logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Scan RAR files #59

Closed takakiyo closed 2 years ago

takakiyo commented 2 years ago

RAR (Resource adapter ARchive) is a file type defined in the Java EE spec, and it may contain Java code.

    private boolean isScanTarget(String path) {
        String loweredPath = path.toLowerCase();
        if (scanZip && loweredPath.endsWith(".zip"))
            return true;

        // ear = Java EE archive, aar = Android archive
        return loweredPath.endsWith(".jar") || loweredPath.endsWith(".war") || loweredPath.endsWith(".ear")
                || loweredPath.endsWith(".aar");
    }

Please add || loweredPath.endsWith(".rar") to scan RAR files.

xeraph commented 2 years ago

@takakiyo Would you test v1.5.0 release?

Menschomat commented 2 years ago

With build from master I'm getting:

Skipping broken jar file \Hidden\Path for HiddenFileName.rar ('error in opening zip file')

xeraph commented 2 years ago

@Menschomat Maybe it is not Resource adapter ARchive. If HiddenFileName.rar is WinRAR file, magic header starts like this: [screenshot]

Resource adapter ARchive is actually ZIP file. ZIP file should start like this (0x50 0x4B ..): [screenshot]
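The distinction made above (same `.rar` extension, different magic header) is what decides whether a file is a ZIP-based Java resource adapter archive worth scanning or a WinRAR archive the scanner cannot open. The following is an added stand-alone illustration, not the scanner's own code: it pairs the extension check from the quoted `isScanTarget()` with a magic-header check so a WinRAR file is skipped explicitly instead of surfacing as "error in opening zip file". The magic values are the well-known ZIP (`PK..`) and RAR4/RAR5 signatures; the sample headers are constructed here.

```python
import io
import zipfile

# Well-known archive signatures (assumed values, not taken from the scanner's source).
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header, empty, spanned
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Extension list mirroring the quoted isScanTarget(), with ".rar" added as the issue requests.
SCAN_EXTENSIONS = (".jar", ".war", ".ear", ".aar", ".rar")


def is_scan_target(path: str) -> bool:
    """Extension-only check, equivalent to the Java method quoted in the issue."""
    return path.lower().endswith(SCAN_EXTENSIONS)


def classify_archive(header: bytes) -> str:
    """Classify the first bytes of a file as 'zip', 'winrar' or 'unknown'."""
    if header.startswith(ZIP_MAGICS):
        return "zip"
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "winrar"
    return "unknown"


def decide(path: str, header: bytes) -> str:
    """Combine both checks: only ZIP-structured targets are handed to the ZIP parser."""
    if not is_scan_target(path):
        return "skip-extension"
    kind = classify_archive(header)
    if kind == "zip":
        return "scan"          # Java EE resource adapter archive (a real ZIP)
    if kind == "winrar":
        return "skip-winrar"   # WinRAR archive: not a ZIP, report it as such
    return "skip-unknown"      # neither signature: truncated or foreign file


def make_zip_header() -> bytes:
    """Constructed sample: first 8 bytes of a minimal in-memory ZIP (what a Java RAR looks like)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/ra.xml", "<connector/>")
    return buf.getvalue()[:8]


if __name__ == "__main__":
    samples = {  # constructed inputs
        "connector.rar": make_zip_header(),
        "Screenshots.rar": RAR5_MAGIC + b"\x00" * 8,
        "notes.txt": b"hello",
    }
    for name, head in samples.items():
        print(f"{name}: {decide(name, head)}")
```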

Menschomat commented 2 years ago

@xeraph First of all, thanks for this great tool! You helped us a lot. I'll check this tomorrow, when I'm back in the office.

headman78 commented 2 years ago

What about excluding WinRAR files from scanning? Getting a lot of these from those: Skipping broken jar file \Screenshots.rar ('zip END header not found')

xeraph commented 2 years ago

@headman78 Would you create new issue for this?