cyberchef 11.0.0 → 11.1.0

package/src/core/operations/BLAKE3.mjs

@@ -6,7 +6,10 @@
 
 import Operation from "../Operation.mjs";
 import OperationError from "../errors/OperationError.mjs";
-import { blake3 } from "hash-wasm";
+import Utils from "../Utils.mjs";
+import { blake3 } from "@noble/hashes/blake3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+
 /**
  * BLAKE3 operation
  */
@@ -44,13 +47,16 @@ class BLAKE3 extends Operation {
     run(input, args) {
         const key = args[1];
         const size = args[0];
-        // Check if the user want a key hash or not
-        if (key === "") {
-            return blake3(input, size*8);
-        } if (key.length !== 32) {
-            throw new OperationError("The key must be exactly 32 bytes long");
+        const opts = { dkLen: size };
+        const inputBytes = new Uint8Array(Utils.strToArrayBuffer(input));
+        if (key !== "") {
+            const keyBytes = new Uint8Array(Utils.strToArrayBuffer(key));
+            if (keyBytes.length !== 32) {
+                throw new OperationError("The key must be exactly 32 bytes long");
+            }
+            opts.key = keyBytes;
         }
-        return blake3(input, size*8, key);
+        return bytesToHex(blake3(inputBytes, opts));
     }
 
 }

package/src/core/operations/BSONDeserialise.mjs

@@ -5,7 +5,7 @@
  */
 
 import Operation from "../Operation.mjs";
-import bson from "bson";
+import { deserialize } from "bson";
 import OperationError from "../errors/OperationError.mjs";
 
 /**
@@ -37,7 +37,7 @@ class BSONDeserialise extends Operation {
         if (!input.byteLength) return "";
 
         try {
-            const data = bson.deserialize(new Buffer(input));
+            const data = deserialize(new Uint8Array(input));
             return JSON.stringify(data, null, 2);
         } catch (err) {
             throw new OperationError(err.toString());

package/src/core/operations/BSONSerialise.mjs

@@ -5,7 +5,7 @@
  */
 
 import Operation from "../Operation.mjs";
-import bson from "bson";
+import { serialize } from "bson";
 import OperationError from "../errors/OperationError.mjs";
 
 /**
@@ -38,7 +38,8 @@ class BSONSerialise extends Operation {
 
         try {
             const data = JSON.parse(input);
-            return bson.serialize(data).buffer;
+            const result = serialize(data);
+            return result.buffer.slice(result.byteOffset, result.byteOffset + result.byteLength);
         } catch (err) {
             throw new OperationError(err.toString());
         }

package/src/core/operations/Bcrypt.mjs

@@ -43,7 +43,7 @@ class Bcrypt extends Operation {
         const rounds = args[0];
         const salt = await bcrypt.genSalt(rounds);
 
-        return await bcrypt.hash(input, salt, null, p => {
+        return await bcrypt.hash(input, salt, undefined, p => {
             // Progress callback
             if (isWorkerEnvironment())
                 self.sendStatusMessage(`Progress: ${(p * 100).toFixed(0)}%`);

package/src/core/operations/BcryptCompare.mjs

@@ -43,7 +43,7 @@ class BcryptCompare extends Operation {
     async run(input, args) {
         const hash = args[0];
 
-        const match = await bcrypt.compare(input, hash, null, p => {
+        const match = await bcrypt.compare(input, hash, undefined, p => {
             // Progress callback
             if (isWorkerEnvironment())
                 self.sendStatusMessage(`Progress: ${(p * 100).toFixed(0)}%`);

package/src/core/operations/DecodeText.mjs

@@ -5,6 +5,7 @@
  */
 
 import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
 import cptable from "codepage";
 import {CHR_ENC_CODE_PAGES} from "../lib/ChrEnc.mjs";
 
@@ -48,6 +49,9 @@ class DecodeText extends Operation {
      */
     run(input, args) {
         const format = CHR_ENC_CODE_PAGES[args[0]];
+        if (!format) {
+            throw new OperationError("Invalid encoding");
+        }
         return cptable.utils.decode(format, new Uint8Array(input));
     }
 

package/src/core/operations/EncodeText.mjs

@@ -5,6 +5,7 @@
  */
 
 import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
 import cptable from "codepage";
 import {CHR_ENC_CODE_PAGES} from "../lib/ChrEnc.mjs";
 
