
Add ZIP integrity verification for .swarm files #180

@careck


Security Review Finding — LOW Priority

Source: Krillnotes Security Review v1.0.1 (April 2026)
Location: krillnotes-core/src/core/invite.rs:180-193

Description

read_json_from_zip_bytes() reads ZIP entries without verifying ZIP integrity (CRC32). Corrupted ZIPs could cause parsing failures with unhelpful error messages.

Impact

Low — signature verification over parsed JSON is the actual security boundary. This is a robustness/UX concern rather than a security vulnerability. Corrupted archives will fail at the JSON parsing or signature verification stage anyway.

Recommendation

Add CRC32 integrity checks when reading ZIP entries for better error messages.

Acceptance Criteria

  • ZIP CRC32 verification added to read_json_from_zip_bytes()
  • Corrupted ZIP files produce clear error messages
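An added sketch of the check the recommendation asks for, written against the raw ZIP local file header with the standard library only. It is not Krillnotes code and not the body of read_json_from_zip_bytes(); the function names, the entry name `payload.json` and the error wording are hypothetical, and it assumes the first entry is stored uncompressed with its CRC32 and sizes in the local header.

```rust
// Added example (std only, not project code): CRC32 check of a stored (method 0) ZIP entry.
pub fn crc32(data: &[u8]) -> u32 {
    !data.iter().fold(0xFFFF_FFFFu32, |mut crc, &b| {
        crc ^= b as u32;
        for _ in 0..8 { crc = (crc >> 1) ^ (0xEDB8_8320 & (crc & 1).wrapping_neg()); }
        crc
    })
}

// Little-endian field of `n` bytes at `off`; errors if the buffer ends early.
fn le(b: &[u8], off: usize, n: usize) -> Result<u32, String> {
    let s = b.get(off..off + n).ok_or("ZIP is truncated inside the local file header")?;
    Ok(s.iter().rev().fold(0, |v, &x| (v << 8) | x as u32))
}

pub fn read_stored_entry(zip: &[u8]) -> Result<(String, Vec<u8>), String> {
    if le(zip, 0, 4)? != 0x0403_4B50 { return Err("not a ZIP archive: bad local header signature".into()); }
    // Flag bit 3 moves the CRC and sizes into a trailing data descriptor.
    if le(zip, 6, 2)? & 0x0008 != 0 || le(zip, 8, 2)? != 0 {
        return Err("unsupported entry: compressed or uses a data descriptor".into());
    }
    let (expected, size) = (le(zip, 14, 4)?, le(zip, 18, 4)? as usize);
    let name_end = 30 + le(zip, 26, 2)? as usize;
    let start = name_end + le(zip, 28, 2)? as usize;
    let name = String::from_utf8_lossy(zip.get(30..name_end).ok_or("ZIP is truncated in the entry name")?).into_owned();
    let data = zip.get(start..start.saturating_add(size)).ok_or_else(|| format!("entry '{}' is truncated", name))?;
    let actual = crc32(data);
    if actual != expected {
        return Err(format!("entry '{}' is corrupted: header CRC32 {:08x}, computed {:08x}", name, expected, actual));
    }
    Ok((name, data.to_vec()))
}

pub fn sample_zip(name: &str, body: &[u8]) -> Vec<u8> { // constructed sample: one stored entry
    let mut z: Vec<u8> = vec![0x50, 0x4B, 3, 4, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // signature..mod date
    let size = (body.len() as u32).to_le_bytes(); // stored: compressed == uncompressed
    z.extend_from_slice(&crc32(body).to_le_bytes());
    z.extend_from_slice(&[size, size].concat());
    z.extend_from_slice(&(name.len() as u16).to_le_bytes());
    z.extend_from_slice(&[0, 0]); // extra field length
    z.extend_from_slice(name.as_bytes());
    z.extend_from_slice(body);
    z
}
fn main() {
    let mut zip = sample_zip("payload.json", b"{\"v\":1}");
    *zip.last_mut().unwrap() ^= 1; // flip one payload bit
    println!("{:?}", read_stored_entry(&zip));
}
```

The corrupted sample fails with an error naming the entry and both CRC32 values instead of a JSON parse error further down the pipeline.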

Labels: security
