npm - cyberchef - Versions diffs - 9.39.1 → 9.39.4 - Mend

cyberchef 9.39.1 → 9.39.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/package.json +1 -1
package/src/core/config/OperationConfig.json +14 -3
package/src/core/lib/FileSignatures.mjs +25 -1
package/src/core/operations/ExtractFiles.mjs +10 -2
package/src/core/operations/Fork.mjs +11 -2
package/src/core/operations/Merge.mjs +8 -2
package/src/core/operations/Subsection.mjs +10 -1
package/src/web/stylesheets/components/_operation.css +1 -1
package/tests/operations/index.mjs +1 -0
package/tests/operations/tests/Fork.mjs +14 -3
package/tests/operations/tests/Subsection.mjs +102 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cyberchef",
-  "version": "9.39.1",
+  "version": "9.39.4",
   "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
   "author": "n1474335 <n1474335@gmail.com>",
   "homepage": "https://gchq.github.io/CyberChef",

package/src/core/config/OperationConfig.json CHANGED Viewed

@@ -5044,7 +5044,7 @@
     },
     "Extract Files": {
         "module": "Default",
-        "description": "Performs file carving to attempt to extract files from the input.<br><br>This operation is currently capable of carving out the following formats:\n            <ul>\n                <li>\n                JPG,JPEG,JPE,THM,MPO</li><li>GIF</li><li>PNG</li><li>BMP</li><li>ICO</li><li>TGA</li><li>FLV</li><li>WAV</li><li>MP3</li><li>PDF</li><li>RTF</li><li>DOCX,XLSX,PPTX</li><li>EPUB</li><li>EXE,DLL,DRV,VXD,SYS,OCX,VBX,COM,FON,SCR</li><li>ELF,BIN,AXF,O,PRX,SO</li><li>DYLIB</li><li>ZIP</li><li>TAR</li><li>GZ</li><li>BZ2</li><li>ZLIB</li><li>XZ</li><li>JAR</li><li>LZOP,LZO</li><li>DEB</li><li>SQLITE</li><li>EVT</li><li>EVTX</li><li>DMP</li><li>PF</li><li>PLIST</li><li>KEYCHAIN</li><li>LNK\n                </li>\n            </ul>",
+        "description": "Performs file carving to attempt to extract files from the input.<br><br>This operation is currently capable of carving out the following formats:\n            <ul>\n                <li>\n                JPG,JPEG,JPE,THM,MPO</li><li>GIF</li><li>PNG</li><li>WEBP</li><li>BMP</li><li>ICO</li><li>TGA</li><li>FLV</li><li>WAV</li><li>MP3</li><li>PDF</li><li>RTF</li><li>DOCX,XLSX,PPTX</li><li>EPUB</li><li>EXE,DLL,DRV,VXD,SYS,OCX,VBX,COM,FON,SCR</li><li>ELF,BIN,AXF,O,PRX,SO</li><li>DYLIB</li><li>ZIP</li><li>TAR</li><li>GZ</li><li>BZ2</li><li>ZLIB</li><li>XZ</li><li>JAR</li><li>LZOP,LZO</li><li>DEB</li><li>SQLITE</li><li>EVT</li><li>EVTX</li><li>DMP</li><li>PF</li><li>PLIST</li><li>KEYCHAIN</li><li>LNK\n                </li>\n            </ul>Minimum File Size can be used to prune small false positives.",
         "infoURL": "https://forensicswiki.xyz/wiki/index.php?title=File_Carving",
         "inputType": "ArrayBuffer",
         "outputType": "html",
@@ -5090,6 +5090,11 @@
                 "name": "Ignore failed extractions",
                 "type": "boolean",
                 "value": true
+            },
+            {
+                "name": "Minimum File Size",
+                "type": "number",
+                "value": 100
             }
         ]
     },
@@ -8335,13 +8340,19 @@
     },
     "Merge": {
         "module": "Default",
-        "description": "Consolidate all branches back into a single trunk. The opposite of Fork.",
+        "description": "Consolidate all branches back into a single trunk. The opposite of Fork. Unticking the Merge All checkbox will only consolidate all branches up to the nearest Fork/Subsection.",
         "infoURL": null,
         "inputType": "string",
         "outputType": "string",
         "flowControl": true,
         "manualBake": false,
-        "args": []
+        "args": [
+            {
+                "name": "Merge All",
+                "type": "boolean",
+                "value": true
+            }
+        ]
     },
     "Microsoft Script Decoder": {
         "module": "Default",

