Add support for Opera/Opera GX browser (#1629)

Paradoxis · web-flow · commit 860456a7c305 · 2026-03-18T10:06:22.000+01:00
diff --git a/dissect/target/plugins/apps/browser/chromium.py b/dissect/target/plugins/apps/browser/chromium.py
@@ -308,7 +308,10 @@ def cookies(self, browser_name: str | None = None) -> Iterator[BrowserCookieReco
                             )
 
                         # Strip extra data
-                        if cookie_value and encrypted_cookie[0:3] == b"v20":
+                        if cookie_value and (
+                            encrypted_cookie[0:3] == b"v20"
+                            or (encrypted_cookie[0:3] == b"v10" and browser_name == "opera")
+                        ):
                             cookie_value = cookie_value[32:]
 
                     yield self.BrowserCookieRecord(
diff --git a/dissect/target/plugins/apps/browser/opera.py b/dissect/target/plugins/apps/browser/opera.py
@@ -0,0 +1,192 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from dissect.util.ts import webkittimestamp
+
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import export
+from dissect.target.plugins.apps.browser.browser import (
+    GENERIC_COOKIE_FIELDS,
+    GENERIC_DOWNLOAD_RECORD_FIELDS,
+    GENERIC_EXTENSION_RECORD_FIELDS,
+    GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
+    BrowserPlugin,
+)
+from dissect.target.plugins.apps.browser.chromium import (
+    CHROMIUM_DOWNLOAD_RECORD_FIELDS,
+    ChromiumMixin,
+)
+
+if TYPE_CHECKING:
+    from collections.abc import Iterator
+
+
+OPERA_EXTENSION_RECORD_FIELDS = [
+    ("boolean", "blacklisted"),
+]
+
+
+class OperaPlugin(ChromiumMixin, BrowserPlugin):
+    """Opera (Stable and Opera GX) browser plugin."""
+
+    __namespace__ = "opera"
+
+    DIRS = (
+        # Windows (Stable)
+        "AppData/Roaming/Opera Software/Opera Stable/Default",
+        "AppData/Roaming/Opera Software/Opera Stable/_side_profiles/*/Default",
+        "AppData/Local/Opera Software/Opera Stable/Default",
+        "AppData/Local/Opera Software/Opera Stable/_side_profiles/*/Default",
+        # Windows (GX)
+        "AppData/Roaming/Opera Software/Opera GX Stable/Default",
+        "AppData/Roaming/Opera Software/Opera GX Stable/_side_profiles/*/Default",
+        "AppData/Local/Opera Software/Opera GX Stable/Default",
+        "AppData/Local/Opera Software/Opera GX Stable/_side_profiles/*/Default",
+        # MacOS (Stable)
+        "Library/Application Support/com.operasoftware.Opera/Default",
+        "Library/Application Support/com.operasoftware.Opera/_side_profiles/*/Default",
+        # MacOS (GX)
+        "Library/Application Support/com.operasoftware.OperaGX/_side_profiles/*/Default",
+        "Library/Application Support/com.operasoftware.OperaGX/Default",
+    )
+
+    BrowserHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "application/browser/opera/history",
+        GENERIC_HISTORY_RECORD_FIELDS,
+    )
+
+    BrowserCookieRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "application/browser/opera/cookie",
+        GENERIC_COOKIE_FIELDS,
+    )
+
+    BrowserDownloadRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "application/browser/opera/download",
+        GENERIC_DOWNLOAD_RECORD_FIELDS + CHROMIUM_DOWNLOAD_RECORD_FIELDS,
+    )
+
+    BrowserExtensionRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "application/browser/opera/extension",
+        GENERIC_EXTENSION_RECORD_FIELDS + OPERA_EXTENSION_RECORD_FIELDS,
+    )
+
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "application/browser/opera/password",
+        GENERIC_PASSWORD_RECORD_FIELDS,
+    )
+
+    @export(record=BrowserHistoryRecord)
+    def history(self) -> Iterator[BrowserHistoryRecord]:
+        """Return browser history records for Opera (and Opera GX)."""
+        yield from super().history("opera")
+
+    @export(record=BrowserCookieRecord)
+    def cookies(self) -> Iterator[BrowserCookieRecord]:
+        """Return browser cookie records for Opera (and Opera GX)."""
+        yield from super().cookies("opera")
+
+    @export(record=BrowserDownloadRecord)
+    def downloads(self) -> Iterator[BrowserDownloadRecord]:
+        """Return browser download records for Opera (and Opera GX)."""
+        yield from super().downloads("opera")
+
+    @export(record=BrowserExtensionRecord)
+    def extensions(self) -> Iterator[BrowserExtensionRecord]:
+        """Iterates over all installed extensions for Opera (and Opera GX).
+
+        Yields:
+
+        .. code-block:: text
+
+            Records with the following fields:
+                blacklisted (boolean): Extension blacklisted by Opera/Opera GX.
+                ts_install (datetime): Extension install timestamp.