@@ -48,6 +49,9 @@ class EncodeText extends Operation {
      */
     run(input, args) {
         const format = CHR_ENC_CODE_PAGES[args[0]];
+        if (!format) {
+            throw new OperationError("Invalid encoding");
+        }
         const encoded = cptable.utils.encode(format, input);
         return new Uint8Array(encoded).buffer;
     }

package/src/core/operations/EscapeSmartCharacters.mjs

@@ -0,0 +1,129 @@
+/**
+ * @author HarelKatz [github.com/HarelKatz]
+ * @copyright Crown Copyright 2026
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+
+/**
+ * Escape Smart Characters operation
+ */
+class EscapeSmartCharacters extends Operation {
+
+    /**
+     * EscapeSmartCharacters constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "Escape Smart Characters";
+        this.module = "Default";
+        this.description = "Converts smart (typographic) Unicode characters — e.g. smart quotes, em/en dashes, ellipses, ©, ®, ™, arrows — into their plain ASCII equivalents.<br><br>Characters with no ASCII mapping (e.g. <code>☣</code>) are handled according to the 'Unmappable characters' option.<br><br>e.g. <code>“Hello” — world…</code> becomes <code>\"Hello\" -- world...</code>";
+        this.infoURL = "";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [
+            {
+                name: "Unmappable characters",
+                type: "option",
+                value: ["Include", "Remove", "Replace with '.'"]
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        const [unmappable] = args;
+        let result = "";
+        for (const ch of input) {
+            if (ch.codePointAt(0) < 128) {
+                result += ch;
+            } else if (Object.prototype.hasOwnProperty.call(SMART_MAP, ch)) {
+                result += SMART_MAP[ch];
+            } else {
+                switch (unmappable) {
+                    case "Remove":
+                        break;
+                    case "Replace with '.'":
+                        result += ".";
+                        break;
+                    case "Include":
+                    default:
+                        result += ch;
+                        break;
+                }
+            }
+        }
+        return result;
+    }
+
+}
+
+const SMART_MAP = {
+    // Smart double quotes
+    "“": "\"",   // “ left double quotation mark
+    "”": "\"",   // ” right double quotation mark
+    "„": "\"",   // „ double low-9 quotation mark
+    "‟": "\"",   // ‟ double high-reversed-9 quotation mark
+    "″": "\"",   // ″ double prime
+
+    // Smart single quotes / apostrophes
+    "‘": "'",    // ‘ left single quotation mark
+    "’": "'",    // ’ right single quotation mark / apostrophe
+    "‚": "'",    // ‚ single low-9 quotation mark
+    "‛": "'",    // ‛ single high-reversed-9 quotation mark
+    "′": "'",    // ′ prime
+
+    // Dashes & hyphens
+    "‐": "-",    // ‐ hyphen
+    "‑": "-",    // ‑ non-breaking hyphen
+    "‒": "-",    // ‒ figure dash
+    "–": "-",    // – en dash
+    "—": "--",   // — em dash
+    "―": "--",   // ― horizontal bar
+
+    // Ellipsis
+    "…": "...",  // …
+
+    // Trademark / copyright symbols
+    "©": "(c)",  // ©
+    "®": "(r)",  // ®
+    "™": "(tm)", // ™
+
+    // Arrows
+    "←": "<--",  // ←
+    "→": "-->",  // →
+    "↑": "^",    // ↑
+    "↓": "v",    // ↓
+    "↔": "<->",  // ↔
+    "⇐": "<==",  // ⇐
+    "⇒": "==>",  // ⇒
+    "⇔": "<=>",  // ⇔
+
+    // Guillemets
+    "«": "<<",   // «
+    "»": ">>",   // »
+    "‹": "<",    // ‹
+    "›": ">",    // ›
+
+    // Math & misc symbols
+    "×": "x",    // ×
+    "÷": "/",    // ÷
+    "±": "+/-",  // ±
+    "•": "*",    // •
+    "·": ".",    // ·
+
+    // Non-ASCII spaces
+    "\u00A0": " ",    // NBSP
+    "\u2002": " ",    // en space
+    "\u2003": " ",    // em space
+    "\u2009": " ",    // thin space
+    "\u200A": " "     // hair space
+};
+
+export default EscapeSmartCharacters;

