From e2e0cf260fb5511063481c8d86cd9e0790d98f70 Mon Sep 17 00:00:00 2001
From: simon987
Date: Thu, 18 May 2023 20:09:17 -0400
Subject: [PATCH] Skip encrypted files when no passphrase is supplied
---
 third-party/libscan/libscan/arc/arc.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/third-party/libscan/libscan/arc/arc.c b/third-party/libscan/libscan/arc/arc.c
index bb5ed32..cd331a8 100644
--- a/third-party/libscan/libscan/arc/arc.c
+++ b/third-party/libscan/libscan/arc/arc.c
@@ -4,7 +4,6 @@
 #include
 #include
 #include
-#include
 #include
 #define MAX_DECOMPRESSED_SIZE_RATIO 40.0
@@ -211,11 +210,20 @@ scan_code_t parse_archive(scan_arc_ctx_t *ctx, vfile_t *f, document_t *doc, pcre
 double decompressed_size_ratio = (double) sub_job->vfile.st_size / (double) f->st_size;
 if (decompressed_size_ratio > MAX_DECOMPRESSED_SIZE_RATIO) {
- CTX_LOG_DEBUGF("arc.c", "Skipped %s, possible zip bomb (decompressed_size_ratio=%f)", sub_job->filepath,
+ CTX_LOG_ERRORF("arc.c", "Skipped %s, possible zip bomb (decompressed_size_ratio=%f)",
+ sub_job->filepath,
 decompressed_size_ratio);
 break;
 }
+ if ((archive_entry_is_encrypted(entry) || archive_entry_is_data_encrypted(entry) ||
+ archive_entry_is_metadata_encrypted(entry)) && ctx->passphrase[0] == 0) {
+ // Is encrypted but no password is specified, skip
+ CTX_LOG_ERRORF("arc.c", "Skipped %s, archive is encrypted but no passphrase is supplied",
+ doc->filepath);
+ break;
+ }
+
 // Handle excludes
 if (exclude != NULL && EXCLUDED(sub_job->filepath)) {
 CTX_LOG_DEBUGF("arc.c", "Excluded: %s", sub_job->filepath);
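Review bot: In the added encrypted-entry check of `parse_archive`, `break` stops at the first encrypted entry, so if the enclosing loop (which starts outside this hunk) walks the archive's entries, unencrypted entries that follow in a mixed archive, such as a ZIP with per-entry encryption, are never scanned. The log line names only `doc->filepath` and says the archive is encrypted, which hides that the scan was partial; logging `sub_job->filepath` as well would show which entry triggered the skip. If skipping only that entry is intended, `continue;` would do it, provided nothing set up for `sub_job` earlier in the iteration needs releasing first. The condition also assumes `ctx->passphrase` is an array or a non-NULL pointer, which the hunk does not show. As far as I know `archive_entry_is_encrypted()` already covers both data and metadata encryption, so the check could shrink to `if (archive_entry_is_encrypted(entry) && ctx->passphrase[0] == 0) {`.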