mirrors/CyberChef
1
0
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2025-04-22 15:56:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added a CodeQL workflow to check for bugs through code analysis. Fixed numerous bugs and implemented safeguards as already reported.

Browse source
This commit is contained in:
n1474335 2021-02-10 13:13:19 +00:00
parent 892a3716ed
commit 1abc46058c
32 changed files with 87 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/core/ChefWorker.js
View file

@ -212,7 +212,7 @@ self.loadRequiredModules = function(recipeConfig) {
if (!(module in OpModules)) {
log.info(`Loading ${module} module`);
self.sendStatusMessage(`Loading ${module} module`);
self.importScripts(`${self.docURL}/modules/${module}.js`);
self.importScripts(`${self.docURL}/modules/${module}.js`); // lgtm [js/client-side-unvalidated-url-redirection]
self.sendStatusMessage("");
}
});

2
src/core/Dish.mjs
View file

@ -207,7 +207,7 @@ class Dish {
const data = new Uint8Array(this.value.slice(0, 2048)),
types = detectFileType(data);
if (!types.length || !types[0].mime || !types[0].mime === "text/plain") {
if (!types.length || !types[0].mime || !(types[0].mime === "text/plain")) {
return null;
} else {
return types[0].mime;

7
src/core/Utils.mjs
View file

@ -705,7 +705,7 @@ class Utils {
*/
static stripHtmlTags(htmlStr, removeScriptAndStyle=false) {
if (removeScriptAndStyle) {
htmlStr = htmlStr.replace(/<(script|style)[^>]*>.*<\/(script|style)>/gmi, "");
htmlStr = htmlStr.replace(/<(script|style)[^>]*>.*?<\/(script|style)>/gi, "");
}
return htmlStr.replace(/<[^>]+>/g, "");
}
@ -729,11 +729,10 @@ class Utils {
">": "&gt;",
'"': "&quot;",
"'": "&#x27;", // &apos; not recommended because it's not in the HTML spec
"/": "&#x2F;", // forward slash is included as it helps end an HTML entity
"`": "&#x60;"
};
return str.replace(/[&<>"'/`]/g, function (match) {
return str.replace(/[&<>"'`]/g, function (match) {
return HTML_CHARS[match];
});
}
@ -879,7 +878,7 @@ class Utils {
while ((m = recipeRegex.exec(recipe))) {
// Translate strings in args back to double-quotes
args = m[2]
.replace(/"/g, '\\"') // Escape double quotes
.replace(/"/g, '\\"') // Escape double quotes lgtm [js/incomplete-sanitization]
.replace(/(^|,|{|:)'/g, '$1"') // Replace opening ' with "
.replace(/([^\\]|(?:\\\\)+)'(,|:|}|$)/g, '$1"$2') // Replace closing ' with "
.replace(/\\'/g, "'"); // Unescape single quotes

2
src/core/config/scripts/newOperation.mjs
View file

@ -121,7 +121,7 @@ prompt.get(schema, (err, result) => {
const moduleName = result.opName.replace(/\w\S*/g, txt => {
return txt.charAt(0).toUpperCase() + txt.substr(1);
}).replace(/[\s-()/./]/g, "");
}).replace(/[\s-()./]/g, "");
const template = `/**

6
src/core/lib/Base85.mjs
View file

@ -32,9 +32,9 @@ export const ALPHABET_OPTIONS = [
* @returns {string}
*/
export function alphabetName(alphabet) {
alphabet = alphabet.replace("'", "&apos;");
alphabet = alphabet.replace("\"", "&quot;");
alphabet = alphabet.replace("\\", "&bsol;");
alphabet = alphabet.replace(/'/g, "&apos;");
alphabet = alphabet.replace(/"/g, "&quot;");
alphabet = alphabet.replace(/\\/g, "&bsol;");
let name;
ALPHABET_OPTIONS.forEach(function(a) {