package/src/core/operations/GenerateLoremIpsum.mjs

@@ -8,6 +8,10 @@ import Operation from "../Operation.mjs";
 import OperationError from "../errors/OperationError.mjs";
 import { GenerateParagraphs, GenerateSentences, GenerateWords, GenerateBytes } from "../lib/LoremIpsum.mjs";
 
+// arbitrary limits set to avoid DoS by requesting ridiculous amounts of data
+const maxLoremWords = 100_000; // same limit also used for paragraphs/sentences
+const maxLoremCharacters = 1_000_000;
+
 /**
  * Generate Lorem Ipsum operation
  */
@@ -47,9 +51,7 @@ class GenerateLoremIpsum extends Operation {
      */
     run(input, args) {
         const [length, lengthType] = args;
-        if (length < 1) {
-            throw new OperationError("Length must be greater than 0");
-        }
+        checkLimits(lengthType, length);
         switch (lengthType) {
             case "Paragraphs":
                 return GenerateParagraphs(length);
@@ -68,3 +70,32 @@ class GenerateLoremIpsum extends Operation {
 }
 
 export default GenerateLoremIpsum;
+
+/**
+ * check combined validity of lengthType and length arguments
+ * @param {string} lengthType
+ * @param {number} length
+ * @throws {OperationError}
+ */
+function checkLimits(lengthType, length) {
+    if (length < 1) {
+        throw new OperationError("Length must be greater than 0");
+    }
+
+    switch (lengthType) {
+        case "Paragraphs":
+        case "Sentences":
+        case "Words":
+            if (length > maxLoremWords) {
+                throw new OperationError("Length must be less than " + maxLoremWords);
+            }
+            break;
+        case "Bytes":
+            if (length > maxLoremCharacters) {
+                throw new OperationError("Length must be less than " + maxLoremCharacters);
+            }
+            break;
+        default:
+            throw new OperationError("Invalid length type");
+    }
+}

package/src/core/operations/GeneratePGPKeyPair.mjs

@@ -12,6 +12,7 @@ import { getSubkeySize, ASP } from "../lib/PGP.mjs";
 import { cryptNotice } from "../lib/Crypt.mjs";
 import * as es6promisify from "es6-promisify";
 const promisify = es6promisify.default ? es6promisify.default.promisify : es6promisify.promisify;
+const KEY_FLAGS = kbpgp.const.openpgp.key_flags;
 
 
 /**
@@ -73,11 +74,11 @@ class GeneratePGPKeyPair extends Operation {
         if (name) userIdentifier += name;
         if (email) userIdentifier += ` <${email}>`;
 
-        let flags = kbpgp.const.openpgp.certify_keys;
-        flags |= kbpgp.const.openpgp.sign_data;
-        flags |= kbpgp.const.openpgp.auth;
-        flags |= kbpgp.const.openpgp.encrypt_comm;
-        flags |= kbpgp.const.openpgp.encrypt_storage;
+        let flags = KEY_FLAGS.certify_keys;
+        flags |= KEY_FLAGS.sign_data;
+        flags |= KEY_FLAGS.auth;
+        flags |= KEY_FLAGS.encrypt_comm;
+        flags |= KEY_FLAGS.encrypt_storage;
 
         const keyGenerationOptions = {
             userid: userIdentifier,
@@ -89,11 +90,11 @@ class GeneratePGPKeyPair extends Operation {
             },
             subkeys: [{
                 "nbits": getSubkeySize(keySize),
-                "flags": kbpgp.const.openpgp.sign_data,
+                "flags": KEY_FLAGS.sign_data,
                 "expire_in": 86400 * 365 * 8
             }, {
                 "nbits": getSubkeySize(keySize),
-                "flags": kbpgp.const.openpgp.encrypt_comm | kbpgp.const.openpgp.encrypt_storage,
+                "flags": KEY_FLAGS.encrypt_comm | KEY_FLAGS.encrypt_storage,
                 "expire_in": 86400 * 365 * 2
             }],
             asp: ASP

