unable to unzip jar files
xt0x1c opened this issue · 10 comments
While scanning nested .jar files, the scanner exits with an error:
./local-log4j-vuln-scanner --exclude /proc /
local-log4j-vuln-scanner - a simple local log4j vulnerability scanner
OUTPUT
cant't open JAR file: /../../../FOO-1.0.0-BAR.jar (size 19165951): zip: not a valid zip file
….
Manually unzipping the file works fine:
unzip -l /../../../FOO-1.0.0-BAR.jar
Archive: /../../../FOO-1.0.0-BAR.jar
warning [ /../../../FOO-1.0.0-BAR.jar ]: 8500 extra bytes at beginning or within zipfile
(attempting to process anyway)
Looks like the Go archive/zip implementation is more strict than unzip. Can you provide the file?
I tried to reproduce the problem with other files and figured out that all of the files are executable jars.
See for reference:
https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html
To reproduce the problem you can take the jar files from this project, like the attached.
@t0xic-coder How did you resolve the problem? I'm seeing the same thing.
@collegian Just unzip your jar to some directory and pass that directory to the scanner.
unzip your-jar.jar -d some-dir
I looked a bit more into this and there might be a way to add this.
- anchore/syft#428 --> contains implementation of OpenZip
  --> this project is Apache 2 licensed, but https://www.apache.org/licenses/GPL-compatibility.html states that it is ok to include
- golang/go#10464 --> contains a patch for archive/zip
For whatever reason I only now realized that I had code written for the simple "ZIP appended to something else" case lying around in various incarnations.
@t0xic-coder, @FilipDeVos (or anyone else), could you please give the code in https://github.com/hillu/local-log4j-vuln-scanner/tree/feature/broken-zip a try and tell me whether it works for your use-cases? Thanks.
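The "ZIP appended to something else" handling discussed in the two comments above, as an added Go example that is not code from the scanner, from syft or from the Go patch: it locates the End Of Central Directory record, computes how many foreign bytes (such as a Spring Boot launcher script) precede the real ZIP, and hands archive/zip only that section. The names findPrefixLen, OpenPrefixedZip and buildSample, and the launcher string, are hypothetical and constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"io"
)

const launcher = "#!/bin/sh\nexec java -jar \"$0\" \"$@\"\n" // constructed stand-in for the Spring Boot launcher script

// findPrefixLen scans backwards for the End Of Central Directory (EOCD) record and
// returns how many foreign bytes precede the real ZIP structure.
func findPrefixLen(data []byte) (int64, error) {
	// EOCD is 22 bytes plus at most 64 KiB of trailing comment, so scan back that far.
	for i := len(data) - 22; i >= 0 && i >= len(data)-22-65535; i-- {
		if binary.LittleEndian.Uint32(data[i:]) != 0x06054b50 {
			continue
		}
		cdSize := int64(binary.LittleEndian.Uint32(data[i+12:]))
		cdOffset := int64(binary.LittleEndian.Uint32(data[i+16:]))
		prefix := int64(i) - cdSize - cdOffset // central directory ends where the EOCD begins
		if prefix < 0 {
			return 0, zip.ErrFormat // offsets point before the start of the file
		}
		return prefix, nil
	}
	return 0, zip.ErrFormat
}

// OpenPrefixedZip (hypothetical name) opens a ZIP with foreign data prepended by
// giving archive/zip only the section that starts at the computed prefix.
func OpenPrefixedZip(data []byte) (*zip.Reader, error) {
	prefix, err := findPrefixLen(data)
	if err != nil {
		return nil, err
	}
	size := int64(len(data)) - prefix
	return zip.NewReader(io.NewSectionReader(bytes.NewReader(data), prefix, size), size)
}

// buildSample constructs an "executable jar": launcher script, then a ZIP whose
// internal offsets are relative to the ZIP start, as in the reported files.
func buildSample() []byte {
	var buf bytes.Buffer
	buf.WriteString(launcher)
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("org/apache/logging/log4j/core/lookup/JndiLookup.class")
	w.Write([]byte("constructed placeholder, not real bytecode"))
	zw.Close()
	return buf.Bytes()
}
```

Since Go 1.20 archive/zip skips leading data on its own, but computing the prefix explicitly keeps the scanner working on older toolchains and lets it report how many bytes were skipped.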
@hillu I will take a look and try it out later today.
@FilipDeVos I have pushed the change to the master branch and tagged that in the meantime. Thanks in advance for looking into it, anyway.
I tested and it works properly. Thank you so much.
@FilipDeVos Thank you. I guess the issue can be closed then.