + withVersion.set(inputArray, 1); + return encode(hrp, withVersion, encoding, true); + } + + return encode(hrp, inputArray, encoding, false); + } + +} + +export default ToBech32; diff --git a/tests/operations/index.mjs b/tests/operations/index.mjs index f147e9e7c..6d5b266f2 100644 --- a/tests/operations/index.mjs +++ b/tests/operations/index.mjs @@ -26,6 +26,7 @@ import "./tests/Base64.mjs"; import "./tests/Base85.mjs"; import "./tests/Base92.mjs"; import "./tests/BCD.mjs"; +import "./tests/Bech32.mjs"; import "./tests/BitwiseOp.mjs"; import "./tests/BLAKE2b.mjs"; import "./tests/BLAKE2s.mjs"; diff --git a/tests/operations/tests/Bech32.mjs b/tests/operations/tests/Bech32.mjs new file mode 100644 index 000000000..85325d477 --- /dev/null +++ b/tests/operations/tests/Bech32.mjs @@ -0,0 +1,702 @@ +/** + * Bech32 tests. + * + * Test vectors from official BIP specifications: + * BIP-0173: https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki + * BIP-0350: https://github.com/bitcoin/bips/blob/master/bip-0350.mediawiki + * + * AGE key test vectors from: + * https://asecuritysite.com/age/go_age5 + * + * @author Medjedtxm + * @copyright Crown Copyright 2025 + * @license Apache-2.0 + */ + +import TestRegister from "../../lib/TestRegister.mjs"; + +TestRegister.addTests([ + // ============= To Bech32 Tests ============= + { + name: "To Bech32: empty input", + input: "", + expectedOutput: "bc1gmk9yu", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32: single byte", + input: "A", + expectedOutput: "bc1gyufle22", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32: Hello", + input: "Hello", + expectedOutput: "bc1fpjkcmr0gzsgcg", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32: custom HRP", + input: "test", + expectedOutput: "custom1w3jhxaq593qur", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["custom", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32: testnet HRP", + input: "data", + expectedOutput: "tb1v3shgcg3x07jr", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["tb", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32m: empty input", + input: "", + expectedOutput: "bc1a8xfp7", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32m", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32m: single byte", + input: "A", + expectedOutput: "bc1gyf4040g", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32m", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32m: Hello", + input: "Hello", + expectedOutput: "bc1fpjkcmr0a7qya2", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32m", "Raw bytes", "Generic", 0] + } + ], + }, + { + name: "To Bech32: empty HRP error", + input: "test", + expectedOutput: "Human-Readable Part (HRP) cannot be empty.", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["", "Bech32", "Raw bytes", "Generic", 0] + } + ], + }, + + // ============= From Bech32 Tests (Raw output) ============= + { + name: "From Bech32: decode single byte (Raw)", + input: "bc1gyufle22", + expectedOutput: "A", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Raw"] + } + ], + }, + { + name: "From Bech32: decode Hello (Raw)", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "Hello", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Raw"] + } + ], + }, + { + name: "From Bech32: auto-detect Bech32 (Raw)", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "Hello", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Raw"] + } + ], + }, + { + name: "From Bech32m: decode Hello (Raw)", + input: "bc1fpjkcmr0a7qya2", + expectedOutput: "Hello", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Raw"] + } + ], + }, + { + name: "From Bech32: auto-detect Bech32m (Raw)", + input: "bc1fpjkcmr0a7qya2", + expectedOutput: "Hello", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Raw"] + } + ], + }, + { + name: "From Bech32: uppercase input (Raw)", + input: "BC1FPJKCMR0GZSGCG", + expectedOutput: "Hello", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Raw"] + } + ], + }, + { + name: "From Bech32: custom HRP (Raw)", + input: "custom1w3jhxaq593qur", + expectedOutput: "test", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Raw"] + } + ], + }, + { + name: "From Bech32: empty input", + input: "", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: empty data part (Hex)", + input: "bc1gmk9yu", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + + // ============= From Bech32 HRP Output Tests ============= + { + name: "From Bech32: HRP: Hex output format", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "bc: 48656c6c6f", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: JSON output format", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "{\n \"hrp\": \"bc\",\n \"encoding\": \"Bech32\",\n \"data\": \"48656c6c6f\"\n}", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "JSON"] + } + ], + }, + { + name: "From Bech32: Hex output format", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "48656c6c6f", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + + // ============= AGE Key Test Vectors ============= + // From: https://asecuritysite.com/age/go_age5 + { + name: "From Bech32: AGE public key 1 (HRP: Hex)", + input: "age1kk86t4lr4s9uwvnqjzp2e35rflvcpnjt33q99547ct23xzk0ssss3ma49j", + expectedOutput: "age: b58fa5d7e3ac0bc732609082acc6834fd980ce4b8c4052d2bec2d5130acf8421", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: AGE private key 1 (HRP: Hex)", + input: "AGE-SECRET-KEY-1Z5N23X54Y4E9NLMPNH6EZDQQX9V883TMKJ3ZJF5QXXMKNZ2RPFXQUQF74G", + expectedOutput: "age-secret-key-: 1526a89a95257259ff619df5913400315873c57bb4a229268031b76989430a4c", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: AGE public key 2 (HRP: Hex)", + input: "age1nwt7gkq7udvalagqn7l8a4jgju7wtenkg925pvuqvn7cfcry6u2qkae4ad", + expectedOutput: "age: 9b97e4581ee359dff5009fbe7ed648973ce5e676415540b38064fd84e064d714", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: AGE private key 2 (HRP: Hex)", + input: "AGE-SECRET-KEY-137M0YVE3CL6M8C4ET9L2KU67FPQHJZTW547QD5CK0R5A5T09ZGJSQGR9LX", + expectedOutput: "age-secret-key-: 8fb6f23331c7f5b3e2b9597eab735e484179096ea57c06d31678e9da2de51225", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: AGE public key 1 (JSON)", + input: "age1kk86t4lr4s9uwvnqjzp2e35rflvcpnjt33q99547ct23xzk0ssss3ma49j", + expectedOutput: "{\n \"hrp\": \"age\",\n \"encoding\": \"Bech32\",\n \"data\": \"b58fa5d7e3ac0bc732609082acc6834fd980ce4b8c4052d2bec2d5130acf8421\"\n}", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "JSON"] + } + ], + }, + + // ============= Error