Crash when providing wrong password to zip encrypted with ZipEncrypt

mrossi · January 29, 2025, 9:34am

I am extracting encrypted zips with aspose-zip for Java.

I think the important pieces of code are these:

try (IArchive archive = getArchive()) {
    archive.extractToDirectory(outputDir.toString());
}

and:

    protected Archive getArchive() {
        ArchiveLoadOptions loadOptions = new ArchiveLoadOptions();
        if (encoding != null) {
            loadOptions.setEncoding(encoding);
        }
        if (decryptionPassword != null) {
            loadOptions.setDecryptionPassword(decryptionPassword);
        }
        return new Archive(zipInputStream, loadOptions);
    }

The problem is the following:

If I provide the correct password (“password” in this case), the extraction works.
If I provide a wrong password (for example, “wrong”), the extraction fails as expected, but with an internal error. (com.aspose.zip.private_.aw.s: Bad state (invalid block type)
I would expect it to crash with an “InvalidDataException”, since I want to diversify between errors due to wrong password or other unexpected errors (crashes, corrupted zips, …)

I would hence please ask if it were possible to fix the bug

Professionalize.Discourse · January 29, 2025, 9:34am

@mrossi

It seems that you are encountering an issue where providing an incorrect password for a zip file results in an internal error instead of the expected InvalidDataException. This behavior is indeed a known bug when using the store (no compression) method for zip extraction.

The development team has acknowledged this issue and has opened a ticket to address it. They plan to implement a fix, which is expected to be included in a future version of the library. In the latest version (23.5), the library should raise an exception when attempting to extract with a wrong password, which should help differentiate between incorrect passwords and other unexpected errors.

To summarize, if you are using a version prior to 23.5, you may experience this internal error. Upgrading to the latest version should resolve the issue and provide the expected behavior.

If you need further assistance or have additional questions, feel free to ask!

Sources:
[1]: Detect wrong password when extracting 7z archive

mrossi · January 29, 2025, 9:45am

This is the version I am using:

<dependency>
      <groupId>com.aspose</groupId>
      <artifactId>aspose-zip</artifactId>
      <version>24.11</version>
</dependency>

This is higher than 23.5, so there is clarely a bug.

To have more information in order to reproduce the bug:

the zip is attached
try to extract with pwd “wrong” instead of the correct “password”
stack given by the code

com.aspose.zip.private_.aw.s: Bad state (invalid block type)

	at com.aspose.zip.private_.aw.k.a(Unknown Source)
	at com.aspose.zip.private_.aw.r.a(Unknown Source)
	at com.aspose.zip.private_.aw.q.a(Unknown Source)
	at com.aspose.zip.private_.aw.f.a(Unknown Source)
	at com.aspose.zip.cp.a(Unknown Source)
	at com.aspose.zip.qe.a(Unknown Source)
	at com.aspose.zip.Archive.extractToDirectory(Unknown Source)

prova.zip (15.8 KB)

Eugene.Shashkov · January 29, 2025, 11:16am

@mrossi
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): ZIPNET-1251

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

vadimyurko · January 30, 2025, 5:12pm

@mrossi
We were able to reproduce the issue.
The issue will be fixed in the upcoming release (25.1).

We have opened the following new ticket(s) in our internal issue tracking system.

Issue ID(s): ZIPJAVA-213

mrossi · January 31, 2025, 3:00pm

Thanks, I have now two questions:

A part from this error, is it right to assume that if the “InvalidDataException” is thrown, the problem is that the zip is encrypted and the passed password is wrong?
For now, in case of failure, I’m running the same unzipping by passing “null” as password. If I receive the ArgumentNullException I assume that the reason is that the zip is password protected.

Are these assumptions correct? If they are not could you provide counterexamples?
Thanks in advance

aspose.notifier · January 31, 2025, 5:16pm

The issues you have found earlier (filed as ZIPJAVA-213) have been fixed in this update.

Eugene.Shashkov · February 1, 2025, 6:04pm

InvalidDataException can be raised in case when data or headers of archive is corrupted, and decompression algorithm fails to proceed.

The correct way to determine whether ZIP archive password protected is to check does its entry has type ArchiveEntryEncrypted: if (archive.Entries[0] is ArchiveEntryEncrypted) {...}
In theory, ZIP standard allows entries be encrypted independently, so while some entries are encrypted other are not. Aspose.ZIP can extract such “mixed” archives. In practice, usually whole archive whether encrypted or not.