feat(safari): localstorage extraction

Extracts Safari 17+ localStorage from WebKit's nested layout —
WebsiteDataStore/<uuid>/Origins/<top-hash>/<frame-hash>/LocalStorage/
localstorage.sqlite3 for named profiles, WebsiteData/Default for the
default profile. Parses the binary SecurityOrigin serialization
(length-prefixed scheme+host plus 0x00 default-port or 0x01 <uint16_le>
explicit-port section) and decodes UTF-16 LE ItemTable value BLOBs,
capping oversized values at 2048 bytes to match the Chromium extractor.
Reports the frame origin URL so partitioned third-party storage is
attributed to the iframe origin JavaScript actually sees.

Closes the remaining LocalStorage checkbox in #565.

Author: moonD4rk

browser/safari/extract_storage.go

@@ -0,0 +1,290 @@
+package safari
+
+import (
+	"database/sql"
+	"encoding/binary"
+	"fmt"
+	"os"
+	"path/filepath"
+	"unicode/utf16"
+
+	_ "modernc.org/sqlite"
+
+	"github.com/moond4rk/hackbrowserdata/log"
+	"github.com/moond4rk/hackbrowserdata/types"
+)
+
+// Modern WebKit (Safari 17+) stores localStorage under a nested, partitioned layout rooted at
+// either WebsiteDataStore/<uuid>/Origins (per named profile) or WebsiteData/Default
+// (the pre-profile default store). Within that root:
+//
+//	<root>/<top-frame-hash>/<frame-hash>/origin                         — binary; encodes top+frame origins
+//	<root>/<top-frame-hash>/<frame-hash>/LocalStorage/localstorage.sqlite3
+//
+// top-hash == frame-hash ⇒ first-party; they differ for third-party partitioned storage.
+// We report the frame origin because that's what window.localStorage exposes to JS.
+// ItemTable: (key TEXT UNIQUE ON CONFLICT REPLACE, value BLOB NOT NULL ON CONFLICT FAIL);
+// value BLOBs are UTF-16 LE strings.
+//
+// The flat "LocalStorage/<scheme>_<host>_<port>.localstorage" directory that older builds used
+// is empty on current Safari and is no longer a supported source.
+
+const (
+	webkitOriginFile         = "origin"
+	webkitLocalStorageSubdir = "LocalStorage"
+	webkitLocalStorageDB     = "localstorage.sqlite3"
+	webkitOriginSaltName     = "salt" // HMAC salt sibling of the <hash> dirs; not a data dir
+
+	maxLocalStorageValueLength = 2048
+)
+
+// origin file encoding-byte constants (WebCore SecurityOrigin serialization).
+const (
+	originEncASCII = 0x01 // Latin-1 / ASCII
+	originEncUTF16 = 0x00 // UTF-16 LE
+)
+
+// Port marker values after the (scheme, host) pair in an origin block.
+// 0x00  → port is the scheme default (stored as 0).
+// 0x01  → next two bytes are a uint16_le port.
+const (
+	originPortDefaultMarker = 0x00
+	originPortExplicitFlag  = 0x01
+)
+
+func extractLocalStorage(root string) ([]types.StorageEntry, error) {
+	dirs, err := findOriginDataDirs(root)
+	if err != nil {
+		return nil, err
+	}
+
+	var entries []types.StorageEntry
+	for _, od := range dirs {
+		origin, err := readOriginFile(filepath.Join(od, webkitOriginFile))
+		if err != nil {
+			log.Debugf("safari localstorage: origin %s: %v", od, err)
+			continue
+		}
+		dbPath := filepath.Join(od, webkitLocalStorageSubdir, webkitLocalStorageDB)
+		items, err := readLocalStorageFile(dbPath)
+		if err != nil {
+			log.Debugf("safari localstorage: db %s: %v", dbPath, err)
+			continue
+		}
+		for _, it := range items {
+			entries = append(entries, types.StorageEntry{
+				URL:   origin,
+				Key:   it.key,
+				Value: it.value,
+			})
+		}
+	}
+	return entries, nil
+}
+
+func countLocalStorage(root string) (int, error) {
+	entries, err := extractLocalStorage(root)
+	if err != nil {
+		return 0, err
+	}
+	return len(entries), nil
+}
+
+// findOriginDataDirs returns <root>/<h1>/<h2>/ paths that contain both an "origin" file and
+// a "LocalStorage/localstorage.sqlite3" database. Non-directory entries, the "salt" sibling,
+// and partition dirs without localStorage data are silently skipped.
+func findOriginDataDirs(root string) ([]string, error) {
+	topEntries, err := os.ReadDir(root)
+	if err != nil {
+		return nil, fmt.Errorf("read origins root: %w", err)
+	}
+	var out []string
+	for _, top := range topEntries {
+		if !top.IsDir() || top.Name() == webkitOriginSaltName {
+			continue
+		}
+		topPath := filepath.Join(root, top.Name())
+		frameEntries, err := os.ReadDir(topPath)
+		if err != nil {
+			continue
+		}
+		for _, frame := range frameEntries {
+			if !frame.IsDir() {
+				continue
+			}
+			framePath := filepath.Join(topPath, frame.Name())
+			if _, err := os.Stat(filepath.Join(framePath, webkitOriginFile)); err != nil {
+				continue
+			}
+			dbPath := filepath.Join(framePath, webkitLocalStorageSubdir, webkitLocalStorageDB)
+			if _, err := os.Stat(dbPath); err != nil {
+				continue
+			}
+			out = append(out, framePath)
+		}
+	}
+	return out, nil
+}
+
+// originEndpoint is one half of an origin file (top-frame or frame). Port 0 means the scheme
+// default (443 for https, 80 for http) and is omitted from the URL rendering.
