stegdoc 1.0.0

package/src/lib/metadata.js

@@ -0,0 +1,111 @@
+/**
+ * Create metadata object for encoding
+ * @param {object} options - Metadata options
+ * @param {string} options.originalFilename - Original filename
+ * @param {string} options.originalExtension - Original file extension
+ * @param {string} options.hash - Hash identifier for this file
+ * @param {number} options.partNumber - Part number (for split files)
+ * @param {number} options.totalParts - Total number of parts
+ * @param {number} options.originalSize - Original file size in bytes
+ * @param {string} options.format - Output format ('xlsx' or 'docx')
+ * @param {boolean} options.encrypted - Whether the content is encrypted
+ * @param {boolean} options.compressed - Whether the content is compressed
+ * @param {string} options.contentHash - SHA-256 hash of original file for integrity verification
+ * @returns {object} Metadata object
+ */
+function createMetadata({
+  originalFilename,
+  originalExtension,
+  hash,
+  partNumber = null,
+  totalParts = null,
+  originalSize = 0,
+  format = 'xlsx',
+  encrypted = true,
+  compressed = false,
+  contentHash = null,
+}) {
+  return {
+    originalFilename,
+    originalExtension,
+    hash,
+    partNumber,
+    totalParts,
+    originalSize,
+    format,
+    encrypted,
+    compressed,
+    contentHash,
+    encodingDate: new Date().toISOString(),
+    version: '1.0.0',
+    tool: 'stegdoc',
+  };
+}
+
+/**
+ * Serialize metadata to string format for storage in DOCX
+ * @param {object} metadata - Metadata object
+ * @returns {string} JSON string
+ */
+function serializeMetadata(metadata) {
+  return JSON.stringify(metadata);
+}
+
+/**
+ * Parse metadata from string
+ * @param {string} metadataStr - JSON string
+ * @returns {object} Metadata object
+ */
+function parseMetadata(metadataStr) {
+  try {
+    return JSON.parse(metadataStr);
+  } catch (error) {
+    throw new Error(`Failed to parse metadata: ${error.message}`);
+  }
+}
+
+/**
+ * Validate metadata object
+ * @param {object} metadata - Metadata to validate
+ * @returns {boolean} True if valid
+ * @throws {Error} If metadata is invalid
+ */
+function validateMetadata(metadata) {
+  const required = ['originalFilename', 'originalExtension', 'hash', 'tool'];
+
+  for (const field of required) {
+    if (!metadata[field]) {
+      throw new Error(`Missing required metadata field: ${field}`);
+    }
+  }
+
+  if (metadata.tool !== 'stegdoc' && metadata.tool !== 'docstash' && metadata.tool !== 'whitener') {
+    throw new Error('Invalid tool identifier in metadata');
+  }
+
+  // If it's a multi-part file, validate part info
+  if (metadata.totalParts !== null && metadata.totalParts > 1) {
+    if (metadata.partNumber === null || metadata.partNumber < 1 || metadata.partNumber > metadata.totalParts) {
+      throw new Error('Invalid part number in metadata');
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Check if metadata indicates a multi-part file
+ * @param {object} metadata - Metadata object
+ * @returns {boolean} True if multi-part
+ */
+function isMultiPart(metadata) {
+  return metadata.totalParts !== null && metadata.totalParts > 1;
+}
+
+module.exports = {
+  createMetadata,
+  serializeMetadata,
+  parseMetadata,
+  validateMetadata,
+  isMultiPart,
+};

package/src/lib/utils.js

@@ -0,0 +1,227 @@
+const crypto = require('crypto');
+
+/**
+ * Generate a random hash for file naming
+ * @param {number} length - Length of hash in bytes (default 8)
+ * @returns {string} Hexadecimal hash string
+ */
+function generateHash(length = 8) {
+  return crypto.randomBytes(length).toString('hex');
+}
+
+/**