package/src/core/lib/FileSignatures.mjs CHANGED Viewed

@@ -70,7 +70,7 @@ export const FILE_SIGNATURES = {
                 10: 0x42,
                 11: 0x50
             },
-            extractor: null
+            extractor: extractWEBP
         },
         {
             name: "Camera Image File Format",
@@ -3032,6 +3032,30 @@ export function extractPNG(bytes, offset) {
 }
+/**
+ * WEBP extractor.
+ *
+ * @param {Uint8Array} bytes
+ * @param {number} offset
+ * @returns {Uint8Array}
+ */
+export function extractWEBP(bytes, offset) {
+    const stream = new Stream(bytes.slice(offset));
+    // Move to file size offset.
+    stream.moveForwardsBy(4);
+    // Read file size field.
+    const fileSize = stream.readInt(4, "le");
+    // Move to end of file.
+    // There is no need to minus 8 from the size as the size factors in the offset.
+    stream.moveForwardsBy(fileSize);
+    return stream.carve();
+}
 /**
  * BMP extractor.
  *

package/src/core/operations/ExtractFiles.mjs CHANGED Viewed

@@ -38,7 +38,7 @@ class ExtractFiles extends Operation {
                 <li>
                 ${supportedExts.join("</li><li>")}
                 </li>
-            </ul>`;
+            </ul>Minimum File Size can be used to prune small false positives.`;
         this.infoURL = "https://forensicswiki.xyz/wiki/index.php?title=File_Carving";
         this.inputType = "ArrayBuffer";
         this.outputType = "List<File>";
@@ -54,6 +54,11 @@ class ExtractFiles extends Operation {
                 name: "Ignore failed extractions",
                 type: "boolean",
                 value: true
+            },
+            {
+                name: "Minimum File Size",
+                type: "number",
+                value: 100
             }
         ]);
     }
@@ -66,6 +71,7 @@ class ExtractFiles extends Operation {
     run(input, args) {
         const bytes = new Uint8Array(input),
             categories = [],
+            minSize = args.pop(1),
             ignoreFailedExtractions = args.pop(1);
         args.forEach((cat, i) => {
@@ -80,7 +86,9 @@ class ExtractFiles extends Operation {
         const errors = [];
         detectedFiles.forEach(detectedFile => {
             try {
-                files.push(extractFile(bytes, detectedFile.fileDetails, detectedFile.offset));
+                const file = extractFile(bytes, detectedFile.fileDetails, detectedFile.offset);
+                if (file.size >= minSize)
+                    files.push(file);
             } catch (err) {
                 if (!ignoreFailedExtractions && err.message.indexOf("No extraction algorithm available") < 0) {
                     errors.push(

package/src/core/operations/Fork.mjs CHANGED Viewed

@@ -65,12 +65,21 @@ class Fork extends Operation {
         if (input)
             inputs = input.split(splitDelim);
+        // Set to 1 as if we are here, then there is one, the current one.
+        let numOp = 1;
         // Create subOpList for each tranche to operate on
-        // (all remaining operations unless we encounter a Merge)
+        // all remaining operations unless we encounter a Merge
         for (i = state.progress + 1; i < opList.length; i++) {
             if (opList[i].name === "Merge" && !opList[i].disabled) {
-                break;
+                numOp--;
+                if (numOp === 0 || opList[i].ingValues[0])
+                    break;
+                else
+                    // Not this Fork's Merge.
+                    subOpList.push(opList[i]);
             } else {
+                if (opList[i].name === "Fork" || opList[i].name === "Subsection")
+                    numOp++;
                 subOpList.push(opList[i]);
             }
         }

package/src/core/operations/Merge.mjs CHANGED Viewed

@@ -20,10 +20,16 @@ class Merge extends Operation {
         this.name = "Merge";
         this.flowControl = true;
         this.module = "Default";
-        this.description = "Consolidate all branches back into a single trunk. The opposite of Fork.";
+        this.description = "Consolidate all branches back into a single trunk. The opposite of Fork. Unticking the Merge All checkbox will only consolidate all branches up to the nearest Fork/Subsection.";
         this.inputType = "string";
         this.outputType = "string";
-        this.args = [];
+        this.args = [
+            {
+                name: "Merge All",
+                type: "boolean",
+                value: true,
+            }
+        ];
     }
     /**

package/src/core/operations/Subsection.mjs CHANGED Viewed

@@ -67,12 +67,21 @@ class Subsection extends Operation {
             subOpList   = [];
         if (input && section !== "") {
+            // Set to 1 as if we are here, then there is one, the current one.
+            let numOp = 1;
             // Create subOpList for each tranche to operate on
             // all remaining operations unless we encounter a Merge
             for (let i = state.progress + 1; i < opList.length; i++) {
                 if (opList[i].name === "Merge" && !opList[i].disabled) {
-                    break;
+                    numOp--;
+                    if (numOp === 0 || opList[i].ingValues[0])
+                        break;
+                    else
+                        // Not this subsection's Merge.
+                        subOpList.push(opList[i]);
                 } else {
+                    if (opList[i].name === "Fork" || opList[i].name === "Subsection")
+                        numOp++;
                     subOpList.push(opList[i]);
                 }
             }

