
Conversation

@nheiniger

@nheiniger nheiniger commented Sep 10, 2025

Description

This PR enables AES256 when the --zippassword option is provided. This replaces the default and less secure ZipCrypto option.

The code is taken from the examples of SharpZipLib here: https://github.com/icsharpcode/SharpZipLib/wiki/Zip-Samples/6dc300804f36f981e516fa477219b0e40c192861

Motivation and Context

Just following best practice after an auditor noted that the zip file uses ZipCrypto.

How Has This Been Tested?

Run SharpHound twice, once with SharpHound.exe --zippassword infected to confirm that the encryption is working as expected. Then a second time with SharpHound.exe and no password to ensure that it works without a password too.

Screenshots

With this change, the encryption method is now AES256

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • New Features
    • Password-protected ZIP exports now use AES-256 encryption per file entry, delivering stronger protection without changing existing workflows.
    • Automatically applies whenever a ZIP password is set; no additional configuration required.
    • Backward compatible: no changes to public APIs or user settings.
    • Affects only newly created archives; existing archives remain unchanged.
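The pattern this PR adopts, as a self-contained SharpZipLib example added here (not SharpHound's own code; the AesZipWriter class and its file names are hypothetical): with only ZipOutputStream.Password set, SharpZipLib falls back to ZipCrypto, so each ZipEntry additionally gets AESKeySize = 256 whenever a password is present.

```csharp
using System;
using System.IO;
using ICSharpCode.SharpZipLib.Core;
using ICSharpCode.SharpZipLib.Zip;

// Hypothetical helper (not SharpHound's code): writes inputFiles into zipPath.
// When password is non-empty, every entry is AES-256 encrypted instead of
// using SharpZipLib's default ZipCrypto, which is what this PR changes.
static class AesZipWriter
{
    public static void ZipFiles(string zipPath, string[] inputFiles, string password)
    {
        using var zipStream = new ZipOutputStream(File.Create(zipPath));
        zipStream.SetLevel(9);                    // maximum Deflate compression
        bool encrypt = !string.IsNullOrEmpty(password);
        if (encrypt)
            zipStream.Password = password;        // on its own this still yields ZipCrypto

        byte[] buffer = new byte[4096];
        foreach (string file in inputFiles)
        {
            var entry = new ZipEntry(Path.GetFileName(file))
            {
                DateTime = File.GetLastWriteTime(file),
                Size = new FileInfo(file).Length  // uncompressed size, as in the SharpZipLib wiki sample
            };
            if (encrypt)
                entry.AESKeySize = 256;           // the per-entry switch from ZipCrypto to AES-256

            zipStream.PutNextEntry(entry);
            using (FileStream fs = File.OpenRead(file))
                StreamUtils.Copy(fs, zipStream, buffer);
            zipStream.CloseEntry();
        }
        // Disposing the ZipOutputStream finishes the central directory and closes the file.
    }

    static void Main()
    {
        // Constructed sample input so the program runs stand-alone.
        string sample = Path.Combine(Path.GetTempPath(), "sample.json");
        File.WriteAllText(sample, "{\"constructed\": true}");
        string outZip = Path.Combine(Path.GetTempPath(), "sample_aes.zip");
        ZipFiles(outZip, new[] { sample }, "infected");   // same password the PR's test run used
        Console.WriteLine($"Wrote {outZip}");
    }
}
```

AES-encrypted entries are not readable by the Windows Explorer built-in extractor, so verify the output with a tool that supports the WinZip AES format (for example 7-Zip), which will also report the entry method as AES-256 rather than ZipCrypto.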

@coderabbitai

coderabbitai bot commented Sep 10, 2025

Walkthrough

Adds per-entry AES-256 encryption in ZIP creation: when a ZipPassword is set, each ZipEntry’s AESKeySize is set to 256. This occurs within existing loops in LoopManager.ZipFiles and OutputWriter.ZipFiles. No control flow or public API changes.

Changes

Cohort / File(s) Summary
ZIP AES-256 per-entry encryption
src/Runtime/LoopManager.cs, src/Runtime/OutputWriter.cs
Set ZipEntry.AESKeySize = 256 when _context.ZipPassword/ZipPassword is present, complementing existing ZipOutputStream.Password usage; no other logic or API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
  • Title Check: ✅ Passed. The title succinctly and accurately conveys the main change—enabling AES256 encryption for ZIP archives—without extra detail or ambiguous language, making it clear and specific for anyone scanning the project history.
  • Description Check: ✅ Passed. The description fully follows the repository’s template by including clear sections for Description, Motivation and Context, How Has This Been Tested, Screenshots, Types of changes, and Checklist, each populated with relevant details about the change, its purpose, and verification steps.

Poem

I zipped with a hop and a cryptic grin,
AES carrots tucked snugly in tin,
256 bits guard each file I stow—
burrow-safe bundles, ready to go.
With whiskers twitching, I press “compress,”
soft thumps of security—nothing less. 🥕🗜️

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a073f1a and ddc8ba6.

📒 Files selected for processing (2)
  • src/Runtime/LoopManager.cs (1 hunks)
  • src/Runtime/OutputWriter.cs (1 hunks)
🔇 Additional comments (2)
src/Runtime/OutputWriter.cs (1)

208-208: LGTM! Correctly enables AES256 encryption for ZIP entries.

The implementation properly sets the AES key size to 256 bits when a ZIP password is provided, which will upgrade from the default ZipCrypto to AES256 encryption as intended.

src/Runtime/LoopManager.cs (1)

104-104: LGTM! Consistent AES256 encryption implementation.

This change matches the identical implementation in OutputWriter.cs (Line 208), ensuring consistent AES256 encryption behavior across both ZIP creation workflows in the application.


@github-actions

github-actions bot commented Sep 10, 2025

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@nheiniger
Author

I have read the CLA Document and I hereby sign the CLA