+ * Generate SHA-256 hash of a buffer for integrity verification
+ * @param {Buffer} buffer - Data to hash
+ * @returns {string} Hexadecimal SHA-256 hash
+ */
+function generateContentHash(buffer) {
+  return crypto.createHash('sha256').update(buffer).digest('hex');
+}
+
+/**
+ * Parse size string to bytes
+ * @param {string} sizeStr - Size string (e.g., "5MB", "100KB", "1GB")
+ * @returns {number} Size in bytes
+ */
+function parseSizeToBytes(sizeStr) {
+  if (typeof sizeStr === 'number') {
+    return sizeStr;
+  }
+
+  const units = {
+    B: 1,
+    KB: 1024,
+    MB: 1024 * 1024,
+    GB: 1024 * 1024 * 1024,
+  };
+
+  const match = sizeStr.trim().toUpperCase().match(/^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)?$/);
+
+  if (!match) {
+    throw new Error(`Invalid size format: ${sizeStr}. Use format like "5MB", "100KB", etc.`);
+  }
+
+  const value = parseFloat(match[1]);
+  const unit = match[2] || 'B';
+
+  return Math.floor(value * units[unit]);
+}
+
+/**
+ * Format bytes to human-readable string
+ * @param {number} bytes - Number of bytes
+ * @param {number} decimals - Number of decimal places (default 2)
+ * @returns {string} Formatted size string
+ */
+function formatBytes(bytes, decimals = 2) {
+  if (bytes === 0) return '0 B';
+
+  const k = 1024;
+  const dm = decimals < 0 ? 0 : decimals;
+  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+
+  return parseFloat((bytes / Math.pow(k, i)).toFixed(dm)) + ' ' + sizes[i];
+}
+
+/**
+ * Generate a realistic-looking filename that matches the decoy theme
+ * Decoy data contains ~4 hours of server logs, so filenames reflect periodic reports
+ *
+ * @param {string} hash - Hash identifier (used internally for matching parts)
+ * @param {number} partNumber - Part number (optional, for split files)
+ * @param {number} totalParts - Total number of parts (optional)
+ * @param {string} format - Output format ('xlsx' or 'docx'), default 'xlsx'
+ * @returns {string} Realistic filename WITH extension
+ */
+function generateFilename(hash, partNumber = null, totalParts = null, format = 'xlsx') {
+  const ext = format.toLowerCase() === 'docx' ? 'docx' : 'xlsx';
+
+  // Generate deterministic timestamp based on hash (so all parts match)
+  // Use different parts of hash for day and hour to get better distribution
+  const hashNumLow = parseInt(hash.slice(0, 8), 16) >>> 0;
+  const hashNumHigh = parseInt(hash.slice(8, 16), 16) >>> 0;
+  const daysAgo = hashNumLow % 7; // 0-6 days ago
+  const hourBlock = (hashNumHigh % 6) * 4; // 0, 4, 8, 12, 16, 20
+
+  const now = new Date();
+  const date = new Date(now.getTime() - daysAgo * 24 * 60 * 60 * 1000);
+
+  // Format date in local timezone (YYYYMMDD)
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, '0');
+  const day = String(date.getDate()).padStart(2, '0');
+  const dateStr = `${year}${month}${day}`;
+  const timeStr = String(hourBlock).padStart(2, '0') + '00'; // HH00
+
+  // Use last 4 chars of hash as a "report ID" to keep files linked
+  const reportId = hash.slice(-4).toUpperCase();
+
+  if (format === 'xlsx') {
+    // Server metrics theme - looks like periodic 4-hour monitoring exports
+    if (partNumber !== null && totalParts !== null) {
+      return `server_metrics_${dateStr}_${timeStr}_${reportId}_part${partNumber}.${ext}`;
+    }
+    return `server_metrics_${dateStr}_${timeStr}_${reportId}.${ext}`;
+  } else {
+    // DOCX - use a different theme
+    if (partNumber !== null && totalParts !== null) {
+      return `system_report_${dateStr}_${timeStr}_${reportId}_part${partNumber}.${ext}`;
+    }
+    return `system_report_${dateStr}_${timeStr}_${reportId}.${ext}`;
+  }
+}
+
+/**