+type originEndpoint struct {
+	scheme string
+	host   string
+	port   uint16
+}
+
+// readOriginFile parses WebKit's SecurityOrigin binary serialization and returns the frame
+// origin URL (scheme://host[:port]). The file holds two origin blocks back-to-back: top-frame
+// then frame. When the frame block is missing/unreadable we fall back to the top-frame so we
+// can still attribute the data to *something* meaningful.
+func readOriginFile(path string) (string, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	top, pos, terr := readOriginBlock(data, 0)
+	if terr != nil {
+		return "", fmt.Errorf("parse top-frame origin: %w", terr)
+	}
+	frame, _, ferr := readOriginBlock(data, pos)
+	if ferr != nil {
+		// Partitioned info unavailable — attribute to the top-frame origin.
+		frame = top
+	}
+	if frame.scheme == "" || frame.host == "" {
+		return "", fmt.Errorf("origin file missing scheme/host")
+	}
+	return formatOriginURL(frame), nil
+}
+
+// readOriginBlock reads one origin block: scheme record, host record, port marker.
+// Returns the parsed endpoint and the byte offset immediately after the block.
+func readOriginBlock(data []byte, pos int) (originEndpoint, int, error) {
+	var ep originEndpoint
+	var err error
+	ep.scheme, pos, err = readOriginString(data, pos)
+	if err != nil {
+		return ep, pos, err
+	}
+	ep.host, pos, err = readOriginString(data, pos)
+	if err != nil {
+		return ep, pos, err
+	}
+	if pos >= len(data) {
+		return ep, pos, fmt.Errorf("unexpected EOF before port marker")
+	}
+	marker := data[pos]
+	pos++
+	switch marker {
+	case originPortDefaultMarker:
+		ep.port = 0
+	case originPortExplicitFlag:
+		if pos+2 > len(data) {
+			return ep, pos, fmt.Errorf("truncated port value at offset %d", pos)
+		}
+		ep.port = binary.LittleEndian.Uint16(data[pos : pos+2])
+		pos += 2
+	default:
+		return ep, pos, fmt.Errorf("unexpected port marker 0x%02x at offset %d", marker, pos-1)
+	}
+	return ep, pos, nil
+}
+
+// readOriginString consumes one length-prefixed record (uint32_le length + encoding byte + data).
+func readOriginString(data []byte, pos int) (string, int, error) {
+	if pos+5 > len(data) {
+		return "", pos, fmt.Errorf("truncated string record at offset %d", pos)
+	}
+	length := int(binary.LittleEndian.Uint32(data[pos : pos+4]))
+	enc := data[pos+4]
+	pos += 5
+	if length < 0 || pos+length > len(data) {
+		return "", pos, fmt.Errorf("string record overruns buffer: length %d at offset %d", length, pos-5)
+	}
+	chunk := data[pos : pos+length]
+	pos += length
+	switch enc {
+	case originEncASCII:
+		return string(chunk), pos, nil
+	case originEncUTF16:
+		return decodeUTF16LE(chunk), pos, nil
+	default:
+		return string(chunk), pos, nil
+	}
+}
+
+func formatOriginURL(ep originEndpoint) string {
+	url := ep.scheme + "://" + ep.host
+	if ep.port != 0 {
+		url += fmt.Sprintf(":%d", ep.port)
+	}
+	return url
+}
+
+type localStorageItem struct {
+	key   string
+	value string
+}
+
+func readLocalStorageFile(path string) ([]localStorageItem, error) {
+	// Read-only + immutable so we don't disturb a live WAL (same pattern as profiles.go).
+	dsn := "file:" + path + "?mode=ro&immutable=1"
+	db, err := sql.Open("sqlite", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("open %s: %w", path, err)
+	}
+	defer db.Close()
+	if err := db.Ping(); err != nil {
+		return nil, fmt.Errorf("ping %s: %w", path, err)
+	}
+
+	rows, err := db.Query(`SELECT key, value FROM ItemTable`)
+	if err != nil {
+		return nil, fmt.Errorf("query ItemTable: %w", err)
+	}
+	defer rows.Close()
+
+	var items []localStorageItem
+	for rows.Next() {
+		var key sql.NullString
+		var value []byte
+		if err := rows.Scan(&key, &value); err != nil {
+			log.Debugf("safari localstorage: scan row in %s: %v", path, err)
+			continue
+		}
+		items = append(items, localStorageItem{
+			key:   key.String,
+			value: decodeLocalStorageValue(value),
+		})
+	}
+	return items, rows.Err()
+}
+
+// decodeLocalStorageValue treats the BLOB as UTF-16 LE. Values at or above the cap are replaced
+// with a size marker to keep JSON/CSV output bounded, matching chromium/extract_storage.go.
+func decodeLocalStorageValue(b []byte) string {
+	if len(b) >= maxLocalStorageValueLength {
+		return fmt.Sprintf(
+			"value is too long, length is %d, supported max length is %d",
+			len(b), maxLocalStorageValueLength,
+		)
+	}
+	return decodeUTF16LE(b)
+}
+
+// decodeUTF16LE returns the input as a Go string on odd-length (malformed) inputs; WebKit values
+// are always even-length in practice but we don't want a stray byte to drop a whole row.
+func decodeUTF16LE(b []byte) string {
+	if len(b) == 0 {
+		return ""
+	}
+	if len(b)%2 != 0 {
+		return string(b)
+	}
+	u16 := make([]uint16, len(b)/2)
+	for i := range u16 {
+		u16[i] = binary.LittleEndian.Uint16(b[i*2:])
+	}
+	return string(utf16.Decode(u16))
+}