fix(slack): harden cookie decryption and remove dead WorkspaceURL field

priyanshujain · priyanshujain · commit 80bd9b546627 · 2026-03-11T17:20:38.000+07:00
- Validate ciphertext is block-aligned to prevent CryptBlocks panic
- Error on unrecognized encryption version prefix (not just v10)
- Return error when decrypted output has no xoxd- token
- Remove unused WorkspaceURL field from Credentials
diff --git a/source/slack/desktop/cookies.go b/source/slack/desktop/cookies.go
@@ -98,17 +98,19 @@ func decryptCookie(encrypted, key []byte) (string, error) {
 	if len(encrypted) < 3 {
 		return "", fmt.Errorf("encrypted value too short")
 	}
-	if string(encrypted[:3]) == "v10" {
-		encrypted = encrypted[3:]
+	prefix := string(encrypted[:3])
+	if prefix != "v10" {
+		return "", fmt.Errorf("unsupported encryption version %q", prefix)
 	}
+	encrypted = encrypted[3:]
 
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", fmt.Errorf("create cipher: %w", err)
 	}
 
-	if len(encrypted) < aes.BlockSize {
-		return "", fmt.Errorf("ciphertext too short")
+	if len(encrypted) < aes.BlockSize || len(encrypted)%aes.BlockSize != 0 {
+		return "", fmt.Errorf("ciphertext length %d is not a multiple of block size", len(encrypted))
 	}
 
 	// Chromium uses 16 bytes of space as IV.
@@ -135,7 +137,7 @@ func decryptCookie(encrypted, key []byte) (string, error) {
 		return match, nil
 	}
 
-	return string(plaintext), nil
+	return "", fmt.Errorf("no xoxd- token found in decrypted cookie")
 }
 
 func getKeychainPassword() (string, error) {
diff --git a/source/slack/desktop/extract.go b/source/slack/desktop/extract.go
@@ -8,11 +8,10 @@ import (
 )
 
 type Credentials struct {
-	Token        string
-	Cookie       string
-	TeamID       string
-	TeamName     string
-	WorkspaceURL string
+	Token    string
+	Cookie   string
+	TeamID   string
+	TeamName string
 }
 
 func Extract() (*Credentials, error) {

Original file line number	Diff line number	Diff line change
`@@ -98,17 +98,19 @@ func decryptCookie(encrypted, key []byte) (string, error) {`
`98`	`98`	`if len(encrypted) < 3 {`
`99`	`99`	`return "", fmt.Errorf("encrypted value too short")`
`100`	`100`	`}`
`101`		`- if string(encrypted[:3]) == "v10" {`
`102`		`- encrypted = encrypted[3:]`
	`101`	`+ prefix := string(encrypted[:3])`
	`102`	`+ if prefix != "v10" {`
	`103`	`+ return "", fmt.Errorf("unsupported encryption version %q", prefix)`
`103`	`104`	`}`
	`105`	`+ encrypted = encrypted[3:]`
`104`	`106`
`105`	`107`	`block, err := aes.NewCipher(key)`
`106`	`108`	`if err != nil {`
`107`	`109`	`return "", fmt.Errorf("create cipher: %w", err)`
`108`	`110`	`}`
`109`	`111`
`110`		`- if len(encrypted) < aes.BlockSize {`
`111`		`- return "", fmt.Errorf("ciphertext too short")`
	`112`	`+ if len(encrypted) < aes.BlockSize \|\| len(encrypted)%aes.BlockSize != 0 {`
	`113`	`+ return "", fmt.Errorf("ciphertext length %d is not a multiple of block size", len(encrypted))`
`112`	`114`	`}`
`113`	`115`
`114`	`116`	`// Chromium uses 16 bytes of space as IV.`
`@@ -135,7 +137,7 @@ func decryptCookie(encrypted, key []byte) (string, error) {`
`135`	`137`	`return match, nil`
`136`	`138`	`}`
`137`	`139`
`138`		`- return string(plaintext), nil`
	`140`	`+ return "", fmt.Errorf("no xoxd- token found in decrypted cookie")`
`139`	`141`	`}`
`140`	`142`
`141`	`143`	`func getKeychainPassword() (string, error) {`
Original file line number	Diff line number	Diff line change
`@@ -8,11 +8,10 @@ import (`
`8`	`8`	`)`
`9`	`9`
`10`	`10`	`type Credentials struct {`
`11`		`- Token string`
`12`		`- Cookie string`
`13`		`- TeamID string`
`14`		`- TeamName string`
`15`		`- WorkspaceURL string`
	`11`	`+ Token string`
	`12`	`+ Cookie string`
	`13`	`+ TeamID string`
	`14`	`+ TeamName string`
`16`	`15`	`}`
`17`	`16`
`18`	`17`	`func Extract() (*Credentials, error) {`