10
src/core/lib/Charts.mjs
View file

@ -86,8 +86,8 @@ export function getScatterValues(input, recordDelimiter, fieldDelimiter, columnH
}
values = values.map(row => {
const x = parseFloat(row[0], 10),
y = parseFloat(row[1], 10);
const x = parseFloat(row[0]),
y = parseFloat(row[1]);
if (Number.isNaN(x)) throw new OperationError("Values must be numbers in base 10.");
if (Number.isNaN(y)) throw new OperationError("Values must be numbers in base 10.");
@ -121,8 +121,8 @@ export function getScatterValuesWithColour(input, recordDelimiter, fieldDelimite
}
values = values.map(row => {
const x = parseFloat(row[0], 10),
y = parseFloat(row[1], 10),
const x = parseFloat(row[0]),
y = parseFloat(row[1]),
colour = row[2];
if (Number.isNaN(x)) throw new OperationError("Values must be numbers in base 10.");
@ -157,7 +157,7 @@ export function getSeriesValues(input, recordDelimiter, fieldDelimiter, columnHe
values.forEach(row => {
const serie = row[0],
xVal = row[1],
val = parseFloat(row[2], 10);
val = parseFloat(row[2]);
if (Number.isNaN(val)) throw new OperationError("Values must be numbers in base 10.");

2
src/core/lib/FileType.mjs
View file

@ -213,7 +213,7 @@ function locatePotentialSig(buf, sig, offset) {
export function isType(type, buf) {
const types = detectFileType(buf);
if (!(types && types.length)) return false;
if (!types.length) return false;
if (typeof type === "string") {
return types.reduce((acc, t) => {

2
src/core/lib/Stream.mjs
View file

@ -177,7 +177,7 @@ export default class Stream {
// Get the skip table.
const skiptable = preprocess(val, length);
let found = true;
let found;
while (this.position < this.length) {
// Until we hit the final element of val in the stream.

4
src/core/operations/ExtractEmailAddresses.mjs
View file

@ -39,8 +39,8 @@ class ExtractEmailAddresses extends Operation {
*/
run(input, args) {
const displayTotal = args[0],
// email regex from: https://www.regextester.com/98066
regex = /(?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9])?\.)+[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])/ig;
// email regex from: https://www.regextester.com/98066
regex = /(?:[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9])?\.)+[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFFa-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}\])/ig;
return search(input, regex, null, displayTotal);
}

2
src/core/operations/FromBCD.mjs
View file

@ -95,7 +95,7 @@ class FromBCD extends Operation {
if (!packed) {
// Discard each high nibble
for (let i = 0; i < nibbles.length; i++) {
nibbles.splice(i, 1);
nibbles.splice(i, 1); // lgtm [js/loop-iteration-skipped-due-to-shifting]
}
}

2
src/core/operations/FromBase.mjs
View file

@ -46,7 +46,7 @@ class FromBase extends Operation {
}
const number = input.replace(/\s/g, "").split(".");
let result = new BigNumber(number[0], radix) || 0;
let result = new BigNumber(number[0], radix);
if (number.length === 1) return result;

8
src/core/operations/FromBase32.mjs
View file

@ -84,10 +84,10 @@ class FromBase32 extends Operation {
chr5 = ((enc7 & 7) << 5) | enc8;
output.push(chr1);
if (enc2 & 3 !== 0 || enc3 !== 32) output.push(chr2);
if (enc4 & 15 !== 0 || enc5 !== 32) output.push(chr3);
if (enc5 & 1 !== 0 || enc6 !== 32) output.push(chr4);
if (enc7 & 7 !== 0 || enc8 !== 32) output.push(chr5);
if ((enc2 & 3) !== 0 || enc3 !== 32) output.push(chr2);
if ((enc4 & 15) !== 0 || enc5 !== 32) output.push(chr3);
if ((enc5 & 1) !== 0 || enc6 !== 32) output.push(chr4);
if ((enc7 & 7) !== 0 || enc8 !== 32) output.push(chr5);
}
return output;

2
src/core/operations/Lorenz.mjs
View file

@ -376,7 +376,7 @@ class Lorenz extends Operation {
// Psi wheels only move sometimes, dependent on M37 current setting and limitations
const basicmotor = m37lug;
let totalmotor = basicmotor;
let totalmotor;
let lim = 0;
p5[2] = p5[1];

2
src/core/operations/OpticalCharacterRecognition.mjs
View file

@ -51,7 +51,7 @@ class OpticalCharacterRecognition extends Operation {
async run(input, args) {
const [showConfidence] = args;
if (!isWorkerEnvironment()) throw OperationError("This operation only works in a browser");
if (!isWorkerEnvironment()) throw new OperationError("This operation only works in a browser");
const type = isImage(input);
if (!type) {

