PR #92 fixed encrypted ZIP detection in the extract path (ZipArchive::new → is_password_protected), but the list command goes through inspection/list.rs:list_zip which calls archive.by_index(i) without any encryption check.
Reproduction
# Create encrypted ZIP (any tool, e.g. zip -e or Python)
cargo run --package exarch-cli -- list encrypted.zip
Output:
Error: failed to list archive: encrypted.zip
Caused by:
invalid archive: failed to read ZIP entry: unsupported Zip archive: Password required to decrypt file
Expected output:
Error: security violation: archive is password-protected.
Root cause
inspection/list.rs line 252: archive.by_index(i).map_err(|e| ExtractionError::InvalidArchive(...)) — does not check e.to_string().contains("Password required to decrypt file").
Fix
Apply the same pattern as zip.rs:check_entry_encrypted — either:
- Call
is_password_protected at the top of list_zip before iterating entries, or
- In the
map_err closure at line 252, check for the password error string and return SecurityViolation.
Option 1 is cleaner (fail fast before iterating).
PR #92 fixed encrypted ZIP detection in the extract path (
ZipArchive::new→is_password_protected), but thelistcommand goes throughinspection/list.rs:list_zipwhich callsarchive.by_index(i)without any encryption check.Reproduction
# Create encrypted ZIP (any tool, e.g. zip -e or Python) cargo run --package exarch-cli -- list encrypted.zipOutput:
Expected output:
Root cause
inspection/list.rsline 252:archive.by_index(i).map_err(|e| ExtractionError::InvalidArchive(...))— does not checke.to_string().contains("Password required to decrypt file").Fix
Apply the same pattern as
zip.rs:check_entry_encrypted— either:is_password_protectedat the top oflist_zipbefore iterating entries, ormap_errclosure at line 252, check for the password error string and returnSecurityViolation.Option 1 is cleaner (fail fast before iterating).