Description
Although, according to the ZIP specification, each file in the ZIP archive with a local header should have a matching entry in the central directory, this does not seem to be enforced. The central directory is merely used as a lookup table, without checking the integrity of the entire archive.
There are ZIP archives out there in the wild where there are entries with a local header, but without a corresponding entry in the central directory. There are even file formats that are using this as a method to store metadata, such as SOZip:
https://github.com/sozip/sozip-spec
https://github.com/sozip/sozipfile
(links include test files)
The question is whether or not these files should be unpacked. In the case of SOZip the files are clearly metadata, but there could be other archives where the files are not metadata (and are used for, say, smuggling a payload through a malware scanner). A linter should at least be able to spot that there are extra files.
Somewhat related is what Google does with APK signing blocks, but that will be a separate issue (as those don't have a local header).
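As an added illustration of the linter check described above (example code, not part of this project or of the issue), the script below walks the local file headers sequentially, compares them against what the central directory lists, and reports any local header that no central-directory entry points to. The sample archive is constructed in memory: a local record for `hidden.txt` with its central directory stripped off, placed in front of a well-formed archive that lists only `readme.txt`. Data-descriptor entries are handled by signature search and ZIP64 sizes are not handled, which is an assumption of the example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header

def walk_local_headers(data: bytes):
    """Yield (offset, filename) for each local file header found by walking the
    archive sequentially, independent of what the central directory claims."""
    pos = data.find(LOCAL_SIG)
    while pos != -1 and data[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HEADER.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield pos, name
        end = pos + 30 + nlen + xlen + csize
        if flags & 0x8 and csize == 0:
            # Streamed entry with a trailing data descriptor: size is not in the header,
            # so fall back to searching for the next signature (ZIP64 is not handled here).
            end = data.find(LOCAL_SIG, end)
            if end == -1:
                break
        pos = end

def find_orphan_local_entries(data: bytes):
    """Return [(offset, name)] for local headers no central-directory entry points to."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # header_offset is already corrected for bytes preceding the first listed entry
        listed = {(zi.header_offset, zi.filename) for zi in zf.infolist()}
    return [(off, name) for off, name in walk_local_headers(data) if (off, name) not in listed]

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry, stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed test input: an orphan local record for 'hidden.txt' (its central
    directory cut off) followed by a well-formed archive listing only 'readme.txt'."""
    extra = make_zip("hidden.txt", b"not referenced by any central directory entry\n")
    extra_local_only = extra[:extra.index(CENTRAL_SIG)]
    return extra_local_only + make_zip("readme.txt", b"listed in the central directory\n")

if __name__ == "__main__":
    sample = build_sample()
    for off, name in find_orphan_local_entries(sample):
        print(f"orphan local header at offset {off}: {name}")
```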