8
src/core/operations/PHPDeserialize.mjs
View file

@ -111,7 +111,7 @@ class PHPDeserialize extends Operation {
} else {
const numberCheck = lastItem.match(/[0-9]+/);
if (args[0] && numberCheck && numberCheck[0].length === lastItem.length) {
result.push("\"" + lastItem + "\": " + item);
result.push('"' + lastItem + '": ' + item);
} else {
result.push(lastItem + ": " + item);
}
@ -149,11 +149,11 @@ class PHPDeserialize extends Operation {
const length = readUntil(":");
expect("\"");
const value = read(length);
expect("\";");
expect('";');
if (args[0]) {
return "\"" + value.replace(/"/g, "\\\"") + "\"";
return '"' + value.replace(/"/g, '\\"') + '"'; // lgtm [js/incomplete-sanitization]
} else {
return "\"" + value + "\"";
return '"' + value + '"';
}
}

2
src/core/operations/ParseIPv6Address.mjs
View file

@ -169,7 +169,7 @@ class ParseIPv6Address extends Operation {
// Detect possible EUI-64 addresses
if ((ipv6[5] & 0xff === 0xff) && (ipv6[6] >>> 8 === 0xfe)) {
if (((ipv6[5] & 0xff) === 0xff) && (ipv6[6] >>> 8 === 0xfe)) {
output += "\n\nThis IPv6 address contains a modified EUI-64 address, identified by the presence of FF:FE in the 12th and 13th octets.";
const intIdent = Utils.hex(ipv6[4] >>> 8) + ":" + Utils.hex(ipv6[4] & 0xff) + ":" +

2
src/core/operations/ParseSSHHostKey.mjs
View file

@ -87,7 +87,7 @@ class ParseSSHHostKey extends Operation {
* @returns {byteArray}
*/
convertKeyToBinary(inputKey, inputFormat) {
const keyPattern = new RegExp(/^(?:[ssh]|[ecdsa-sha2])\S+\s+(\S*)/),
const keyPattern = new RegExp(/^(?:ssh|ecdsa-sha2)\S+\s+(\S*)/),
keyMatch = inputKey.match(keyPattern);
if (keyMatch) {

2
src/core/operations/RegularExpression.mjs
View file

@ -45,7 +45,7 @@ class RegularExpression extends Operation {
},
{
name: "Email address",
value: "(?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*\")@(?:(?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9])?\\.)+[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9](?:[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9-]*[\u00A0-\uD7FF\uE000-\uFFFF-a-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\\])"
value: "(?:[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9](?:[\\u00A0-\\uD7FF\\uE000-\\uFFFF-a-z0-9-]*[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9])?\\.)+[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9](?:[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9-]*[\\u00A0-\\uD7FF\\uE000-\\uFFFFa-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}\\])"
},
{
name: "URL",

2
src/core/operations/SharpenImage.mjs
View file

@ -81,7 +81,7 @@ class SharpenImage extends Operation {
if (isWorkerEnvironment())
self.sendStatusMessage("Sharpening image... (Blurring cloned image)");
const blurImage = gaussianBlur(image.clone(), radius, 3);
const blurImage = gaussianBlur(image.clone(), radius);
if (isWorkerEnvironment())

4
src/core/operations/Sort.mjs
View file

@ -125,7 +125,7 @@ class Sort extends Operation {
const ret = a_[i].localeCompare(b_[i]); // Compare strings
if (ret !== 0) return ret;
}
if (!isNaN(a_[i]) && !isNaN(a_[i])) { // Compare numbers
if (!isNaN(a_[i]) && !isNaN(b_[i])) { // Compare numbers
if (a_[i] - b_[i] !== 0) return a_[i] - b_[i];
}
}
@ -163,7 +163,7 @@ class Sort extends Operation {
const ret = a_[i].localeCompare(b_[i]); // Compare strings
if (ret !== 0) return ret;
}
if (!isNaN(a_[i]) && !isNaN(a_[i])) { // Compare numbers
if (!isNaN(a_[i]) && !isNaN(b_[i])) { // Compare numbers
if (a_[i] - b_[i] !== 0) return a_[i] - b_[i];
}
}

2
src/core/operations/ToCharcode.mjs
View file

@ -52,7 +52,7 @@ class ToCharcode extends Operation {
const delim = Utils.charRep(args[0] || "Space"),
base = args[1];
let output = "",
padding = 2,
padding,
ordinal;
if (base < 2 || base > 36) {

1
src/core/operations/UnescapeUnicodeCharacters.mjs
View file

@ -47,7 +47,6 @@ class UnescapeUnicodeCharacters extends Operation {
while ((m = regex.exec(input))) {
// Add up to match
output += input.slice(i, m.index);
i = m.index;
// Add match
output += Utils.chr(parseInt(m[1], 16));