#tar-archive #extract-archive #zip #security #archive

app exarch-cli

Command-line utility for secure archive extraction and creation

15 unstable releases (3 breaking)

Uses new Rust 2024

new 0.4.0 May 20, 2026
0.3.1 May 19, 2026
0.3.0 Apr 23, 2026
0.2.9 Mar 25, 2026
0.1.2 Jan 1, 2026

#105 in Compression

MIT/Apache

1MB
18K SLoC

exarch

Command-line utility for secure archive extraction and creation. Built on exarch-core, providing memory-safe archive handling with built-in protection against path traversal, zip bombs, and symlink escape attacks.

Features

  • Secure by default - All security checks enabled out of the box
  • Path traversal protection - Blocks ../ escape attempts
  • Zip bomb detection - Configurable compression ratio limits
  • Symlink/hardlink validation - Prevents symlink escape attacks
  • Quota enforcement - File count, total size, and per-file limits
  • Multiple formats - TAR (gz, bz2, xz, zstd), ZIP, and 7z support
  • Multiple output modes - Human-readable and JSON output

Installation

From crates.io

cargo install exarch-cli

From source

git clone https://github.com/bug-ops/exarch
cd exarch
cargo install --path crates/exarch-cli

Tip

Use cargo binstall exarch-cli for faster installation without compilation.

Pre-built binaries

Download from GitHub Releases:

Platform Architecture Download
Linux x86_64 exarch-x86_64-unknown-linux-gnu.tar.gz
Linux aarch64 exarch-aarch64-unknown-linux-gnu.tar.gz
macOS x86_64 exarch-x86_64-apple-darwin.tar.gz
macOS aarch64 exarch-aarch64-apple-darwin.tar.gz
Windows x86_64 exarch-x86_64-pc-windows-msvc.zip

After downloading:

# Linux/macOS
tar -xzf exarch-*.tar.gz
chmod +x exarch
sudo mv exarch /usr/local/bin/

# Windows - extract zip and add to PATH

Important

Requires Rust 1.93.0 or later for building from source.

Usage

exarch [OPTIONS] <COMMAND>

Commands

Command Description
extract Extract archive contents
create Create a new archive
list List archive contents
verify Verify archive integrity
completion Generate shell completion script (bash, zsh, fish, powershell, elvish)

Global Options

Option Short Description
--verbose -v Print one line per entry to stderr (name, size, type). Overridden by --quiet.
--quiet -q Suppress non-error output
--json -j Output results in JSON format
--help -h Print help
--version -V Print version

Extract Command

exarch extract [OPTIONS] <ARCHIVE> [OUTPUT_DIR]

Examples

# Extract archive to current directory
exarch extract archive.tar.gz

# Extract to specific directory
exarch extract archive.zip /tmp/output

# Extract with JSON output for scripting
exarch extract --json archive.tar.xz | jq '.data.files_extracted'

# Extract with verbose output
exarch extract --verbose archive.tar.gz

# Increase security limits for large archives
exarch extract --max-files 50000 --max-total-size 50G large-archive.tar.gz

# Allow symlinks for trusted archives
exarch extract --allow-symlinks trusted-source.tar

Security Options

Option                    Default  Description
--max-files               10000    Maximum number of files to extract
--max-total-size          -        Maximum total extracted size (supports K/M/G/T suffixes)
--max-file-size           -        Maximum single file size
--max-compression-ratio   100      Maximum compression ratio (zip bomb protection)
--allowed-extensions               Extract only entries whose extension is in the allowlist (repeatable; comma-separated values accepted; leading dots optional)
--allow-symlinks          false    Allow symlinks (within extraction directory)
--allow-hardlinks         false    Allow hardlinks (within extraction directory)
--preserve-permissions    false    Preserve file permissions from archive
--force                   false    Overwrite existing files

Caution

Only use --allow-symlinks and --allow-hardlinks with archives from trusted sources. These options can be exploited by malicious archives.

Create Command

Create archives from files and directories:

exarch create [OPTIONS] <OUTPUT> <SOURCES>...

Examples

# Create tar.gz from directory
exarch create backup.tar.gz ./src

# Create from multiple sources
exarch create project.tar.gz src/ Cargo.toml README.md

# Create ZIP with maximum compression
exarch create -l 9 archive.zip ./data

# Exclude patterns
exarch create backup.tar.gz ./project --exclude "*.log" --exclude "target/"

# Include hidden files
exarch create backup.tar.gz ./project --include-hidden

# Overwrite existing archive
exarch create -f backup.tar.gz ./src

Create Options

Option                Short  Description
--compression-level   -l     Compression level (1-9, default: 6)
--follow-symlinks            Follow symbolic links
--include-hidden             Include hidden files
--exclude             -x     Exclude pattern (repeatable)
--strip-prefix               Strip path prefix
--force               -f     Overwrite existing file
--quiet               -q     Suppress output
--json                       Output JSON format

Tip

Archive format is detected from the output file extension. Supported formats: .tar, .tar.gz, .tar.bz2, .tar.xz, .tar.zst, .zip

Caution

Since v0.4.0, create rejects ZIP-family alias extensions (.apk, .jar, .whl, .epub, .war, .ear, .aab, .ipa, .appx, .msix, .vsix, .nbm) when format inference is left to the file extension. These containers require extra structure (signing, manifests, ordering) that exarch doesn't produce.

Shell Completion

Generate completion scripts for your shell:

# bash
exarch completion bash > /usr/local/etc/bash_completion.d/exarch

# zsh
exarch completion zsh > ${fpath[1]}/_exarch

# fish
exarch completion fish > ~/.config/fish/completions/exarch.fish

# PowerShell
exarch completion powershell | Out-String | Invoke-Expression

# elvish
exarch completion elvish > ~/.config/elvish/lib/exarch.elv

Output Modes

Human-readable (default)

Extraction complete
  Files extracted: 1,523
  Directories: 87
  Total size: 42.3 MB

JSON output (--json)

{
  "operation": "extract",
  "status": "success",
  "data": {
    "files_extracted": 1523,
    "directories_created": 87,
    "symlinks_created": 0,
    "bytes_written": 44396032
  }
}

Tip

Use JSON output with jq for scripting: exarch extract --json archive.tar.gz | jq '.data.files_extracted'

Security

exarch is designed with security as a primary concern, protecting against common archive vulnerabilities:

Vulnerability                       Protection
Path traversal (CVE-2025-4517)      Blocks ../ and absolute paths by default
Symlink escape (CVE-2024-12905)     Validates symlink targets stay within extraction dir
Hardlink attacks (CVE-2025-48387)   Validates hardlink targets
Zip bombs (42.zip)                  Configurable compression ratio limit (default: 100:1)
Resource exhaustion                 File count and size quotas
Permission escalation               Permission sanitization by default

Note

All security checks are enabled by default. Use --allow-* flags only for trusted archives.
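
The checks in the table above can be pictured as validation run on each entry before anything is written. The sketch below is an added example, not exarch's or exarch-core's own code: the function names and the Reject enum are hypothetical, and only the 100:1 ratio is taken from this page. It is purely lexical, so it does not account for links already present on disk.

```rust
use std::path::{Component, Path};
#[derive(Debug, PartialEq)]
enum Reject { AbsolutePath, ParentEscape, SymlinkEscape, RatioExceeded }

// Entry names: refuse absolute paths and any `..` component outright.
fn check_entry(name: &str) -> Result<(), Reject> {
    for c in Path::new(name).components() {
        match c {
            Component::RootDir | Component::Prefix(_) => return Err(Reject::AbsolutePath),
            Component::ParentDir => return Err(Reject::ParentEscape),
            _ => {}
        }
    }
    Ok(())
}

// Walk `p` from `start` levels below the extraction root, without disk access.
// None if `p` is absolute or ever climbs above the root.
fn depth_within(start: usize, p: &Path) -> Option<usize> {
    let mut depth = start;
    for c in p.components() {
        match c {
            Component::Normal(_) => depth += 1,
            Component::CurDir => {}
            Component::ParentDir => depth = depth.checked_sub(1)?,
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(depth)
}

// A symlink target is resolved relative to the directory holding the link.
fn check_symlink(link: &str, target: &str) -> Result<(), Reject> {
    check_entry(link)?;
    let parent = Path::new(link).parent().unwrap_or(Path::new(""));
    let start = depth_within(0, parent).ok_or(Reject::SymlinkEscape)?;
    depth_within(start, Path::new(target)).map(|_| ()).ok_or(Reject::SymlinkEscape)
}

// Multiply instead of dividing so a zero-byte compressed size cannot panic.
fn check_ratio(compressed: u64, uncompressed: u64, max_ratio: u64) -> Result<(), Reject> {
    if uncompressed > compressed.saturating_mul(max_ratio) { Err(Reject::RatioExceeded) } else { Ok(()) }
}

fn main() {
    // Constructed sample entries, not taken from a real archive.
    println!("{:?}", check_entry("../../etc/cron.d/job"));
    println!("{:?}", check_symlink("a/link", "../../etc/passwd"));
    println!("{:?}", check_ratio(1_000, 100_001, 100));
}
```

A link such as a/b/link pointing to ../c passes, because the target still resolves inside the extraction directory.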

Supported Formats

Format Extension Extract Create List Verify
TAR .tar
TAR + gzip .tar.gz, .tgz
TAR + bzip2 .tar.bz2, .tbz2
TAR + xz .tar.xz, .txz
TAR + zstd .tar.zst, .tzst
ZIP .zip
7z .7z

Note

7z creation is not yet supported. Solid and encrypted 7z archives are rejected for security reasons.

Development

# Build
cargo build -p exarch-cli

# Run tests
cargo nextest run -p exarch-cli

# Run CLI directly
cargo run -p exarch-cli -- extract tests/fixtures/sample.tar.gz

# Check formatting and lints
cargo +nightly fmt --all -- --check
cargo clippy -p exarch-cli -- -D warnings

Roadmap

  • Phase 1: Foundation - CLI parsing, error handling, output formatting
  • Phase 2: Archive creation functionality
  • Phase 3: List and verify commands
  • Phase 4: Progress bars, shell completions, per-entry verbose output
  • Phase 5: Distribution (Homebrew, apt, releases)

License

Licensed under MIT OR Apache-2.0 - see LICENSE-MIT or LICENSE-APACHE.

Dependencies

~16–24MB
~433K SLoC