Cases ============= + { + name: "From Bech32: mixed case error", + input: "bc1FpjKcmr0gzsgcg", + expectedOutput: "Invalid Bech32 string: mixed case is not allowed. Use all uppercase or all lowercase.", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: no separator error", + input: "noseparator", + expectedOutput: "Invalid Bech32 string: no separator '1' found.", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: empty HRP error", + input: "1qqqqqqqqqqqqqqqq", + expectedOutput: "Invalid Bech32 string: Human-Readable Part (HRP) cannot be empty.", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: invalid checksum", + input: "bc1fpjkcmr0gzsgcx", + expectedOutput: "Invalid Bech32/Bech32m string: checksum verification failed.", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: data too short", + input: "bc1abc", + expectedOutput: "Invalid Bech32 string: data part is too short (minimum 6 characters for checksum).", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Hex"] + } + ], + }, + { + name: "From Bech32: wrong encoding specified", + input: "bc1fpjkcmr0gzsgcg", + expectedOutput: "Invalid Bech32m checksum.", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Hex"] + } + ], + }, + + // ============= BIP-0173 Test Vectors (Bech32) ============= + { + name: "From Bech32: BIP-0173 A12UEL5L (empty data)", + input: "A12UEL5L", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + { + name: "From Bech32: BIP-0173 a12uel5l lowercase", + input: "a12uel5l", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + { + name: "From Bech32: BIP-0173 long HRP with bio", + input: "an83characterlonghumanreadablepartthatcontainsthenumber1andtheexcludedcharactersbio1tt5tgs", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + { + name: "From Bech32: BIP-0173 abcdef with data", + input: "abcdef1qpzry9x8gf2tvdw0s3jn54khce6mua7lmqqqxw", + expectedOutput: "abcdef: 00443214c74254b635cf84653a56d7c675be77df", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: BIP-0173 split HRP", + input: "split1checkupstagehandshakeupstreamerranterredcaperred2y9e3w", + expectedOutput: "split: c5f38b70305f519bf66d85fb6cf03058f3dde463ecd7918f2dc743918f2d", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32: BIP-0173 question mark HRP", + input: "?1ezyfcl", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + + // ============= BIP-0350 Test Vectors (Bech32m) ============= + { + name: "From Bech32m: BIP-0350 A1LQFN3A (empty data)", + input: "A1LQFN3A", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Hex"] + } + ], + }, + { + name: "From Bech32m: BIP-0350 a1lqfn3a lowercase", + input: "a1lqfn3a", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Hex"] + } + ], + }, + { + name: "From Bech32m: BIP-0350 long HRP", + input: "an83characterlonghumanreadablepartthatcontainsthetheexcludedcharactersbioandnumber11sg7hg6", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Hex"] + } + ], + }, + { + name: "From Bech32m: BIP-0350 abcdef with data", + input: "abcdef1l7aum6echk45nj3s0wdvt2fg8x9yrzpqzd3ryx", + expectedOutput: "abcdef: ffbbcdeb38bdab49ca307b9ac5a928398a418820", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32m: BIP-0350 split HRP", + input: "split1checkupstagehandshakeupstreamerranterredcaperredlc445v", + expectedOutput: "split: c5f38b70305f519bf66d85fb6cf03058f3dde463ecd7918f2dc743918f2d", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "HRP: Hex"] + } + ], + }, + { + name: "From Bech32m: BIP-0350 question mark HRP", + input: "?1v759aa", + expectedOutput: "", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Bech32m", "Hex"] + } + ], + }, + + // ============= Bitcoin scriptPubKey Output Format Tests ============= + // Test vectors from BIP-0173 and BIP-0350 + { + name: "From Bech32: Bitcoin scriptPubKey v0 P2WPKH", + input: "BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4", + expectedOutput: "0014751e76e8199196d454941c45d1b3a323f1433bd6", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Bitcoin scriptPubKey"] + } + ], + }, + { + name: "From Bech32: Bitcoin scriptPubKey v0 P2WSH", + input: "tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7", + expectedOutput: "00201863143c14c5166804bd19203356da136c985678cd4d27a1b8c6329604903262", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Bitcoin scriptPubKey"] + } + ], + }, + { + name: "From Bech32: Bitcoin scriptPubKey v1 Taproot (Bech32m)", + input: "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0", + expectedOutput: "512079be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Bitcoin scriptPubKey"] + } + ], + }, + { + name: "From Bech32: Bitcoin scriptPubKey v16", + input: "BC1SW50QGDZ25J", + expectedOutput: "6002751e", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Bitcoin scriptPubKey"] + } + ], + }, + { + name: "From Bech32: Bitcoin scriptPubKey v2", + input: "bc1zw508d6qejxtdg4y5r3zarvaryvaxxpcs", + expectedOutput: "5210751e76e8199196d454941c45d1b3a323", + recipeConfig: [ + { + "op": "From Bech32", + "args": ["Auto-detect", "Bitcoin scriptPubKey"] + } + ], + }, + + // ============= Bitcoin SegWit Encoding Tests ============= + { + name: "To Bech32: Bitcoin SegWit v0 P2WPKH", + input: "751e76e8199196d454941c45d1b3a323f1433bd6", + expectedOutput: "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32", "Hex", "Bitcoin SegWit", 0] + } + ], + }, + { + name: "To Bech32: Bitcoin SegWit v0 P2WSH testnet", + input: "1863143c14c5166804bd19203356da136c985678cd4d27a1b8c6329604903262", + expectedOutput: "tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["tb", "Bech32", "Hex", "Bitcoin SegWit", 0] + } + ], + }, + { + name: "To Bech32m: Bitcoin Taproot v1", + input: "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", + expectedOutput: "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32m", "Hex", "Bitcoin SegWit", 1] + } + ], + }, + { + name: "To Bech32m: Bitcoin SegWit v16", + input: "751e", + expectedOutput: "bc1sw50qgdz25j", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["bc", "Bech32m", "Hex", "Bitcoin SegWit", 16] + } + ], + }, + + // ============= Round-trip Tests ============= + { + name: "Bech32: encode then decode round-trip", + input: "The quick brown fox jumps over the lazy dog", + expectedOutput: "The quick brown fox jumps over the lazy dog", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["test", "Bech32", "Raw bytes", "Generic", 