+ * Legacy alias for backward compatibility
+ */
+function generateDocxFilename(hash, partNumber = null, totalParts = null) {
+  return generateFilename(hash, partNumber, totalParts, 'docx').replace(/\.docx$/, '');
+}
+
+/**
+ * Parse filename to extract hash, part information, and format
+ * @param {string} filename - Filename to parse
+ * @returns {object} Object with hash, partNumber, totalParts, baseHash, format
+ */
+function parseFilename(filename) {
+  // Detect format from extension
+  let format = 'xlsx';
+  let name = filename;
+
+  if (/\.docx$/i.test(filename)) {
+    format = 'docx';
+    name = filename.replace(/\.docx$/i, '');
+  } else if (/\.xlsx$/i.test(filename)) {
+    format = 'xlsx';
+    name = filename.replace(/\.xlsx$/i, '');
+  }
+
+  // Try new realistic filename format first
+  // Pattern: server_metrics_YYYYMMDD_HH00_XXXX[_partN]
+  // Or: system_report_YYYYMMDD_HH00_XXXX[_partN]
+  const realisticPattern = /^(server_metrics|system_report)_(\d{8})_(\d{4})_([A-F0-9]{4})(?:_part(\d+))?$/i;
+  const realisticMatch = name.match(realisticPattern);
+
+  if (realisticMatch) {
+    const [, prefix, dateStr, timeStr, reportId, partStr] = realisticMatch;
+    // Create a pseudo-hash from the components for matching purposes
+    // The reportId is the last 4 chars of the original hash
+    const baseIdentifier = `${dateStr}_${timeStr}_${reportId}`;
+
+    return {
+      hash: name,
+      baseHash: baseIdentifier,
+      partNumber: partStr ? parseInt(partStr, 10) : null,
+      totalParts: null, // Will be determined from metadata
+      format,
+      // Extra info for matching
+      reportId: reportId.toUpperCase(),
+      dateStr,
+      timeStr,
+    };
+  }
+
+  // Legacy: Check if it's a hex string (old format)
+  if (/^[a-f0-9]+$/i.test(name)) {
+    // Could be either single file or multi-part
+    // Single files are 16 chars (8 bytes), multi-part are 18+ chars (16 + 2 digit part number)
+
+    if (name.length === 16) {
+      // Single file
+      return {
+        hash: name,
+        baseHash: name,
+        partNumber: null,
+        totalParts: null,
+        format,
+      };
+    } else if (name.length >= 18) {
+      // Multi-part: last 2 chars are the part number
+      const baseHash = name.slice(0, -2);
+      const partNumber = parseInt(name.slice(-2), 10);
+
+      return {
+        hash: name,
+        baseHash: baseHash,
+        partNumber: partNumber,
+        totalParts: null, // Will be determined from metadata
+        format,
+      };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Legacy alias for backward compatibility
+ */
+function parseDocxFilename(filename) {
+  return parseFilename(filename);
+}
+
+/**
+ * Detect file format from extension
+ * @param {string} filename - Filename to check
+ * @returns {string} 'xlsx', 'docx', or null if unknown
+ */
+function detectFormat(filename) {
+  if (/\.xlsx$/i.test(filename)) return 'xlsx';
+  if (/\.docx$/i.test(filename)) return 'docx';
+  return null;
+}
+
+module.exports = {
+  generateHash,
+  generateContentHash,
+  parseSizeToBytes,
+  formatBytes,
+  generateFilename,
+  parseFilename,
+  detectFormat,
+  // Legacy aliases for backward compatibility
+  generateDocxFilename,
+  parseDocxFilename,
+};

package/src/lib/xlsx-handler.js

@@ -0,0 +1,359 @@
+const ExcelJS = require('exceljs');
+const fs = require('fs');
+const path = require('path');
+const AdmZip = require('adm-zip');
+const { generateDecoyHeaders, generateDecoyData, calculateDecoyRowCount, rowToArray, resetTimeWindow } = require('./decoy-generator');
+const { parseXmlFromZip, ensureArray, extractTextContent } = require('./xml-utils');
+
