mirrors/CyberChef
1
Fork 0
mirror of https://github.com/gchq/CyberChef.git synced 2026-02-03 14:00:40 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge 1815c043fa into 2092e5b20c

Browse source
This commit is contained in:
GCHQ Developer C85297 2026-01-29 13:01:52 +00:00 committed by GitHub
commit fbcc1c3465
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 1704 additions and 2283 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/master.yml vendored
View file

@ -10,12 +10,12 @@ jobs:
main:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v6
- name: Set node version
uses: actions/setup-node@v3
uses: actions/setup-node@v6
with:
node-version: '18.x'
node-version: 18
- name: Install
run: |

3865
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

38
package.json
View file

@ -39,23 +39,23 @@
"node >= 16"
],
"devDependencies": {
"@babel/core": "^7.24.7",
"@babel/eslint-parser": "^7.24.7",
"@babel/plugin-syntax-import-assertions": "^7.24.7",
"@babel/plugin-transform-runtime": "^7.24.7",
"@babel/preset-env": "^7.24.7",
"@babel/runtime": "^7.24.7",
"@babel/core": "^7.28.6",
"@babel/eslint-parser": "^7.27.1",
"@babel/plugin-syntax-import-assertions": "^7.28.6",
"@babel/plugin-transform-runtime": "^7.28.5",
"@babel/preset-env": "^7.28.6",
"@babel/runtime": "^7.28.6",
"@codemirror/commands": "^6.6.0",
"@codemirror/language": "^6.10.2",
"@codemirror/search": "^6.5.6",
"@codemirror/state": "^6.4.1",
"@codemirror/view": "^6.28.0",
"autoprefixer": "^10.4.19",
"babel-loader": "^9.1.3",
"babel-loader": "^10.0.0",
"babel-plugin-dynamic-import-node": "^2.3.3",
"babel-plugin-transform-builtin-extend": "1.1.2",
"babel-plugin-transform-builtin-extend": "^1.1.2",
"base64-loader": "^1.0.0",
"chromedriver": "^130.0.0",
"chromedriver": "^137.0.0",
"cli-progress": "^3.12.0",
"colors": "^1.4.0",
"compression-webpack-plugin": "^11.1.0",
@ -70,18 +70,18 @@
"grunt-chmod": "~1.1.1",
"grunt-concurrent": "^3.0.0",
"grunt-contrib-clean": "~2.0.1",
"grunt-contrib-connect": "^4.0.0",
"grunt-contrib-connect": "^5.0.1",
"grunt-contrib-copy": "~1.0.0",
"grunt-contrib-watch": "^1.1.0",
"grunt-eslint": "^25.0.0",
"grunt-exec": "~3.0.0",
"grunt-webpack": "^6.0.0",
"grunt-webpack": "^7.0.1",
"grunt-zip": "^1.0.0",
"html-webpack-plugin": "^5.6.0",
"imports-loader": "^5.0.0",
"mini-css-extract-plugin": "2.9.0",
"modify-source-webpack-plugin": "^4.1.0",
"nightwatch": "^3.6.3",
"nightwatch": "^3.15.0",
"postcss": "^8.4.38",
"postcss-css-variables": "^0.19.0",
"postcss-import": "^16.1.0",
@ -91,7 +91,7 @@
"terser": "^5.31.1",
"webpack": "^5.91.0",
"webpack-bundle-analyzer": "^4.10.2",
"webpack-dev-server": "5.0.4",
"webpack-dev-server": "^5.2.3",
"webpack-node-externals": "^3.0.0",
"worker-loader": "^3.0.8"
},
@ -117,7 +117,7 @@
"chi-squared": "^1.1.0",
"codepage": "^1.15.0",
"crypto-api": "^0.8.5",
"crypto-browserify": "^3.12.0",
"crypto-browserify": "^3.12.1",
"crypto-js": "^4.2.0",
"ctph.js": "0.0.5",
"d3": "7.9.0",
@ -128,7 +128,7 @@
"escodegen": "^2.1.0",
"esprima": "^4.0.1",
"exif-parser": "^0.1.12",
"fernet": "^0.4.0",
"fernet": "^0.3.3",
"file-saver": "^2.0.5",
"flat": "^6.0.1",
"geodesy": "1.1.3",
@ -136,15 +136,15 @@
"hash-wasm": "^4.12.0",
"highlight.js": "^11.9.0",
"ieee754": "^1.2.1",
"jimp": "^0.22.12",
"jimp": "^1.6.0",
"jq-web": "^0.5.1",
"jquery": "3.7.1",
"js-sha3": "^0.9.3",
"jsesc": "^3.0.2",
"json5": "^2.2.3",
"jsonata": "^2.0.3",
"jsonpath-plus": "^9.0.0",
"jsonwebtoken": "8.5.1",
"jsonpath-plus": "^10.3.0",
"jsonwebtoken": "9.0.3",
"jsqr": "^1.4.0",
"jsrsasign": "^11.1.0",
"kbpgp": "2.1.15",
@ -186,7 +186,7 @@
"uuid": "^11.1.0",
"vkbeautify": "^0.99.3",
"xpath": "0.0.34",
"xregexp": "^5.1.1",
"xregexp": "^5.1.2",
"zlibjs": "^0.3.1"
},
"scripts": {