0] + }, + { + "op": "From Bech32", + "args": ["Bech32", "Raw"] + } + ], + }, + { + name: "Bech32m: encode then decode round-trip", + input: "The quick brown fox jumps over the lazy dog", + expectedOutput: "The quick brown fox jumps over the lazy dog", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["test", "Bech32m", "Raw bytes", "Generic", 0] + }, + { + "op": "From Bech32", + "args": ["Bech32m", "Raw"] + } + ], + }, + { + name: "Bech32: binary data round-trip", + input: "0001020304050607", + expectedOutput: "0001020304050607", + recipeConfig: [ + { + "op": "From Hex", + "args": ["Auto"] + }, + { + "op": "To Bech32", + "args": ["bc", "Bech32", "Raw bytes", "Generic", 0] + }, + { + "op": "From Bech32", + "args": ["Bech32", "Hex"] + } + ], + }, + { + name: "Bech32: auto-detect round-trip", + input: "CyberChef Bech32 Test", + expectedOutput: "CyberChef Bech32 Test", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["cyberchef", "Bech32", "Raw bytes", "Generic", 0] + }, + { + "op": "From Bech32", + "args": ["Auto-detect", "Raw"] + } + ], + }, + { + name: "Bech32m: auto-detect round-trip", + input: "CyberChef Bech32m Test", + expectedOutput: "CyberChef Bech32m Test", + recipeConfig: [ + { + "op": "To Bech32", + "args": ["cyberchef", "Bech32m", "Raw bytes", "Generic", 0] + }, + { + "op": "From Bech32", + "args": ["Auto-detect", "Raw"] + } + ], + }, +]); From e0c4957da4ea7c2afce0a31962216d8994f02971 Mon Sep 17 00:00:00 2001 From: FS <181785897+tuliperis@users.noreply.github.com> Date: Sat, 31 Jan 2026 13:01:10 +0100 Subject: [PATCH 07/19] Fix the processing of ALPNs for JA4 to align with new specification update (#2165) --- src/core/lib/JA4.mjs | 38 ++++++++++++++++++++++++++++------ src/core/lib/TLS.mjs | 10 ++++----- tests/operations/tests/JA4.mjs | 22 ++++++++++++++++++++ 3 files changed, 59 insertions(+), 11 deletions(-) diff --git a/src/core/lib/JA4.mjs b/src/core/lib/JA4.mjs index f600f4d89..58422bcad 100644 --- a/src/core/lib/JA4.mjs +++ b/src/core/lib/JA4.mjs @@ -91,9 +91,7 @@ export function toJA4(bytes) { let alpn = "00"; for (const ext of tlsr.handshake.value.extensions.value) { if (ext.type.value === "application_layer_protocol_negotiation") { - alpn = parseFirstALPNValue(ext.value.data); - alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1); - if (alpn.charCodeAt(0) > 127) alpn = "99"; + alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data)); break; } } @@ -212,9 +210,7 @@ export function toJA4S(bytes) { let alpn = "00"; for (const ext of tlsr.handshake.value.extensions.value) { if (ext.type.value === "application_layer_protocol_negotiation") { - alpn = parseFirstALPNValue(ext.value.data); - alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1); - if (alpn.charCodeAt(0) > 127) alpn = "99"; + alpn = alpnFingerprint(parseFirstALPNValue(ext.value.data)); break; } } @@ -262,3 +258,33 @@ function tlsVersionMapper(version) { default: return "00"; // Unknown } } + +/** + * Checks if a byte is ASCII alphanumeric (0-9, A-Z, a-z). + * @param {number} byte + * @returns {boolean} + */ +function isAlphanumeric(byte) { + return (byte >= 0x30 && byte <= 0x39) || + (byte >= 0x41 && byte <= 0x5A) || + (byte >= 0x61 && byte <= 0x7A); +} + +/** + * Computes the 2-character ALPN fingerprint from raw ALPN bytes. + * If both first and last bytes are ASCII alphanumeric, returns their characters. + * Otherwise, returns first hex digit of first byte + last hex digit of last byte. + * @param {Uint8Array|null} rawBytes + * @returns {string} + */ +function alpnFingerprint(rawBytes) { + if (!rawBytes || rawBytes.length === 0) return "00"; + const firstByte = rawBytes[0]; + const lastByte = rawBytes[rawBytes.length - 1]; + if (isAlphanumeric(firstByte) && isAlphanumeric(lastByte)) { + return String.fromCharCode(firstByte) + String.fromCharCode(lastByte); + } + const firstHex = firstByte.toString(16).padStart(2, "0"); + const lastHex = lastByte.toString(16).padStart(2, "0"); + return firstHex[0] + lastHex[1]; +} diff --git a/src/core/lib/TLS.mjs b/src/core/lib/TLS.mjs index 6373bfa25..eaf661a89 100644 --- a/src/core/lib/TLS.mjs +++ b/src/core/lib/TLS.mjs @@ -863,15 +863,15 @@ export function parseHighestSupportedVersion(bytes) { } /** - * Parses the application_layer_protocol_negotiation extension and returns the first value. + * Parses the application_layer_protocol_negotiation extension and returns the first value as raw bytes. * @param {Uint8Array} bytes - * @returns {number} + * @returns {Uint8Array|null} */ export function parseFirstALPNValue(bytes) { const s = new Stream(bytes); const alpnExtLen = s.readInt(2); - if (alpnExtLen < 3) return "00"; + if (alpnExtLen < 2) return null; const strLen = s.readInt(1); - if (strLen < 2) return "00"; - return s.readString(strLen); + if (strLen < 1) return null; + return s.getBytes(strLen); } diff --git a/tests/operations/tests/JA4.mjs b/tests/operations/tests/JA4.mjs index 0fb4624ea..699dca406 100644 --- a/tests/operations/tests/JA4.mjs +++ b/tests/operations/tests/JA4.mjs @@ -30,6 +30,28 @@ TestRegister.addTests([ } ], }, + { + name: "JA4 Fingerprint: TLS 1.3 with whitespace-only ALPN", + input: "1603010200010001fc0303ed338a18e711d670cdc472ff570a5b59f1ace12e5365918bf68bf845019147b6207e4437bfb062d98a4aeb753be8f09022a9dc9413d7694dad4db57fcdcf076e820024130213031301c02cc030c02bc02fcca9cca8c024c028c023c027009f009e006b006700ff0100018f0000001800160000136465762e636f6e74656e74677261622e6e6574000b000403000102000a00160014001d0017001e00190018010001010102010301040023000000100004000201200016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d00207af053336d5e2c1675aa4c6ce78de5e5fdbd296538113f051ea17ccb64289f22001500d2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + expectedOutput: "t13d181220_85036bcba153_d41ae481755e", + recipeConfig: [ + { + "op": "JA4 Fingerprint", + "args": ["Hex", "JA4"] + } + ], + }, + { + name: "JA4 Fingerprint: TLS 1.3 with ALPN containing a whitespace", + input: "1603010200010001fc0303273682a603be3f64dd025df4ad0f4d2d13043c3a233405a68bb29b865808749a20f4dfc40242b2fce38fae26c516ef9bef20a1b9349eba3c003780168d72471f5c0024130213031301c02cc030c02bc02fcca9cca8c024c028c023c027009f009e006b006700ff0100018f0000001800160000136465762e636f6e74656e74677261622e6e6574000b000403000102000a00160014001d0017001e0019001801000101010201030104002300000010000500030261200016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602002b00050403040303002d00020101003300260024001d0020f4dd1567bd858d3a9f1d88db1fee6a10ab0ea1aa6afe96ffb6a7c4d79dea4075001500d10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + expectedOutput: "t13d181260_85036bcba153_d41ae481755e", + recipeConfig: [ + { + "op": "JA4 Fingerprint", + "args": ["Hex", "JA4"] + } + ], + }, { name: "JA4 Fingerprint: TLS 1.2", input: "1603010200010001fc0303ecb2691addb2bf6c599c7aaae23de5f42561cc04eb41029acc6fc050a16ac1d22046f8617b580ac9358e2aa44e306d52466bcc989c87c8ca64309f5faf50ba7b4d0022130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f00350100019100000021001f00001c636f6e74696c652e73657276696365732e6d6f7a696c6c612e636f6d00170000ff01000100000a000e000c001d00170018001901000101000b00020100002300000010000e000c02683208687474702f312e310005000501000000000022000a000804030503060302030033006b0069001d00208909858fbeb6ed2f1248ba5b9e2978bead0e840110192c61daed0096798b184400170041044d183d91f5eed35791fa982464e3b0214aaa5f5d1b78616d9b9fbebc22d11f535b2f94c686143136aa795e6e5a875d6c08064ad5b76d44caad766e2483012748002b00050403040303000d0018001604030503060308040805080604010501060102030201002d00020101001c000240010015007a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", From 5c49f8772748d8efb2b20fb821ef010e441007d4 Mon Sep 17 00:00:00 2001 From: GCHQDeveloper581 <63102987+GCHQDeveloper581@users.noreply.github.com> Date: Mon, 2 Feb 2026 10:17:46 +0000 Subject: [PATCH 08/19] Update kbpgp package (resolves #2135) (#2136) --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index af76ee067..4bb454561 100644 --- a/package-lock.json +++ b/package-lock.json @@ -61,7 +61,7 @@ "jsonwebtoken": "8.5.1", "jsqr": "^1.4.0", "jsrsasign": "^11.1.0", - "kbpgp": "2.1.15", + "kbpgp": "^2.1.17", "libbzip2-wasm": "0.0.4", "libyara-wasm": "^1.2.1", "lodash": "^4.17.21", @@ -12601,9 +12601,9 @@ } }, "node_modules/kbpgp": { - "version": "2.1.15", - "resolved": "https://registry.npmjs.org/kbpgp/-/kbpgp-2.1.15.tgz", - "integrity": "sha512-iFdQT+m2Mi2DB14kEFydF2joNe9x3E2VZCGZUt7UXsiZnQx5TtSl4KofP7EPtjHvf7weCxNKlEPSYiiCNMZ2jA==", + "version": "2.1.17", + "resolved": "https://registry.npmjs.org/kbpgp/-/kbpgp-2.1.17.tgz", + "integrity": "sha512-pnjH7amyg6dZLXyF42BKbCTST0l0r1ErunqtFRrJCkHkGJb83cZZmx1pnqNFr+d/ls+5gvcHrZLPfUG5q7oRYw==", "license": "BSD-3-Clause", "dependencies": { "bn": "^1.0.5", diff --git a/package.json b/package.json index ec3f0520e..a2b69f9ff 100644 --- a/package.json +++ b/package.json @@ -147,7 +147,7 @@ "jsonwebtoken": "8.5.1", "jsqr": "^1.4.0", "jsrsasign": "^11.1.0", - "kbpgp": "2.1.15", + "kbpgp": "^2.1.17", "libbzip2-wasm": "0.0.4", "libyara-wasm": "^1.2.1", "lodash": "^4.17.21", From 5e53fe113d1346199f27de5b37c01809ba5d6fd0 Mon Sep 17 00:00:00 2001 From: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com> Date: Tue, 3 Feb 2026 12:16:04 +0000 Subject: [PATCH 09/19] Update crypto browserify (#2172) --- package-lock.json | 120 ++++++++++++++++++++++++++++++++++++---------- package.json | 2 +- 2 files changed, 96 insertions(+), 26 deletions(-) diff --git a/package-lock.json b/package-lock.json index 4bb454561..184e5cc3f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -31,7 +31,7 @@ "chi-squared": "^1.1.0", "codepage": "^1.15.0", "crypto-api": "^0.8.5", - "crypto-browserify": "^3.12.0", + "crypto-browserify": "^3.12.1", "crypto-js": "^4.2.0", "ctph.js": "0.0.5", "d3": "7.9.0", @@ -5137,7 +5137,6 @@ "version": "1.0.7", "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.7.tgz", "integrity": "sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==", - "dev": true, "license": "MIT", "dependencies": { "possible-typed-array-names": "^1.0.0" @@ -9844,7 +9843,6 @@ "version": "0.3.3", "resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz", "integrity": "sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==", - "dev": true, "license": "MIT", "dependencies": { "is-callable": "^1.1.3" @@ -11706,7 +11704,6 @@ "version": "1.2.7", "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.2.7.tgz", "integrity": "sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==", - "dev": true, "license": "MIT", "engines": { "node": ">= 0.4" @@ -12057,6 +12054,21 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/is-typed-array": { + "version": "1.1.15", + "resolved": "https://registry.npmjs.org/is-typed-array/-/is-typed-array-1.1.15.tgz", + "integrity": "sha512-p3EcsicXjit7SaskXHs1hA91QxgTw46Fv6EFKKGS5DRFLD8yKnohjF3hxoju94b/OcMZoQukzpPpBE9uLVKzgQ==", + "license": "MIT", + "dependencies": { + "which-typed-array": "^1.1.16" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/is-unc-path": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-unc-path/-/is-unc-path-1.0.0.tgz", @@ -14900,19 +14912,20 @@ } }, "node_modules/pbkdf2": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.2.tgz", - "integrity": "sha512-iuh7L6jA7JEGu2WxDwtQP1ddOpaJNC4KlDEFfdQajSGgGPNi4OyDc2R7QnbY2bR9QjBVGwgvTdNJZoE7RaxUMA==", + "version": "3.1.5", + "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.5.tgz", + "integrity": "sha512-Q3CG/cYvCO1ye4QKkuH7EXxs3VC/rI1/trd+qX2+PolbaKG0H+bgcZzrTt96mMyRtejk+JMCiLUn3y29W8qmFQ==", "license": "MIT", "dependencies": { - "create-hash": "^1.1.2", - "create-hmac": "^1.1.4", - "ripemd160": "^2.0.1", - "safe-buffer": "^5.0.1", - "sha.js": "^2.4.8" + "create-hash": "^1.2.0", + "create-hmac": "^1.1.7", + "ripemd160": "^2.0.3", + "safe-buffer": "^5.2.1", + "sha.js": "^2.4.12", + "to-buffer": "^1.2.1" }, "engines": { - "node": ">=0.12" + "node": ">= 0.10" } }, "node_modules/peek-readable": { @@ -15170,7 +15183,6 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/possible-typed-array-names/-/possible-typed-array-names-1.0.0.tgz", "integrity": "sha512-d7Uw+eZoloe0EHDIYoe+bQ5WXnGMOpmiZFTuMWCwpjzzkL2nTjcKiAk4hh8TjnGye2TwWOk3UXucZ+3rbmBa8Q==", - "dev": true, "license": "MIT", "engines": { "node": ">= 0.4" @@ -16149,13 +16161,31 @@ } }, "node_modules/ripemd160": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.2.tgz", - "integrity": "sha512-ii4iagi25WusVoiC4B4lq7pbXfAp3D9v5CwfkY33vffw2+pkDjY1D8GaN7spsxvCSx8dkPqOZCEZyfxcmJG2IA==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/ripemd160/-/ripemd160-2.0.3.tgz", + "integrity": "sha512-5Di9UC0+8h1L6ZD2d7awM7E/T4uA1fJRlx6zk/NvdCCVEoAnFqvHmCuNeIKoCeIixBX/q8uM+6ycDvF8woqosA==", "license": "MIT", "dependencies": { - "hash-base": "^3.0.0", - "inherits": "^2.0.1" + "hash-base": "^3.1.2", + "inherits": "^2.0.4" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/ripemd160/node_modules/hash-base": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/hash-base/-/hash-base-3.1.2.tgz", + "integrity": "sha512-Bb33KbowVTIj5s7Ked1OsqHUeCpz//tPwR+E2zJgJKo9Z5XolZ9b6bdUgjmYlwnWhoOQKoTd1TYToZGn5mAYOg==", + "license": "MIT", + "dependencies": { + "inherits": "^2.0.4", + "readable-stream": "^2.3.8", + "safe-buffer": "^5.2.1", + "to-buffer": "^1.2.1" + }, + "engines": { + "node": ">= 