package/src/web/stylesheets/components/_operation.css CHANGED Viewed

@@ -186,7 +186,7 @@ div.toggle-string {
 }
 .ingredients .dropdown-toggle-split {
-    height: 41px !important;
+    height: 40px !important;
 }
 .boolean-arg {

package/tests/operations/index.mjs CHANGED Viewed

@@ -114,6 +114,7 @@ import "./tests/HASSH.mjs";
 import "./tests/GetAllCasings.mjs";
 import "./tests/SIGABA.mjs";
 import "./tests/ELFInfo.mjs";
+import "./tests/Subsection.mjs";
 // Cannot test operations that use the File type yet

package/tests/operations/tests/Fork.mjs CHANGED Viewed

@@ -31,7 +31,7 @@ TestRegister.addTests([
             },
             {
                 op: "Merge",
-                args: [],
+                args: [true],
             },
         ],
     },
@@ -50,7 +50,7 @@ TestRegister.addTests([
             },
             {
                 op: "Merge",
-                args: [],
+                args: [true],
             },
         ],
     },
@@ -66,5 +66,16 @@ TestRegister.addTests([
             {"op": "Label", "args": ["skipReturn"]},
             {"op": "To Base64", "args": ["A-Za-z0-9+/="]}
         ]
-    }
+    },
+    {
+        name: "Fork, Partial Merge",
+        input: "Hello World",
+        expectedOutput: "48656c6c6f 576f726c64",
+        recipeConfig: [
+            { "op": "Fork",   "args": [" ", " ", false] },
+            { "op": "Fork",   "args": ["l", "l", false] },
+            { "op": "Merge",  "args": [false] },
+            { "op": "To Hex", "args": ["None", 0] },
+        ]
+    },
 ]);

package/tests/operations/tests/Subsection.mjs ADDED Viewed

@@ -0,0 +1,102 @@
+/**
+ * Subsection Tests.
+ *
+ * @author n1073645 [n1073645@gmail.com]
+ * @copyright Crown Copyright 2022
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+TestRegister.addTests([
+    {
+        name: "Subsection: nothing",
+        input: "",
+        expectedOutput: "",
+        recipeConfig: [
+            {
+                "op": "Subsection",
+                "args": ["", true, true, false],
+            },
+        ],
+    },
+    {
+        name: "Subsection, Full Merge: nothing",
+        input: "",
+        expectedOutput: "",
+        recipeConfig: [
+            {
+                "op": "Subsection",
+                "args": ["", true, true, false],
+            },
+            {
+                "op": "Merge",
+                "args": [true],
+            },
+        ],
+    },
+    {
+        name: "Subsection, Partial Merge: nothing",
+        input: "",
+        expectedOutput: "",
+        recipeConfig: [
+            {
+                "op": "Subsection",
+                "args": ["", true, true, false],
+            },
+            {
+                "op": "Merge",
+                "args": [false],
+            },
+        ],
+    },
+    {
+        name: "Subsection, Full Merge: Base64 with Hex",
+        input: "SGVsbG38675629ybGQ=",
+        expectedOutput: "Hello World",
+        recipeConfig: [
+            {
+                "op": "Subsection",
+                "args": ["386756", true, true, false],
+            },
+            {
+                "op": "From Hex",
+                "args": ["Auto"],
+            },
+            {
+                "op": "Merge",
+                "args": [true],
+            },
+            {
+                "op": "From Base64",
+                "args": ["A-Za-z0-9+/=", true, false],
+            },
+        ],
+    },
+    {
+        name: "Subsection, Partial Merge: Base64 with Hex surrounded by binary data.",
+        input: "000000000SGVsbG38675629ybGQ=0000000000",
+        expectedOutput: "000000000Hello World0000000000",
+        recipeConfig: [
+            {
+                "op": "Subsection",
+                "args": ["SGVsbG38675629ybGQ=", true, true, false],
+            },
+            {
+                "op": "Subsection",
+                "args": ["386756", true, true, false],
+            },
+            {
+                "op": "From Hex",
+                "args": ["Auto"],
+            },
+            {
+                "op": "Merge",
+                "args": [false],
+            },
+            {
+                "op": "From Base64",
+                "args": ["A-Za-z0-9+/=", true, false],
+            },
+        ],
+    },
+]);