+// Constants for data storage
+const HIDDEN_SHEET_NAME = 'Data';
+const VISIBLE_SHEET_NAME = 'Server Metrics';
+const CELL_CHUNK_SIZE = 32000; // Max characters per cell (~32KB)
+
+/**
+ * Create an XLSX file with encrypted base64 content hidden in a veryHidden sheet
+ * @param {object} options - Options for creating the XLSX
+ * @param {string} options.base64Content - Encrypted base64 content to store
+ * @param {string} options.encryptionMeta - Packed encryption metadata (iv:salt:authTag)
+ * @param {object} options.metadata - Metadata object (serialized JSON)
+ * @param {string} options.outputPath - Output file path
+ * @returns {Promise<string>} Path to created file
+ */
+async function createXlsxWithBase64(options) {
+  const { base64Content, encryptionMeta, metadata, outputPath } = options;
+
+  const workbook = new ExcelJS.Workbook();
+
+  // Set workbook properties to look legitimate
+  workbook.creator = 'Microsoft Excel';
+  workbook.lastModifiedBy = 'Microsoft Excel';
+  workbook.created = new Date();
+  workbook.modified = new Date();
+
+  // === Sheet 1: Visible decoy data (server metrics) ===
+  const visibleSheet = workbook.addWorksheet(VISIBLE_SHEET_NAME, {
+    properties: { tabColor: { argb: '4472C4' } },
+  });
+
+  // Add headers
+  const headers = generateDecoyHeaders();
+  const headerRow = visibleSheet.addRow(headers);
+
+  // Style header columns (10 columns for metrics data)
+  const headerCount = headers.length;
+  for (let col = 1; col <= headerCount; col++) {
+    const cell = headerRow.getCell(col);
+    cell.font = { bold: true, size: 11, color: { argb: 'FFFFFF' } };
+    cell.fill = {
+      type: 'pattern',
+      pattern: 'solid',
+      fgColor: { argb: '2E7D32' }, // Green for metrics/monitoring theme
+    };
+  }
+
+  // Calculate decoy row count based on payload size
+  const payloadSize = base64Content.length;
+  const rowCount = calculateDecoyRowCount(payloadSize);
+
+  // Generate and add decoy data
+  const decoyData = generateDecoyData(rowCount);
+  decoyData.forEach((row) => {
+    visibleSheet.addRow(rowToArray(row));
+  });
+
+  // Auto-fit columns for metrics data
+  visibleSheet.columns = [
+    { width: 20 }, // Timestamp
+    { width: 16 }, // Server ID
+    { width: 12 }, // Status
+    { width: 8 },  // CPU %
+    { width: 10 }, // Memory %
+    { width: 8 },  // Disk %
+    { width: 14 }, // Network (MB/s)
+    { width: 10 }, // Requests
+    { width: 14 }, // Resp Time (ms)
+    { width: 12 }, // Uptime (hrs)
+  ];
+
+  // Add filters to look more professional
+  visibleSheet.autoFilter = {
+    from: 'A1',
+    to: `J${rowCount + 1}`,
+  };
+
+  // === Sheet 2: Hidden payload (veryHidden) ===
+  const hiddenSheet = workbook.addWorksheet(HIDDEN_SHEET_NAME, {
+    state: 'veryHidden', // Not visible in Excel UI at all
+  });
+
+  // Store encryption metadata in cell A1
+  hiddenSheet.getCell('A1').value = encryptionMeta;
+
+  // Store serialized metadata in cell B1
+  hiddenSheet.getCell('B1').value = metadata;
+
+  // Split base64 content into chunks and store in cells
+  const chunks = splitIntoChunks(base64Content, CELL_CHUNK_SIZE);
+
+  // Store chunk count in C1 for reconstruction
+  hiddenSheet.getCell('C1').value = chunks.length.toString();
+
+  // Store chunks starting from A2
+  chunks.forEach((chunk, index) => {
+    const row = Math.floor(index / 26) + 2; // Start from row 2
+    const col = (index % 26) + 1; // Columns A-Z
+    hiddenSheet.getCell(row, col).value = chunk;
+  });
+
+  // Ensure output directory exists
+  const outputDir = path.dirname(outputPath);
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  // Write workbook to file
