Archive5 min

What's Inside That ZIP? Inspect Archives Safely Before Extracting

See every filename, size, path, and warning inside a ZIP, RAR, or 7z before extracting a single byte. Catch zip bombs, path traversal, and .exe payloads locally.

Inspection runs locally via Zro7 Inspect Archive using libarchive.js. Nothing is written to disk until you extract.

To inspect a suspicious archive before extracting, drop it into Zro7 Inspect Archive. libarchive.js reads the central directory and lists every entry — filename, path, size, compression ratio, timestamp — plus warnings for the three attacks that matter: zip bombs, path traversal, and hidden executables. Nothing is written to your disk until you approve.

Attacks a listing reveals

1. Zip bombs

A 42 KB ZIP that expands to 4.5 PB (the classic "42.zip") shows a compression ratio of 100,000,000:1 in the listing. Zro7 flags any entry with a ratio above 100:1 as a bomb candidate.

2. Path traversal ("zip slip")

Entries with paths like ../../etc/passwd or C:\Windows\System32\... try to write outside the extraction folder. Zro7 highlights any path containing ../, absolute paths, or drive letters.

3. Executable payloads disguised as documents

"Invoice.pdf.exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".lnk" inside a ZIP labelled Invoice_September.zip is the #1 email malware pattern. The listing shows the true filename with all extensions; Zro7 flags common executable extensions.

Why local inspection matters

Uploading a suspected malware ZIP to a cloud unarchiver puts the operator in the blast radius — some scan-and-log services keep the payload. Browser-side inspection reads only the central directory (a few KB) and never executes anything.

Steps

  1. Open Inspect Archive.
  2. Drop the archive. Entries and warnings render.
  3. Extract selectively (or not at all).

Frequently asked questions

Which archive formats can I inspect?

Same 12+ formats libarchive.js supports: ZIP, RAR, 7z, TAR variants, ISO, CAB, and more.

Does inspection decompress the data?

No — only the central directory is read. Bombs never expand.

Can it detect malware in the file contents?

No — Zro7 flags structural risks (paths, ratios, extensions) not payload signatures. Run a real AV for that.

Are encrypted entries listed?

Yes — filenames appear in the central directory even when contents are encrypted (a known ZIP-format limitation).

Any upload?

None.

Related posts

← Back to blog