package/src/core/operations/PGPSign.mjs

@@ -0,0 +1,83 @@
+/**
+ * @author GCHQDeveloper581
+ * @copyright Crown Copyright 2026
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+import kbpgp from "kbpgp";
+import { ASP, importPrivateKey } from "../lib/PGP.mjs";
+import OperationError from "../errors/OperationError.mjs";
+import * as es6promisify from "es6-promisify";
+const promisify = es6promisify.default ? es6promisify.default.promisify : es6promisify.promisify;
+
+/**
+ * PGP Sign operation
+ */
+class PGPSign extends Operation {
+
+    /**
+     * PGPSign constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "PGP Sign";
+        this.module = "PGP";
+        this.description = [
+            "Input: the message you want to sign",
+            "<br><br>",
+            "Arguments: the ASCII-armoured PGP private key of the sender.",
+            "<br><br>",
+            "Pretty Good Privacy is an encryption standard (OpenPGP) used for encrypting, decrypting, and signing messages.",
+            "<br><br>",
+            "This function uses the Keybase implementation of PGP.",
+        ].join("\n");
+        this.infoURL = "https://wikipedia.org/wiki/Pretty_Good_Privacy"; // Usually a Wikipedia link. Remember to remove localisation (i.e. https://wikipedia.org/etc rather than https://en.wikipedia.org/etc)
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [
+            {
+                "name": "Private key of signer",
+                "type": "text",
+                "value": ""
+            },
+            {
+                "name": "Private key passphrase (optional)",
+                "type": "string",
+                "value": ""
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     *
+     * @throws {OperationError} if failed private key import or failed encryption
+     */
+    async run(input, args) {
+        const message = input,
+            [privateKey, passphrase] = args;
+        let signedMessage;
+
+        if (!privateKey) throw new OperationError("Enter the private key of the signer.");
+        const privKey = await importPrivateKey(privateKey, passphrase);
+
+        try {
+            signedMessage = await promisify(kbpgp.box)({
+                "msg": message,
+                "sign_with": privKey,
+                "asp": ASP
+            });
+        } catch (err) {
+            throw new OperationError(`Couldn't sign message: ${err}`);
+        }
+
+        return signedMessage;
+    }
+
+}
+
+export default PGPSign;

package/src/core/operations/ParseEthernetFrame.mjs

@@ -92,7 +92,7 @@ class ParseEthernetFrame extends Operation {
         const packetData = input.slice(offset);
 
         if (outputFormat === "Packet data") {
-            return Utils.byteArrayToChars(packetData);
+            return Utils.escapeHtml(Utils.byteArrayToChars(packetData));
         } else if (outputFormat === "Packet data (hex)") {
             return toHex(packetData);
         } else if (outputFormat === "Text output") {

package/src/core/operations/ParseIPv4Header.mjs

@@ -138,7 +138,7 @@ class ParseIPv4Header extends Operation {
         } else if (outputFormat === "Data (hex)") {
             return toHex(data);
         } else if (outputFormat === "Data (raw)") {
-            return Utils.byteArrayToChars(data);
+            return Utils.escapeHtml(Utils.byteArrayToChars(data));
         }
     }
 

package/src/core/operations/ParseObjectIDTimestamp.mjs

@@ -6,7 +6,7 @@
 
 import Operation from "../Operation.mjs";
 import OperationError from "../errors/OperationError.mjs";
-import BSON from "bson";
+import { ObjectId } from "bson";
 
 /**
  * Parse ObjectID timestamp operation
@@ -35,7 +35,7 @@ class ParseObjectIDTimestamp extends Operation {
      */
     run(input, args) {
         try {
-            const objectId = new BSON.ObjectID(input);
+            const objectId = new ObjectId(input);
             return objectId.getTimestamp().toISOString();
         } catch (err) {
             throw new OperationError(err);

package/src/core/operations/ParseUserAgent.mjs

@@ -5,7 +5,7 @@
  */
 
 import Operation from "../Operation.mjs";
-import UAParser from "ua-parser-js";
+import { UAParser } from "ua-parser-js";
 
