{"id":20780898,"url":"https://github.com/x4e/fakedirectory","last_synced_at":"2025-07-17T02:42:50.461Z","repository":{"id":138137278,"uuid":"222104966","full_name":"x4e/fakedirectory","owner":"x4e","description":"Trick WinRAR, JD-GUI and nearly every zip file reader.","archived":false,"fork":false,"pushed_at":"2019-11-17T21:06:13.000Z","size":63,"stargazers_count":60,"open_issues_count":1,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-01T11:08:27.515Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x4e.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-16T13:41:35.000Z","updated_at":"2025-06-19T08:49:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"d6708699-626f-4b76-90ff-7ee0d03d011a","html_url":"https://github.com/x4e/fakedirectory","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/x4e/fakedirectory","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x4e%2Ffakedirectory","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x4e%2Ffakedirectory/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x4e%2Ffakedirectory/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x4e%2Ffakedirectory/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x4e","download_url":"https://codeload.github.com/x4e/fakedirectory
/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x4e%2Ffakedirectory/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262950349,"owners_count":23389644,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T13:40:01.989Z","updated_at":"2025-07-01T11:08:28.051Z","avatar_url":"https://github.com/x4e.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fake Directory [![Build Status](https://travis-ci.com/cookiedragon234/fakedirectory.svg?branch=master)](https://travis-ci.com/cookiedragon234/fakedirectory)\nExploits a flaw in pretty much every zip file parser, which treats files ending with a `/` as a directory, even if they aren't.\n\nThis makes the contents of the files completely unavailable to anyone using WinRAR, Luyten and every other zip viewer I have seen.\n\n## Why does it work?\nLook at this code from `java/util/zip/ZipFile`:\n```Java\n    /**\n     * Returns the zip file entry for the specified name, or null\n     * if not found.\n     *\n     * @param name the name of the entry\n     * @return the zip file entry, or null if not found\n     * @throws IllegalStateException if the zip file has been closed\n     */\n    public ZipEntry getEntry(String name) {\n        if (name == null) {\n            throw new NullPointerException(\"name\");\n        }\n        long jzentry = 0;\n        synchronized (this) {\n            ensureOpen();\n            jzentry = getEntry(jzfile, zc.getBytes(name), true);\n            if 
(jzentry != 0) {\n                // If no entry is found for the specified 'name' and\n                // the 'name' does not end with a forward slash '/',\n                // the implementation tries to find the entry with a\n                // slash '/' appended to the end of the 'name', before\n                // returning null. When such entry is found, the name\n                // that actually is found (with a slash '/' attached)\n                // is used\n                // (disabled if jdk.util.zip.ensureTrailingSlash=false)\n                ZipEntry ze = ensuretrailingslash ? getZipEntry(null, jzentry)\n                                                  : getZipEntry(name, jzentry);\n                freeEntry(jzfile, jzentry);\n                return ze;\n            }\n        }\n        return null;\n    }\n```\nWhen the JVM comes across a reference to a class, say for example the Main Class specified in the manifest, it searches the ZipFile for that class. If a file with that specific name does not exist, it tries again with a `/` appended to the name. Therefore it will still find the given entry, even though readers will skip over the file, presuming it's a directory.\n\n## How can this be leveraged\nOne usage of this is as a form of Java Jar obfuscation. The JVM is not vulnerable to this exploit, meaning it will read a file `test.class/` as a file rather than a directory. This means that you can produce valid Jar files that are able to be executed but not analysed or decompiled easily.\n\nThis could also have malicious uses, such as to hide malware within a zip file. I have not tested whether antiviruses are vulnerable, however there is a possibility that some might be. 
This is why this needs to be publicised so that it can be fixed.\n\nCredit to [@Cubxity](https://github.com/Cubxity) and [@half-cambodian-hacker-man](https://github.com/half-cambodian-hacker-man) for providing information on Discord.\n\n## Usage\n`java -jar fakedirectory.jar exampleJar.jar` will replace all class files within the jar with a fake directory.\n\n## Examples of vulnerable applications\nWinRAR\n\n![WinRAR Failing](https://i.imgur.com/pKn2FOO.png)\n\nLuyten\n\n![Luyten Failing](https://i.imgur.com/rkkUNEJ.png)\n\nJByteMod\n\n![JByteMod Failing](https://i.imgur.com/awhPq65.png)\n\n\nOnly use this for educational purposes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx4e%2Ffakedirectory","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx4e%2Ffakedirectory","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx4e%2Ffakedirectory/lists"}