+  await workbook.xlsx.writeFile(outputPath);
+
+  // Post-process: ensure veryHidden state is set correctly
+  // ExcelJS sometimes has issues with veryHidden, so we fix it via XML
+  await ensureVeryHidden(outputPath);
+
+  return outputPath;
+}
+
+/**
+ * Read an XLSX file and extract encrypted base64 content and metadata
+ * @param {string} xlsxPath - Path to XLSX file
+ * @returns {Promise<object>} Object containing base64Content, encryptionMeta, and metadata
+ */
+async function readXlsxBase64(xlsxPath) {
+  if (!fs.existsSync(xlsxPath)) {
+    throw new Error(`XLSX file not found: ${xlsxPath}`);
+  }
+
+  // Try ExcelJS first, fall back to direct XML extraction if it fails
+  // (ExcelJS fails when namespace prefixes are changed, e.g., ns0:)
+  let hiddenSheet = null;
+  try {
+    const workbook = new ExcelJS.Workbook();
+    await workbook.xlsx.readFile(xlsxPath);
+
+    // Find the hidden sheet
+    workbook.eachSheet((sheet) => {
+      if (sheet.name === HIDDEN_SHEET_NAME || sheet.state === 'veryHidden') {
+        hiddenSheet = sheet;
+      }
+    });
+  } catch (excelError) {
+    // ExcelJS failed (likely namespace issue), use direct XML extraction
+    return await extractFromXml(xlsxPath);
+  }
+
+  // If not found via ExcelJS (veryHidden might be invisible), try direct XML extraction
+  if (!hiddenSheet) {
+    return await extractFromXml(xlsxPath);
+  }
+
+  // Extract encryption metadata from A1 (may be empty if unencrypted)
+  const encryptionMeta = hiddenSheet.getCell('A1').value || '';
+
+  // Extract serialized metadata from B1
+  const metadata = hiddenSheet.getCell('B1').value;
+  if (!metadata) {
+    throw new Error('No metadata found in XLSX file.');
+  }
+
+  // Get chunk count from C1
+  const chunkCountStr = hiddenSheet.getCell('C1').value;
+  const chunkCount = parseInt(chunkCountStr, 10);
+
+  if (isNaN(chunkCount) || chunkCount <= 0) {
+    throw new Error('Invalid chunk count in XLSX file.');
+  }
+
+  // Reconstruct base64 content from chunks
+  const chunks = [];
+  for (let i = 0; i < chunkCount; i++) {
+    const row = Math.floor(i / 26) + 2;
+    const col = (i % 26) + 1;
+    const chunk = hiddenSheet.getCell(row, col).value;
+    if (chunk) {
+      chunks.push(chunk);
+    }
+  }
+
+  const base64Content = chunks.join('');
+
+  return {
+    base64Content,
+    encryptionMeta,
+    metadata,
+  };
+}
+
+/**
+ * Extract data directly from XLSX XML using proper XML parser
+ * Handles any namespace prefix (default, ns0:, ns1:, etc.)
+ * @param {string} xlsxPath - Path to XLSX file
+ * @returns {Promise<object>} Extracted data
+ */
+async function extractFromXml(xlsxPath) {
+  // Parse shared strings using namespace-agnostic parser
+  let sharedStrings = [];
+  const ssParsed = parseXmlFromZip(xlsxPath, 'xl/sharedStrings.xml');
+
+  if (ssParsed && ssParsed.sst && ssParsed.sst.si) {
+    const siArray = ensureArray(ssParsed.sst.si);
+    sharedStrings = siArray.map((si) => extractTextContent(si.t));
+  }
+
+  // Parse the hidden sheet (sheet2.xml is our default location)
+  const sheetParsed = parseXmlFromZip(xlsxPath, 'xl/worksheets/sheet2.xml');
+
+  if (!sheetParsed) {
+    throw new Error('Hidden sheet not found in XLSX file. This may not be a whitener-encoded file.');
+  }
+
+  // Build cell map from worksheet > sheetData > row > c
+  const cellValues = new Map();
+  const sheetData = sheetParsed.worksheet?.sheetData;
+
+  if (sheetData && sheetData.row) {
+    const rows = ensureArray(sheetData.row);
+
+    for (const row of rows) {
+      if (!row.c) continue;
+      const cells = ensureArray(row.c);
+
+      for (const cell of cells) {