 /**
  * Parse User Agent operation

package/src/core/operations/ROR13.mjs

@@ -0,0 +1,83 @@
+/**
+ * ROR13 Hash operation (Windows API hashing convention)
+ * @author fufu_btw
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+
+/**
+ * Implements a ROR13 hash used for API name hashing techniques.
+ */
+class ROR13 extends Operation {
+
+    /**
+     * Constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "ROR13";
+        this.module = "Default";
+        this.description = "Computes a ROR13 hash used in API hashing techniques.";
+        this.infoURL = "";
+        this.inputType = "byteArray";
+        this.outputType = "string";
+
+        this.args = [];
+    }
+
+    /**
+     * Rotate right (32-bit)
+     *
+     * @param {number} value - input value
+     * @param {number} bits - rotation bits
+     * @returns {number} rotated value
+     */
+    ror(value, bits) {
+        return ((value >>> bits) | (value << (32 - bits))) >>> 0;
+    }
+
+    /**
+     * Execute ROR13 hash
+     *
+     * @param {byteArray} input - input bytes
+     * @param {Object[]} args - operation arguments
+     * @returns {string} hex hash
+     */
+    run(input, args) {
+        let hash = 0;
+
+        for (let i = 0; i < input.length; i++) {
+            const chr = input[i] & 0xFF;
+            hash = this.ror(hash, 13);
+            hash = (hash + chr) >>> 0;
+        }
+
+        return "0x" + hash.toString(16).padStart(8, "0").toUpperCase();
+    }
+
+    /**
+     * Highlight input
+     *
+     * @param {Object[]} pos
+     * @param {Object[]} args
+     * @returns {Object[]}
+     */
+    highlight(pos, args) {
+        return pos;
+    }
+
+    /**
+     * Reverse highlight
+     *
+     * @param {Object[]} pos
+     * @param {Object[]} args
+     * @returns {Object[]}
+     */
+    highlightReverse(pos, args) {
+        return pos;
+    }
+}
+
+export default ROR13;

package/src/core/operations/RemoveANSIEscapeCodes.mjs

@@ -0,0 +1,41 @@
+/**
+ * @author Louis-Ladd [lewisharshman1@gmail.com]
+ * @copyright Crown Copyright 2025
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+
+/**
+ * Remove ANSI Escape Codes operation
+ */
+class RemoveANSIEscapeCodes extends Operation {
+
+    /**
+     * RemoveANSIEscapeCodes constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "Remove ANSI Escape Codes";
+        this.module = "Default";
+        this.description = "Removes ANSI Escape Codes.";
+        this.infoURL = "https://wikipedia.org/wiki/ANSI_escape_code";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        const ansiRegex = /\x1B\[[0-?]*[ -/]*[@-~]/g;
+        return input.replace(ansiRegex, "");
+    }
+
+}
+
+export default RemoveANSIEscapeCodes;

package/src/core/operations/SeriesChart.mjs

@@ -15,6 +15,20 @@ import Utils from "../Utils.mjs";
 const d3 = d3temp.default ? d3temp.default : d3temp;
 const nodom = nodomtemp.default ? nodomtemp.default: nodomtemp;
 
+/**
+ * Removes D3's internal bound data from a nodom tree before serialization.
+ * nodom serializes enumerable expando properties such as __data__ as attributes,
+ * so leaving them on attacker-controlled values can create executable markup.
+ *
+ * @param {Object} node
+ */
+function clearD3BoundData(node) {
+    delete node.__data__;
+
+    if (!node.childNodes) return;
+    node.childNodes.forEach(clearD3BoundData);
+}
+
 /**
  * Series chart operation
  */
@@ -222,6 +236,8 @@ class SeriesChart extends Operation {
                 .text(serie.name);
         });
 
+        clearD3BoundData(svg.node());
+
         return svg._groups[0][0].outerHTML;
     }