0.8" } }, "node_modules/rison": { @@ -16617,16 +16647,23 @@ "license": "ISC" }, "node_modules/sha.js": { - "version": "2.4.11", - "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.11.tgz", - "integrity": "sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==", + "version": "2.4.12", + "resolved": "https://registry.npmjs.org/sha.js/-/sha.js-2.4.12.tgz", + "integrity": "sha512-8LzC5+bvI45BjpfXU8V5fdU2mfeKiQe1D1gIMn7XUlF3OTUrpdJpPPH4EMAnF0DsHHdSZqCdSss5qCmJKuiO3w==", "license": "(MIT AND BSD-3-Clause)", "dependencies": { - "inherits": "^2.0.1", - "safe-buffer": "^5.0.1" + "inherits": "^2.0.4", + "safe-buffer": "^5.2.1", + "to-buffer": "^1.2.0" }, "bin": { "sha.js": "bin.js" + }, + "engines": { + "node": ">= 0.10" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" } }, "node_modules/shebang-command": { @@ -17663,6 +17700,26 @@ "node": ">=14.14" } }, + "node_modules/to-buffer": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/to-buffer/-/to-buffer-1.2.2.tgz", + "integrity": "sha512-db0E3UJjcFhpDhAF4tLo03oli3pwl3dbnzXOUIlRKrp+ldk/VUxzpWYZENsw2SZiuBjHAk7DfB0VU7NKdpb6sw==", + "license": "MIT", + "dependencies": { + "isarray": "^2.0.5", + "safe-buffer": "^5.2.1", + "typed-array-buffer": "^1.0.3" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/to-buffer/node_modules/isarray": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/isarray/-/isarray-2.0.5.tgz", + "integrity": "sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==", + "license": "MIT" + }, "node_modules/to-fast-properties": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-1.0.3.tgz", @@ -17845,6 +17902,20 @@ "node": ">= 0.6" } }, + "node_modules/typed-array-buffer": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/typed-array-buffer/-/typed-array-buffer-1.0.3.tgz", + "integrity": "sha512-nAYYwfY3qnzX30IkA6AQZjVbtK6duGontcQm1WSG1MD94YLqK0515GNApXkoxKOWMusVssAHWLh9SeaoefYFGw==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.3", + "es-errors": "^1.3.0", + "is-typed-array": "^1.1.14" + }, + "engines": { + "node": ">= 0.4" + } + }, "node_modules/ua-parser-js": { "version": "1.0.40", "resolved": "https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-1.0.40.tgz", @@ -18855,7 +18926,6 @@ "version": "1.1.18", "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.18.tgz", "integrity": "sha512-qEcY+KJYlWyLH9vNbsr6/5j59AXk5ni5aakf8ldzBvGde6Iz4sxZGkJyWSAueTG7QhOvNRYb1lDdFmL5Td0QKA==", - "dev": true, "license": "MIT", "dependencies": { "available-typed-arrays": "^1.0.7", diff --git a/package.json b/package.json index a2b69f9ff..fe50083c2 100644 --- a/package.json +++ b/package.json @@ -117,7 +117,7 @@ "chi-squared": "^1.1.0", "codepage": "^1.15.0", "crypto-api": "^0.8.5", - "crypto-browserify": "^3.12.0", + "crypto-browserify": "^3.12.1", "crypto-js": "^4.2.0", "ctph.js": "0.0.5", "d3": "7.9.0", From 55ef47f645705476623765037e1ef307be84d94c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 13:23:09 +0000 Subject: [PATCH 10/19] Bump node-forge from 1.3.1 to 1.3.3 (#2173) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 184e5cc3f..2320fd600 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13995,9 +13995,9 @@ } }, "node_modules/node-forge": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz", - "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==", + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.3.tgz", + "integrity": "sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==", "license": "(BSD-3-Clause OR GPL-2.0)", "engines": { "node": ">= 6.13.0" From 9df82113c4b78fd7b293d325f4c56854e401d70a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 14:01:18 +0000 Subject: [PATCH 11/19] Bump form-data from 4.0.1 to 4.0.5 (#2175) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 2320fd600..0b7bce146 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8740,6 +8740,22 @@ "node": ">= 0.4" } }, + "node_modules/es-set-tostringtag": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz", + "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==", + "dev": true, + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.6", + "has-tostringtag": "^1.0.2", + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" + } + }, "node_modules/es6-object-assign": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/es6-object-assign/-/es6-object-assign-1.1.0.tgz", @@ -9902,14 +9918,16 @@ } }, "node_modules/form-data": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.1.tgz", - "integrity": "sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==", + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", + "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", "dev": true, "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", + "es-set-tostringtag": "^2.1.0", + "hasown": "^2.0.2", "mime-types": "^2.1.12" }, "engines": { From 96c93b95f21ffd63dc5619541681cf07641fc56c Mon Sep 17 00:00:00 2001 From: GCHQ Developer C85297 <95289555+C85297@users.noreply.github.com> Date: Tue, 3 Feb 2026 15:12:41 +0000 Subject: [PATCH 12/19] Remove version 10 message from banner (#2169) --- .github/workflows/master.yml | 2 +- src/web/App.mjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 8a3aff54b..fc878863a 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -33,7 +33,7 @@ jobs: - name: Production Build if: success() - run: npx grunt prod --msg="Version 10 is here! Read about the new features here" + run: npx grunt prod --msg="" - name: Generate sitemap run: npx grunt exec:sitemap diff --git a/src/web/App.mjs b/src/web/App.mjs index 7071854ac..143545d6a 100644 --- a/src/web/App.mjs +++ b/src/web/App.mjs @@ -650,7 +650,7 @@ class App { // const compareURL = `https://github.com/gchq/CyberChef/compare/v${prev.join(".")}...v${PKG_VERSION}`; - let compileInfo = `Last build: ${timeSinceCompile.substr(0, 1).toUpperCase() + timeSinceCompile.substr(1)} ago`; + let compileInfo = `Last build: ${timeSinceCompile.substring(0, 1).toUpperCase() + timeSinceCompile.substring(1)} ago`; if (window.compileMessage !