+                ts_update (datetime): Extension update timestamp.
+                browser (string): The browser from which the records are generated.
+                id (string): Extension unique identifier.
+                name (string): Name of the extension.
+                short_name (string): Short name of the extension.
+                default_title (string): Default title of the extension.
+                description (string): Description of the extension.
+                version (string): Version of the extension.
+                ext_path (path): Relative path of the extension.
+                from_webstore (boolean): Extension from webstore.
+                permissions (string[]): Permissions of the extension.
+                manifest (varint): Version of the extensions' manifest.
+                source: (path): The source file of the download record.
+        """
+        for user, json_file, content in self._iter_json("Secure Preferences"):
+            try:
+                extensions = content.get("extensions").get("opsettings")
+                for extension_id, extension_data in extensions.items():
+                    # Opera includes a bunch of empty (prefilled) blacklisted extensions with only one key called
+                    # 'blacklist_state'. If no other metadata is present, it's not installed. Filtering based on if
+                    # the extension itself is blacklisted is a no-go as you can still install blacklisted extensions.
+                    blacklisted = bool(extension_data.get("blacklist_state", 0))
+                    if blacklisted and len(extension_data.keys()) == 1:
+                        continue
+
+                    ts_install = extension_data.get("first_install_time") or extension_data.get("install_time")
+                    ts_update = extension_data.get("last_update_time")
+
+                    if ts_install:
+                        ts_install = webkittimestamp(ts_install)
+                    if ts_update:
+                        ts_update = webkittimestamp(ts_update)
+
+                    if ext_path := extension_data.get("path"):
+                        ext_path = self.target.fs.path(ext_path)
+
+                    manifest = extension_data.get("manifest")
+                    if manifest:
+                        name = manifest.get("name")
+                        short_name = manifest.get("short_name")
+                        description = manifest.get("description")
+                        ext_version = manifest.get("version")
+                        ext_permissions = manifest.get("permissions")
+                        manifest_version = manifest.get("manifest_version")
+
+                        if manifest.get("browser_action"):
+                            default_title = manifest.get("browser_action").get("default_title")
+                        else:
+                            default_title = None
+
+                    else:
+                        name = None
+                        short_name = None
+                        default_title = None
+                        description = None
+                        ext_version = None
+                        ext_permissions = None
+                        manifest_version = None
+
+                    yield self.BrowserExtensionRecord(
+                        blacklisted=blacklisted,
+                        ts_install=ts_install,
+                        ts_update=ts_update,
+                        browser=self.__namespace__,
+                        extension_id=extension_id,
+                        name=name,
+                        short_name=short_name,
+                        default_title=default_title,
+                        description=description,
+                        version=ext_version,
+                        ext_path=ext_path,
+                        from_webstore=extensions.get(extension_id).get("from_webstore"),
+                        permissions=ext_permissions,
+                        manifest_version=manifest_version,
+                        source=json_file,
+                        _target=self.target,
+                        _user=user.user,
+                    )
+            except (AttributeError, KeyError) as e:
+                self.target.log.warning("No browser extensions found in: %s", json_file)
+                self.target.log.debug("", exc_info=e)
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Opera (and Opera GX)."""
+        yield from super().passwords("opera")
diff --git a/tests/_data/plugins/apps/browser/opera/History b/tests/_data/plugins/apps/browser/opera/History
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01eac0f064a1c2e49b31de4270358e4d677291b3f639104cb7b491334a8fe9a3
+size 196608
diff --git a/tests/_data/plugins/apps/browser/opera/Login Data b/tests/_data/plugins/apps/browser/opera/Login Data
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a2a5eb638ecfbc462f226e3fc1885c2536708b3a7acbf4ee0bfe6460a31ec4b
+size 40960
diff --git a/tests/_data/plugins/apps/browser/opera/Network/Cookies b/tests/_data/plugins/apps/browser/opera/Network/Cookies
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1e0d3edf4928f1db9cefb0ef70fe6d652f6fc189ca34cf255681951fb87e4db5
+size 36864
diff --git a/tests/_data/plugins/apps/browser/opera/Secure Preferences b/tests/_data/plugins/apps/browser/opera/Secure Preferences
