
unable to unzip jar files #18

Closed
xt0x1c opened this issue Dec 14, 2021 · 10 comments

Comments

xt0x1c commented Dec 14, 2021

While scanning nested .jar files, the scanner exits with an error:

./local-log4j-vuln-scanner  --exclude /proc  /
local-log4j-vuln-scanner - a simple local log4j vulnerability scanner

OUTPUT
cant't open JAR file: /../../../FOO-1.0.0-BAR.jar (size 19165951): zip: not a valid zip file
….

Manually unzipping the file works fine:

unzip -l /../../../FOO-1.0.0-BAR.jar
Archive:  /../../../FOO-1.0.0-BAR.jar
warning [ /../../../FOO-1.0.0-BAR.jar ]:  8500 extra bytes at beginning or within zipfile
  (attempting to process anyway)

hillu (Owner) commented Dec 14, 2021

Looks like the Go archive/zip implementation is more strict than unzip. Can you provide the file?

xt0x1c (Author) commented Dec 14, 2021

I tried to reproduce the problem with other files and figured out that all affected files are executable jars.

See for reference:
https://docs.spring.io/spring-boot/docs/current/reference/html/executable-jar.html

To reproduce the problem you can take the jar files from this project, like the attached one:

database-1.0.0-SNAPSHOT.jar.zip

collegian commented

@t0xic-coder How did you resolve the problem? I'm seeing the same thing.

Champ586 commented

@collegian Just unzip your jar to some directory and pass that directory to scanner.
unzip your-jar.jar -d some-dir

FilipDeVos commented

I looked a bit more into this and there might be a way to add this.

hillu (Owner) commented Dec 23, 2021

For whatever reason I only now realized that I had code written for the simple "ZIP appended to something else" case lying around in various incarnations.

@t0xic-coder, @FilipDeVos (or anyone else), could you please give the code in https://github.com/hillu/local-log4j-vuln-scanner/tree/feature/broken-zip a try and tell me that it works for your use-cases? Thanks.
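The "ZIP appended to something else" case described here, as an added example that is not the scanner's code and not the code on the feature branch: it scans for the end-of-central-directory record, derives how many bytes were prepended (the "8500 extra bytes" unzip reported above), and hands archive/zip a view that starts at the real archive so the stale offsets line up. The fixture, the entry name and the 520-byte launcher stub are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"io"
)

const eocdSig = 0x06054b50 // end-of-central-directory (EOCD) signature, "PK\x05\x06"
// findZipStart returns the number of bytes preceding the real ZIP data (0 for a plain archive).
func findZipStart(buf []byte) (int64, error) {
	// The EOCD record is 22 bytes, optionally followed by a comment of up to 65535 bytes.
	for i := len(buf) - 22; i >= 0 && len(buf)-i <= 22+65535; i-- {
		if binary.LittleEndian.Uint32(buf[i:]) != eocdSig {
			continue
		}
		cdSize := int64(binary.LittleEndian.Uint32(buf[i+12:]))
		cdOffset := int64(binary.LittleEndian.Uint32(buf[i+16:]))
		// Offsets are relative to the original ZIP start, so data before cdOffset+cdSize is prepended.
		prefix := int64(i) - cdSize - cdOffset
		if prefix < 0 {
			return 0, errors.New("central directory offsets are inconsistent")
		}
		return prefix, nil
	}
	return 0, errors.New("no end-of-central-directory record found")
}

// openPrependedZip gives archive/zip a view of buf starting at the real ZIP, so offsets line up.
func openPrependedZip(buf []byte) (*zip.Reader, int64, error) {
	prefix, err := findZipStart(buf)
	if err != nil {
		return nil, 0, err
	}
	size := int64(len(buf)) - prefix
	zr, err := zip.NewReader(io.NewSectionReader(bytes.NewReader(buf), prefix, size), size)
	return zr, prefix, err
}

// buildSampleJar is a constructed fixture: a one-entry ZIP behind a fake 520-byte launcher script.
func buildSampleJar() []byte {
	var z bytes.Buffer
	w := zip.NewWriter(&z)
	f, _ := w.Create("BOOT-INF/classes/application.properties")
	f.Write([]byte("app.name=demo\n"))
	w.Close()
	return append(bytes.Repeat([]byte("#!/bin/sh\n# launcher stub\n"), 20), z.Bytes()...)
}
```

A scanner that opens every nested jar this way can still inspect Spring Boot style executable jars instead of skipping them with "not a valid zip file".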

FilipDeVos commented

@hillu I will take a look and try it out later today.

hillu (Owner) commented Dec 24, 2021

@FilipDeVos I have pushed the change to the master branch and tagged that in the meantime. Thanks in advance for looking into it, anyway.

FilipDeVos commented

I tested and it works properly. Thank you so much.

hillu (Owner) commented Dec 24, 2021

@FilipDeVos Thank you. I guess the issue can be closed then.

hillu closed this as completed Dec 24, 2021