22
src/core/operations/JWTSign.mjs
View file

@ -6,14 +6,12 @@
import Operation from "../Operation.mjs";
import jwt from "jsonwebtoken";
import OperationError from "../errors/OperationError.mjs";
import {JWT_ALGORITHMS} from "../lib/JWT.mjs";
import { JWT_ALGORITHMS } from "../lib/JWT.mjs";
/**
* JWT Sign operation
*/
class JWTSign extends Operation {
/**
* JWTSign constructor
*/
@ -22,7 +20,8 @@ class JWTSign extends Operation {
this.name = "JWT Sign";
this.module = "Crypto";
this.description = "Signs a JSON object as a JSON Web Token using a provided secret / private key.<br><br>The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.";
this.description =
"Signs a JSON object as a JSON Web Token using a provided secret / private key.<br><br>The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.";
this.infoURL = "https://wikipedia.org/wiki/JSON_Web_Token";
this.inputType = "JSON";
this.outputType = "string";
@ -30,18 +29,18 @@ class JWTSign extends Operation {
{
name: "Private/Secret Key",
type: "text",
value: "secret"
value: "secret",
},
{
name: "Signing algorithm",
type: "option",
value: JWT_ALGORITHMS
value: JWT_ALGORITHMS,
},
{
name: "Header",
type: "text",
value: "{}"
}
value: "{}",
},
];
}
@ -56,7 +55,11 @@ class JWTSign extends Operation {
try {
return jwt.sign(input, key, {
algorithm: algorithm === "None" ? "none" : algorithm,
header: JSON.parse(header || "{}")
header: JSON.parse(header || "{}"),
// Allow keys of less than 2048 bits
allowInsecureKeySizes: true,
// Allow HMAC with SHA-256 algorithms (for symmetric encryption)
allowInvalidAsymmetricKeyTypes: true,
});
} catch (err) {
throw new OperationError(`Error: Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.
@ -64,7 +67,6 @@ class JWTSign extends Operation {
${err}`);
}
}
}
export default JWTSign;

21
src/core/operations/JWTVerify.mjs
View file

@ -6,14 +6,12 @@
import Operation from "../Operation.mjs";
import jwt from "jsonwebtoken";
import OperationError from "../errors/OperationError.mjs";
import {JWT_ALGORITHMS} from "../lib/JWT.mjs";
import { JWT_ALGORITHMS } from "../lib/JWT.mjs";
/**
* JWT Verify operation
*/
class JWTVerify extends Operation {
/**
* JWTVerify constructor
*/
@ -22,7 +20,8 @@ class JWTVerify extends Operation {
this.name = "JWT Verify";
this.module = "Crypto";
this.description = "Verifies that a JSON Web Token is valid and has been signed with the provided secret / private key.<br><br>The key should be either the secret for HMAC algorithms or the PEM-encoded public key for RSA and ECDSA.";
this.description =
"Verifies that a JSON Web Token is valid and has been signed with the provided secret / private key.<br><br>The key should be either the secret for HMAC algorithms or the PEM-encoded public key for RSA and ECDSA.";
this.infoURL = "https://wikipedia.org/wiki/JSON_Web_Token";
this.inputType = "string";
this.outputType = "JSON";
@ -30,7 +29,7 @@ class JWTVerify extends Operation {
{
name: "Public/Secret Key",
type: "text",
value: "secret"
value: "secret",
},
];
}
@ -46,9 +45,16 @@ class JWTVerify extends Operation {
algos[algos.indexOf("None")] = "none";
try {
const verified = jwt.verify(input, key, { algorithms: algos });
const verified = jwt.verify(input, key, {
algorithms: algos,
// Allow HMAC with SHA-256 algorithms (for symmetric encryption)
allowInvalidAsymmetricKeyTypes: true,
});
if (Object.prototype.hasOwnProperty.call(verified, "name") && verified.name === "JsonWebTokenError") {
if (
Object.prototype.hasOwnProperty.call(verified, "name") &&
verified.name === "JsonWebTokenError"
) {
throw new OperationError(verified.message);
}
@ -57,7 +63,6 @@ class JWTVerify extends Operation {
throw new OperationError(err);
}
}
}
export default JWTVerify;

16
tests/operations/tests/Code.mjs
View file

@ -322,7 +322,21 @@ TestRegister.addTests([
]
}
],
expectedMatch: /^Invalid JPath expression: jsonPath: self is not defined:/
expectedMatch: /^Invalid JPath expression: Unexpected "{" at character 1/
},
{
name: "JPath Expression: Script-based RCE",
input: "[{}]",
recipeConfig: [
{
"op": "JPath expression",
"args": [
"$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('id').toString())\";a=''[['constructor']][['constructor']](p);a())]",
"\n"
]
}
],
expectedMatch: /^Invalid JPath expression: jsonPath: Cannot read properties of {2}\(reading 'constructor'\): /
},
{
name: "CSS selector",

19
webpack.config.js
View file

@ -120,17 +120,20 @@ module.exports = {
jquery: "jquery/src/jquery",
},
fallback: {
"fs": false,
"child_process": false,
"net": false,
"tls": false,
"path": require.resolve("path/"),
"assert": require.resolve("assert"),
"buffer": require.resolve("buffer/"),
"child_process": false,
"crypto": require.resolve("crypto-browserify"),
"stream": require.resolve("stream-browserify"),
"zlib": require.resolve("browserify-zlib"),
"events": require.resolve("events"),
"fs": false,
"net": false,
"path": require.resolve("path/"),
"process": false,
"vm": false
"stream": require.resolve("stream-browserify"),
"tls": false,
"url": require.resolve("url"),
"vm": false,
"zlib": require.resolve("browserify-zlib"),
}
},
module: {