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7304bd6e1c3b851dd1652af259d1a3755527395e498e9c7a4c1cf5589db8be27
+size 212960
diff --git a/tests/plugins/apps/browser/test_opera.py b/tests/plugins/apps/browser/test_opera.py
@@ -0,0 +1,123 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+import pytest
+from flow.record.fieldtypes import datetime as dt
+
+from dissect.target.plugins.apps.browser.opera import OperaPlugin
+from tests._utils import absolute_path
+
+if TYPE_CHECKING:
+    from dissect.target.filesystem import VirtualFilesystem
+    from dissect.target.target import Target
+
+
+@pytest.fixture
+def target_opera_win(target_win_users: Target, fs_win: VirtualFilesystem) -> Target:
+    fs_win.map_dir(
+        "Users\\John\\AppData\\Roaming\\Opera Software\\Opera Stable\\Default\\",
+        absolute_path("_data/plugins/apps/browser/opera/"),
+    )
+    fs_win.map_dir(
+        (
+            "Users\\John\\AppData\\Roaming\\Opera Software\\Opera Stable"
+            "\\_side_profiles\\31303232385F31323239343834393136\\Default"
+        ),
+        absolute_path("_data/plugins/apps/browser/opera/"),
+    )
+
+    target_win_users.add_plugin(OperaPlugin)
+    return target_win_users
+
+
+@pytest.fixture
+def target_operagx_win(target_win_users: Target, fs_win: VirtualFilesystem) -> Target:
+    fs_win.map_dir(
+        "Users\\John\\AppData\\Roaming\\Opera Software\\Opera GX Stable\\Default\\",
+        absolute_path("_data/plugins/apps/browser/opera/"),
+    )
+    fs_win.map_dir(
+        (
+            "Users\\John\\AppData\\Roaming\\Opera Software\\Opera GX Stable"
+            "\\_side_profiles\\31303232385F31323239343834393136\\Default\\"
+        ),
+        absolute_path("_data/plugins/apps/browser/opera/"),
+    )
+
+    target_win_users.add_plugin(OperaPlugin)
+    return target_win_users
+
+
+@pytest.mark.parametrize(
+    "target_platform",
+    ["target_opera_win", "target_operagx_win"],
+)
+def test_opera_history(target_platform: Target, request: pytest.FixtureRequest) -> None:
+    target_platform = request.getfixturevalue(target_platform)
+    records = list(target_platform.opera.history())
+
+    assert len(records) == 164
+    assert {"opera"} == {record.browser for record in records}
+
+    assert records[75].url == "https://github.com/fox-it/dissect.target"
+    assert records[75].id == 76
+    assert records[75].visit_count == 2
+    assert records[75].ts == dt("2026-03-17 13:24:54.736168+00:00")
+
+
+@pytest.mark.parametrize(
+    "target_platform",
+    ["target_opera_win", "target_operagx_win"],
+)
+def test_opera_cookies(target_platform: Target, request: pytest.FixtureRequest) -> None:
+    target_platform = request.getfixturevalue(target_platform)
+    records = list(target_platform.opera.cookies())
+
+    assert len(records) == 102
+    assert {"opera"} == {record.browser for record in records}
+
+    assert records[-1].host == ".github.com"
+    assert records[-1].name == "tz"
+
+
+@pytest.mark.parametrize(
+    "target_platform",
+    ["target_opera_win", "target_operagx_win"],
+)
+def test_opera_downloads(target_platform: Target, request: pytest.FixtureRequest) -> None:
+    target_platform = request.getfixturevalue(target_platform)
+    records = list(target_platform.opera.downloads())
+
+    assert len(records) == 2
+    assert {"opera"} == {record.browser for record in records}
+
+    assert records[0].url == "https://codeload.github.com/fox-it/dissect.target/zip/refs/tags/3.25.1"
+    assert records[0].tab_url == "https://github.com/fox-it/dissect.target/releases/tag/3.25.1"
+    assert records[0].state == "complete"
+    assert records[0].mime_type == "application/x-zip-compressed"
+    assert records[0].path == "C:\\Users\\User\\Downloads\\dissect.target-3.25.1.zip"
+
+
+@pytest.mark.parametrize(
+    "target_platform",
+    ["target_opera_win", "target_operagx_win"],
+)
+def test_opera_extensions(target_platform: Target, request: pytest.FixtureRequest) -> None:
+    target_platform = request.getfixturevalue(target_platform)
+    records = list(target_platform.opera.extensions())
+
+    assert len(records) == 66
+    assert {"opera"} == {record.browser for record in records}
+
+    assert records[0].name == "Web Store"
+    assert not records[0].blacklisted
+    assert records[0].extension_id == "ahfgeienlihckogmohjhadlkjgocpleb"
+    assert records[0].description == "Discover great apps, games, extensions and themes for Opera."
+    assert records[0].version == "0.2"
+
+    assert records[65].name == "NewTab. Search"
+    assert records[65].blacklisted
+    assert records[65].extension_id == "pookachmhghnpgjhebhilcidgdphdlhi"
+    assert records[65].description == "The extension changes default search provider."
+    assert records[65].version == "2.0.0.0"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:01eac0f064a1c2e49b31de4270358e4d677291b3f639104cb7b491334a8fe9a3`
	`3`	`+size 196608`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:6a2a5eb638ecfbc462f226e3fc1885c2536708b3a7acbf4ee0bfe6460a31ec4b`
	`3`	`+size 40960`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:1e0d3edf4928f1db9cefb0ef70fe6d652f6fc189ca34cf255681951fb87e4db5`
	`3`	`+size 36864`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:7304bd6e1c3b851dd1652af259d1a3755527395e498e9c7a4c1cf5589db8be27`
	`3`	`+size 212960`