== "") { compileInfo += " - " + window.compileMessage; From 64399ad60ed3b998c6425bbe66b22e74c26d7d4a Mon Sep 17 00:00:00 2001 From: Alex Gustafsson Date: Tue, 3 Feb 2026 16:42:46 +0100 Subject: [PATCH 13/19] Use recommended GitHub Actions to build image (#2055) Co-authored-by: C85297 <95289555+C85297@users.noreply.github.com> --- .github/workflows/pull_requests.yml | 16 ++++++------- .github/workflows/releases.yml | 36 ++++++++++++++--------------- Dockerfile | 5 +--- 3 files changed, 26 insertions(+), 31 deletions(-) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 296e60b99..7731970af 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -34,20 +34,20 @@ jobs: if: success() run: npx grunt prod + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Production Image Build if: success() id: build-image - uses: redhat-actions/buildah-build@v2 + uses: docker/build-push-action@v6 with: # Not being uploaded to any registry, use a simple name to allow Buildah to build correctly. image: cyberchef - containerfiles: ./Dockerfile - platforms: linux/amd64 - oci: true - # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. - extra-args: | - --ulimit nofile=10000 - + platforms: linux/amd64,linux/arm64 - name: UI Tests if: success() run: | diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index a77f4984b..52e81f2c4 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -45,6 +45,12 @@ jobs: sudo apt-get install xvfb xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Image Metadata id: image-metadata uses: docker/metadata-action@v4 @@ -55,30 +61,22 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{version}} - - name: Production Image Build - id: build-image - uses: redhat-actions/buildah-build@v2 + - name: Log in to GHCR + uses: docker/login-action@v3 with: - tags: ${{ steps.image-metadata.outputs.tags }} - labels: ${{ steps.image-metadata.outputs.labels }} - containerfiles: ./Dockerfile - platforms: linux/amd64,linux/arm64 - oci: true - # enable build layer caching between platforms - layers: true - # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. - extra-args: | - --ulimit nofile=10000 - - - name: Publish to GHCR - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build-image.outputs.image }} - tags: ${{ steps.build-image.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} + - name: Publish to GHCR + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} + platforms: linux/amd64,linux/arm64 + - name: Upload Release Assets id: upload-release-assets uses: svenstaro/upload-release-action@v2 diff --git a/Dockerfile b/Dockerfile index ba605fd71..2184a2941 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,9 +27,6 @@ RUN npm run build ######################################### # Package static build files into nginx # ######################################### -# We are using Github Actions: redhat-actions/buildah-build@v2 which needs manual selection of arch in base image -# Remove TARGETARCH if docker buildx is supported in the CI release as --platform=$TARGETPLATFORM will be automatically set -ARG TARGETPLATFORM -FROM --platform=${TARGETPLATFORM} nginx:stable-alpine AS cyberchef +FROM nginx:stable-alpine AS cyberchef COPY --from=builder /app/build/prod /usr/share/nginx/html/ From 1542cadde8f60d50f2bf8d53d0f0b9f888e2cbb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=BCgo?= <8133415+rbpi@users.noreply.github.com> Date: Wed, 4 Feb 2026 01:44:59 +0700 Subject: [PATCH 14/19] Update Sitemap URLs to Use Valid Paths in sitemap.mjs (#1861) Co-authored-by: C85297 <95289555+C85297@users.noreply.github.com> --- src/web/static/sitemap.mjs | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/web/static/sitemap.mjs b/src/web/static/sitemap.mjs index b96047fc8..4f8101d4c 100644 --- a/src/web/static/sitemap.mjs +++ b/src/web/static/sitemap.mjs @@ -1,6 +1,5 @@ import sm from "sitemap"; -import OperationConfig from "../../core/config/OperationConfig.json" assert {type: "json"}; - +import OperationConfig from "../../core/config/OperationConfig.json" assert { type: "json" }; /** * Generates an XML sitemap for all CyberChef operations and a number of recipes. @@ -10,25 +9,25 @@ import OperationConfig from "../../core/config/OperationConfig.json" assert {typ * @license Apache-2.0 */ -const smStream = new sm.SitemapStream({ - hostname: "https://gchq.github.io/CyberChef", -}); +const baseUrl = "https://gchq.github.io/CyberChef/"; + +const smStream = new sm.SitemapStream({}); smStream.write({ - url: "/", + url: baseUrl, changefreq: "weekly", - priority: 1.0 + priority: 1.0, }); for (const op in OperationConfig) { smStream.write({ - url: `/?op=${encodeURIComponent(op)}`, + url: `${baseUrl}?op=${encodeURIComponent(op)}`, changeFreq: "yearly", - priority: 0.5 + priority: 0.5, }); } smStream.end(); sm.streamToPromise(smStream).then( - buffer => console.log(buffer.toString()) // eslint-disable-line no-console + (buffer) => console.log(buffer.toString()), // eslint-disable-line no-console ); From fa34e2fafc5df9c7153676c5df6d8263094c12cb Mon Sep 17 00:00:00 2001 From: Thomas <31802793+ThomasNotTom@users.noreply.github.com> Date: Wed, 4 Feb 2026 09:38:25 +0000 Subject: [PATCH 15/19] Fix: Correctly parse xxd odd byte hexdumps (#2058) Co-authored-by: GCHQDeveloper581 <63102987+GCHQDeveloper581@users.noreply.github.com> --- src/core/operations/FromHexdump.mjs | 2 +- tests/operations/tests/Hexdump.mjs | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/core/operations/FromHexdump.mjs b/src/core/operations/FromHexdump.mjs index e8c25441f..6fd3c1dc7 100644 --- a/src/core/operations/FromHexdump.mjs +++ b/src/core/operations/FromHexdump.mjs @@ -43,7 +43,7 @@ class FromHexdump extends Operation { */ run(input, args) { const output = [], - regex = /^\s*(?:[\dA-F]{4,16}h?:?)?[ \t]+((?:[\dA-F]{2} ){1,8}(?:[ \t]|[\dA-F]{2}-)(?:[\dA-F]{2} ){1,8}|(?:[\dA-F]{4} )*[\dA-F]{4}|(?:[\dA-F]{2} )*[\dA-F]{2})/igm; + regex = /^\s*(?:[\dA-F]{4,16}h?:?)?[ \t]+((?:[\dA-F]{2} ){1,8}(?:[ \t]|[\dA-F]{2}-)(?:[\dA-F]{2} ){1,8}|(?:[\dA-F]{4} )+(?:[\dA-F]{2})?|(?:[\dA-F]{2} )*[\dA-F]{2})/igm; let block, line; while ((block = regex.exec(input))) { diff --git a/tests/operations/tests/Hexdump.mjs b/tests/operations/tests/Hexdump.mjs index 90523a08e..6eb486db2 100644 --- a/tests/operations/tests/Hexdump.mjs +++ b/tests/operations/tests/Hexdump.mjs @@ -152,6 +152,17 @@ TestRegister.addTests([ } ], }, + { + name: "From Hexdump: xxd format, odd number of bytes", + input: "00000000: 6162 6364 65 abcde", + expectedOutput: "abcde", + recipeConfig: [ + { + op: "From Hexdump", + args: [] + } + ], + }, { name: "From Hexdump: Wireshark", input: `00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ........ ........ From 693b7d86dd9d9e6e1163a8a105e5d05f96a06d1e Mon Sep 17 00:00:00 2001 From: GCHQ Developer 85297 <95289555+C85297@users.noreply.github.com> Date: Wed, 4 Feb 2026 14:20:22 +0000 Subject: [PATCH 16/19] Use NPM trusted publishing (#2174) Co-authored-by: GCHQDeveloper581 <63102987+GCHQDeveloper581@users.noreply.github.com> (minor tweaks only) --- .editorconfig | 4 + .github/workflows/codeql.yml | 28 +++--- .github/workflows/master.yml | 77 ++++++++-------- .github/workflows/pull_requests.yml | 71 ++++++++------- .github/workflows/releases.yml | 131 ++++++++++++++-------------- 5 files changed, 159 insertions(+), 152 deletions(-) diff --git a/.editorconfig b/.editorconfig index b50059bbd..cef4cab07 100644 --- a/.editorconfig +++ b/.editorconfig @@ -12,3 +12,7 @@ indent_size = 4 [{package.json,.travis.yml,nightwatch.json}] indent_style = space indent_size = 2 + +[.github/**.yml] +indent_style = space +indent_size = 2 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1350e9769..59fb73e70 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -3,13 +3,13 @@ name: "CodeQL Analysis" on: workflow_dispatch: push: - branches: [ master ] + branches: [master] pull_request: # The branches below must be a subset of the branches above - branches: [ master ] + branches: [master] types: [synchronize, opened, reopened] schedule: - - cron: '22 17 * * 5' + - cron: "22 17 * * 5" jobs: analyze: @@ -23,18 +23,18 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'javascript' ] + language: ["javascript"] steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v6 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index fc878863a..d092a74c6 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -4,55 +4,56 @@ on: workflow_dispatch: push: branches: - - master + - master jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 - - name: Set node version - uses: actions/setup-node@v3 - with: - node-version: '18.x' + - name: Set node version + uses: actions/setup-node@v6 + with: + node-version: 18 + registry-url: "https://registry.npmjs.org" - - name: Install - run: | - export DETECT_CHROMEDRIVER_VERSION=true - npm install - npm run setheapsize + - name: Install + run: | + export DETECT_CHROMEDRIVER_VERSION=true + npm install + npm run setheapsize - - name: Lint - run: npx grunt lint + - name: Lint + run: npx grunt lint - - name: Unit Tests - run: | - npm test - npm run testnodeconsumer + - name: Unit Tests + run: | + npm test + npm run testnodeconsumer - - name: Production Build - if: success() - run: npx grunt prod --msg="" + - name: Production Build + if: success() + run: npx grunt prod --msg="" - - name: Generate sitemap - run: npx grunt exec:sitemap + - name: Generate sitemap + run: npx grunt exec:sitemap - - name: UI Tests - if: success() - run: | - sudo apt-get install xvfb - xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + - name: UI Tests + if: success() + run: | + sudo apt-get install xvfb + xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui - - name: Prepare for GitHub Pages - if: success() - run: npx grunt copy:ghPages + - name: Prepare for GitHub Pages + if: success() + run: npx grunt copy:ghPages - - name: Deploy to GitHub Pages - if: success() && github.ref == 'refs/heads/master' - uses: crazy-max/ghaction-github-pages@v3 - with: - target_branch: gh-pages - build_dir: ./build/prod - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Deploy to GitHub Pages + if: success() && github.ref == 'refs/heads/master' + uses: crazy-max/ghaction-github-pages@v3 + with: + target_branch: gh-pages + build_dir: ./build/prod + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 7731970af..7f65b6171 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -9,47 +9,46 @@ jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 - - name: Set node version - uses: actions/setup-node@v3 - with: - node-version: '18.x' + - name: Set node version + uses: actions/setup-node@v6 + with: + node-version: 18 + registry-url: "https://registry.npmjs.org" - - name: Install - run: | - export DETECT_CHROMEDRIVER_VERSION=true - npm install - npm run setheapsize + - name: Install + run: | + export DETECT_CHROMEDRIVER_VERSION=true + npm install + npm run setheapsize - - name: Lint - run: npx grunt lint + - name: Lint + run: npx grunt lint - - name: Unit Tests - run: | - npm test - npm run testnodeconsumer + - name: Unit Tests + run: | + npm test + npm run testnodeconsumer - - name: Production Build - if: success() - run: npx grunt prod + - name: Production Build + if: success() + run: npx grunt prod - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - - name: Production Image Build - if: success() - id: build-image - uses: docker/build-push-action@v6 - with: - # Not being uploaded to any registry, use a simple name to allow Buildah to build correctly. - image: cyberchef - platforms: linux/amd64,linux/arm64 - - name: UI Tests - if: success() - run: | - sudo apt-get install xvfb - xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + - name: Production Image Build + if: success() + id: build-image + uses: docker/build-push-action@v6 + with: + platforms: linux/amd64,linux/arm64 + - name: UI Tests + if: success() + run: | + sudo apt-get install xvfb + xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 52e81f2c4..b40af8761 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -4,7 +4,11 @@ on: workflow_dispatch: push: tags: - - 'v*' + - "v*" + +permissions: + id-token: write + contents: read env: REGISTRY: ghcr.io @@ -16,79 +20,78 @@ jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 - - name: Set node version - uses: actions/setup-node@v3 - with: - node-version: '18.x' + - name: Set node version + uses: actions/setup-node@v6 + with: + node-version: 18 + registry-url: "https://registry.npmjs.org" - - name: Install - run: | - export DETECT_CHROMEDRIVER_VERSION=true - npm ci - npm run setheapsize + - name: Install + run: | + export DETECT_CHROMEDRIVER_VERSION=true + npm ci + npm run setheapsize - - name: Lint - run: npx grunt lint + - name: Lint + run: npx grunt lint - - name: Unit Tests - run: | - npm test - npm run testnodeconsumer + - name: Unit Tests + run: | + npm test + npm run testnodeconsumer - - name: Production Build - run: npx grunt prod + - name: Production Build + run: npx grunt prod - - name: UI Tests - run: | - sudo apt-get install xvfb - xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + - name: UI Tests + run: | + sudo apt-get install xvfb + xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - - name: Image Metadata - id: image-metadata - uses: docker/metadata-action@v4 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=semver,pattern={{major}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{version}} + - name: Image Metadata + id: image-metadata + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{major}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{version}} - - name: Log in to GHCR - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} - - name: Publish to GHCR - uses: docker/build-push-action@v6 - with: - context: . - push: true - tags: ${{ steps.image-metadata.outputs.tags }} - labels: ${{ steps.image-metadata.outputs.labels }} - platforms: linux/amd64,linux/arm64 + - name: Publish to GHCR + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} + platforms: linux/amd64,linux/arm64 - - name: Upload Release Assets - id: upload-release-assets - uses: svenstaro/upload-release-action@v2 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: build/prod/*.zip - tag: ${{ github.ref }} - overwrite: true - file_glob: true - body: "See the [CHANGELOG](https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md) and [commit messages](https://github.com/gchq/CyberChef/commits/master) for details." + - name: Upload Release Assets + id: upload-release-assets + uses: svenstaro/upload-release-action@v2 + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + file: build/prod/*.zip + tag: ${{ github.ref }} + overwrite: true + file_glob: true + body: "See the [CHANGELOG](https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md) and [commit messages](https://github.com/gchq/CyberChef/commits/master) for details." - - name: Publish to NPM - uses: JS-DevTools/npm-publish@v1 - with: - token: ${{ secrets.NPM_TOKEN }} + - name: Publish to NPM + run: npm publish From de3a5ff6347c1443ccfed629ec48f23c51093f46 Mon Sep 17 00:00:00 2001 From: GCHQDeveloper581 <63102987+GCHQDeveloper581@users.noreply.github.com> Date: Wed, 4 Feb 2026 15:12:25 +0000 Subject: [PATCH 17/19] Fix code scanning warnings in workflows (#2177) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/master.yml | 5 +++++ .github/workflows/pull_requests.yml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index d092a74c6..74710dff1 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -1,5 +1,8 @@ name: "Master Build, Test & Deploy" +permissions: + contents: read + on: workflow_dispatch: push: @@ -8,6 +11,8 @@ on: jobs: main: + permissions: + contents: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 7f65b6171..8f04df72c 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -1,5 +1,8 @@ name: "Pull Requests" +permissions: + contents: read + on: workflow_dispatch: pull_request: From 4e8f0c34f3be214b7fd8a5b20d21c5ead209472a Mon Sep 17 00:00:00 2001 From: GCHQ Developer 85297 <95289555+C85297@users.noreply.github.com> Date: Wed, 4 Feb 2026 15:26:23 +0000 Subject: [PATCH 18/19] Remove custom CodeQL workflow (#2176) --- .github/workflows/codeql.yml | 40 ------------------------------------ 1 file changed, 40 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 59fb73e70..000000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: "CodeQL Analysis" - -on: - workflow_dispatch: - push: - branches: [master] - pull_request: - # The branches below must be a subset of the branches above - branches: [master] - types: [synchronize, opened, reopened] - schedule: - - cron: "22 17 * * 5" - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["javascript"] - - steps: - - name: Checkout repository - uses: actions/checkout@v6 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" From 0cf7bcaddc55952c24202edd7f3349cc0a2667b9 Mon Sep 17 00:00:00 2001 From: d98762625 <37445287+d98762625@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:46:30 +0000 Subject: [PATCH 19/19] Fix import operations with special chars in them (#1040) Co-authored-by: jg42526 <210032080+jg42526@users.noreply.github.com> (fixed test broken by a dependency updated elsewhere) --- src/node/apiUtils.mjs | 2 +- tests/node/tests/nodeApi.mjs | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/src/node/apiUtils.mjs b/src/node/apiUtils.mjs index 64688073a..9d1c43cc8 100644 --- a/src/node/apiUtils.mjs +++ b/src/node/apiUtils.mjs @@ -66,7 +66,7 @@ export function removeSubheadingsFromArray(array) { * @param str */ export function sanitise(str) { - return str.replace(/ /g, "").toLowerCase(); + return str.replace(/[/\s.-]/g, "").toLowerCase(); } diff --git a/tests/node/tests/nodeApi.mjs b/tests/node/tests/nodeApi.mjs index 29a47ffc8..92d4d9911 100644 --- a/tests/node/tests/nodeApi.mjs +++ b/tests/node/tests/nodeApi.mjs @@ -345,6 +345,42 @@ TestRegister.addApiTests([ assert.strictEqual(result.toString(), "begin_something_aaaaaaaaaaaaaa_end_something"); }), + it("chef.bake: should accept operation names from Chef Website which contain forward slash", () => { + const result = chef.bake("I'll have the test salmon", [ + { "op": "Find / Replace", + "args": [{ "option": "Regex", "string": "test" }, "good", true, false, true, false]} + ]); + assert.strictEqual(result.toString(), "I'll have the good salmon"); + }), + + it("chef.bake: should accept operation names from Chef Website which contain a hyphen", () => { + const result = chef.bake("I'll have the test salmon", [ + { "op": "Adler-32 Checksum", + "args": [] } + ]); + assert.strictEqual(result.toString(), "6e4208f8"); + }), + + it("chef.bake: should accept operation names from Chef Website which contain a period", () => { + const result = chef.bake("30 13 02 01 05 16 0e 41 6e 79 62 6f 64 79 20 74 68 65 72 65 3f", [ + { "op": "Parse ASN.1 hex string", + "args": [0, 32] } + ]); + assert.strictEqual(result.toString(), `SEQUENCE + INTEGER 05 + IA5String 'Anybody there?' +`); + }), + + it("Excluded operations: throw a sensible error when you try and call one", () => { + try { + chef.fork(); + } catch (e) { + assert.strictEqual(e.type, "ExcludedOperationError"); + assert.strictEqual(e.message, "Sorry, the Fork operation is not available in the Node.js version of CyberChef."); + } + }), + it("chef.bake: cannot accept flowControl operations in recipe", () => { assert.throws(() => chef.bake("some input", "magic"), { name: "TypeError",