+        const cellRef = cell['@_r']; // e.g., "A1", "B1"
+        const cellType = cell['@_t']; // "s" for shared string
+        const cellValue = cell.v;
+
+        if (cellRef === undefined) continue;
+
+        if (cellType === 's' && cellValue !== undefined) {
+          // Shared string reference
+          const ssIndex = parseInt(cellValue, 10);
+          if (ssIndex < sharedStrings.length) {
+            cellValues.set(cellRef, sharedStrings[ssIndex]);
+          }
+        } else if (cellValue !== undefined) {
+          cellValues.set(cellRef, String(cellValue));
+        }
+      }
+    }
+  }
+
+  // Extract our data
+  const encryptionMeta = cellValues.get('A1') || ''; // May be empty if unencrypted
+  const metadata = cellValues.get('B1');
+  const chunkCountStr = cellValues.get('C1');
+
+  if (!metadata) {
+    throw new Error('No metadata found in XLSX file.');
+  }
+
+  const chunkCount = parseInt(chunkCountStr, 10);
+  if (isNaN(chunkCount) || chunkCount <= 0) {
+    throw new Error('Invalid chunk count in XLSX file.');
+  }
+
+  // Reconstruct chunks
+  const chunks = [];
+  for (let i = 0; i < chunkCount; i++) {
+    const row = Math.floor(i / 26) + 2;
+    const col = (i % 26) + 1;
+    const cellRef = `${columnToLetter(col)}${row}`;
+    const chunk = cellValues.get(cellRef);
+    if (chunk) {
+      chunks.push(chunk);
+    }
+  }
+
+  return {
+    base64Content: chunks.join(''),
+    encryptionMeta,
+    metadata,
+  };
+}
+
+/**
+ * Ensure the hidden sheet is truly veryHidden by modifying the workbook.xml
+ * @param {string} xlsxPath - Path to XLSX file
+ */
+async function ensureVeryHidden(xlsxPath) {
+  const zip = new AdmZip(xlsxPath);
+
+  // Modify workbook.xml to ensure veryHidden state
+  const workbookEntry = zip.getEntry('xl/workbook.xml');
+  if (workbookEntry) {
+    let workbookXml = workbookEntry.getData().toString('utf8');
+
+    // Find the Data sheet and fix its state to veryHidden
+    // First, remove any existing state attribute from the Data sheet
+    workbookXml = workbookXml.replace(
+      /(<sheet[^>]*name="Data"[^>]*)\s+state="[^"]*"([^>]*\/>)/gi,
+      '$1 state="veryHidden"$2'
+    );
+
+    // If no state attribute was present, add one
+    if (!workbookXml.match(/<sheet[^>]*name="Data"[^>]*state="/i)) {
+      workbookXml = workbookXml.replace(
+        /(<sheet[^>]*name="Data")([^>]*\/>)/gi,
+        '$1 state="veryHidden"$2'
+      );
+    }
+
+    zip.updateFile('xl/workbook.xml', Buffer.from(workbookXml, 'utf8'));
+    zip.writeZip(xlsxPath);
+  }
+}
+
+/**
+ * Split a string into chunks of specified size
+ * @param {string} str - String to split
+ * @param {number} size - Max chunk size
+ * @returns {Array<string>} Array of chunks
+ */
+function splitIntoChunks(str, size) {
+  const chunks = [];
+  for (let i = 0; i < str.length; i += size) {
+    chunks.push(str.slice(i, i + size));
+  }
+  return chunks;
+}
+
+/**
+ * Convert column number to letter (1=A, 2=B, ..., 27=AA)
+ * @param {number} col - Column number (1-based)
+ * @returns {string} Column letter
+ */
+function columnToLetter(col) {
+  let letter = '';
+  while (col > 0) {
+    const mod = (col - 1) % 26;
+    letter = String.fromCharCode(65 + mod) + letter;
+    col = Math.floor((col - 1) / 26);
+  }
+  return letter;
+}
+
+/**
+ * Decode XML entities
+ * @param {string} str - String with XML entities
+ * @returns {string} Decoded string
+ */
+function decodeXmlEntities(str) {
+  return str
+    .replace(/&quot;/g, '"')
+    .replace(/&apos;/g, "'")
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>')
+    .replace(/&amp;/g, '&');
+}
+
+module.exports = {
+  createXlsxWithBase64,
+  readXlsxBase64,
+};