openpack 0.2.2

Safe archive-reader for ZIP-derived formats (ZIP, CRX, JAR, APK, IPA) with BOM-safe checks.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

use std::fs::File;
use std::io::Write;
use std::path::PathBuf;

use zip::write::SimpleFileOptions;
use zip::CompressionMethod;
use zip::ZipWriter;

use openpack::{Limits, OpenPack, OpenPackError};

struct Scratch {
    _tmp: tempfile::TempDir,
    path: PathBuf,
}

impl Scratch {
    fn new(suffix: &str) -> Self {
        let tmp = tempfile::tempdir().expect("tempdir");
        let path = tmp.path().join(format!("archive.{suffix}"));
        Self { _tmp: tmp, path }
    }
}

fn write_zip(path: &std::path::Path, entries: &[(&str, &[u8], CompressionMethod)]) {
    let file = File::create(path).unwrap();
    let mut zip = ZipWriter::new(file);
    for (name, data, comp) in entries {
        let options = SimpleFileOptions::default().compression_method(*comp);
        zip.start_file(*name, options).unwrap();
        zip.write_all(data).unwrap();
    }
    zip.finish().unwrap();
}

#[test]
fn zip_bomb_ratio_check_in_read_entry() {
    let archive = Scratch::new("zip");

    // Highly compressible payload
    let payload = vec![0u8; 1024 * 1024 * 10]; // 10MB of zeros

    write_zip(
        &archive.path,
        &[("bomb.txt", &payload, CompressionMethod::Deflated)],
    );

    let mut limits = Limits::default();
    limits.max_compression_ratio = 5.0; // Strictly allow only 5x compression
    
    // We increase total limit so it passes entries() iteration
    limits.max_entry_uncompressed_size = 20 * 1024 * 1024;
    limits.max_total_uncompressed_size = 20 * 1024 * 1024;

    let pack = OpenPack::open(&archive.path, limits).unwrap();

    let err = pack.read_entry("bomb.txt").unwrap_err();
    assert!(
        matches!(err, OpenPackError::LimitExceeded(ref msg) if msg.contains("compression ratio limit")),
        "Expected compression ratio limit error, got {:?}",
        err
    );
}

#[test]
fn path_traversal_in_read_entry() {
    let archive = Scratch::new("zip");
    
    // Create an archive with a malicious entry name
    write_zip(
        &archive.path,
        &[("../../etc/passwd", b"secret", CompressionMethod::Stored)],
    );

    let pack = OpenPack::open_default(&archive.path).unwrap();
    
    let err = pack.read_entry("../../etc/passwd").unwrap_err();
    assert!(
        matches!(err, OpenPackError::ZipSlip(_)),
        "Expected ZipSlip error on read_entry"
    );

    let contains_err = pack.contains("../../etc/passwd").unwrap_err();
    assert!(
        matches!(contains_err, OpenPackError::ZipSlip(_)),
        "Expected ZipSlip error on contains"
    );
}

#[test]
fn path_traversal_in_extract_all_to() {
    let archive = Scratch::new("zip");
    
    write_zip(
        &archive.path,
        &[("../../etc/passwd", b"secret", CompressionMethod::Stored)],
    );

    let pack = OpenPack::open_default(&archive.path).unwrap();
    
    let extract_dir = tempfile::tempdir().unwrap();
    
    let err = pack.extract_all_to(extract_dir.path()).unwrap_err();
    assert!(
        matches!(err, OpenPackError::ZipSlip(_)),
        "Expected ZipSlip error on extract_all_to"
    );
}