Reject archives containing only one file (#143)

Add validation to reject zip archives that contain only a single file,
since users should upload single files directly without wrapping them
in an archive.

Changes:
- Add get_archive_file_count() and is_single_file_archive() to archive.py
- Use is_single_file_archive() in crackme and solution controllers
- Update upload guidance in templates to clarify this rule
- Update FAQ with this rejection reason

Closes #139

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: xusheng6

app/controllers/crackme.py

@@ -21,7 +21,7 @@
 from app.services.recaptcha import verify as verify_recaptcha
 from app.services.limiter import limit
 from app.services.view import FLASH_ERROR, FLASH_SUCCESS, validate_required
-from app.services.archive import is_archive_password_protected
+from app.services.archive import is_archive_password_protected, is_single_file_archive, is_unsupported_archive
 from app.services.discord import notify_new_crackme
 from app.controllers.decorators import login_required
 
@@ -190,11 +190,21 @@ def upload_crackme_post():
         flash('This file is too large!', FLASH_ERROR)
         return render_template('crackme/create.html')
 
+    # Check for unsupported archive formats (RAR, tar, etc.)
+    if is_unsupported_archive(file_data):
+        flash('RAR and tar archives are not supported. Please upload a ZIP file for multiple files, or upload single files directly.', FLASH_ERROR)
+        return render_template('crackme/create.html')
+
     # Check for password protection
     if is_archive_password_protected(file_data):
         flash('Password-protected archives are not allowed. Do NOT add a password yourself - the server handles this automatically.', FLASH_ERROR)
         return render_template('crackme/create.html')
-    
+
+    # Check for single-file archives
+    if is_single_file_archive(file_data):
+        flash('Archives containing only one file are not allowed. Please upload the file directly without wrapping it in an archive.', FLASH_ERROR)
+        return render_template('crackme/create.html')
+
     # Store the uploaded file size
     size = len(file_data)
 

app/controllers/solution.py

@@ -14,7 +14,7 @@
 from app.services.recaptcha import verify as verify_recaptcha
 from app.services.limiter import limit
 from app.services.view import FLASH_ERROR, FLASH_SUCCESS
-from app.services.archive import is_archive_password_protected, is_pe_file
+from app.services.archive import is_archive_password_protected, is_pe_file, is_single_file_archive, is_unsupported_archive
 from app.services.discord import notify_new_solution
 from app.controllers.decorators import login_required
 
@@ -90,11 +90,21 @@ def upload_solution_post(hexidcrackme):
         print(f"Error reading file: {e}")
         abort(500)
 
+    # Check for unsupported archive formats (RAR, tar, etc.)
+    if is_unsupported_archive(data):
+        flash('RAR and tar archives are not supported. Please upload a ZIP file for multiple files, or upload single files directly.', FLASH_ERROR)
+        return redirect(f'/upload/solution/{hexidcrackme}')
+
     # Check for password-protected archives
     if is_archive_password_protected(data):
         flash('Password-protected archives are not allowed. Do NOT add a password yourself - the server handles this automatically.', FLASH_ERROR)
         return redirect(f'/upload/solution/{hexidcrackme}')
 
+    # Check for single-file archives
+    if is_single_file_archive(data):
+        flash('Archives containing only one file are not allowed. Please upload the file directly without wrapping it in an archive.', FLASH_ERROR)
+        return redirect(f'/upload/solution/{hexidcrackme}')
+
     # Check for PE files (patched binaries are not allowed)
     if is_pe_file(file.filename, data):
         flash('Executable files (PE binaries) are not allowed as solutions. '

app/services/archive.py

@@ -3,9 +3,11 @@
 """
 
 import zipfile
+import tarfile
 import io
 import struct
 
+
 # PE file extensions (case-insensitive)
 PE_EXTENSIONS = {'.exe', '.dll', '.sys', '.scr', '.ocx', '.com', '.drv', '.cpl', '.efi'}
 
@@ -57,6 +59,116 @@ def is_pe_file(filename: str, file_data: bytes) -> bool:
     return False
 
 
+def _is_metadata_file(filename: str) -> bool:
+    """Check if a file is a metadata file that should be ignored when counting.
+
+    Args:
+        filename: The filename/path within the archive
+
+    Returns:
+        True if the file is a metadata file, False otherwise
+    """
+    # macOS resource fork files and metadata
+    if filename.startswith('__MACOSX/'):
+        return True
+    # macOS AppleDouble files (resource forks)
+    basename = filename.rsplit('/', 1)[-1]
+    if basename.startswith('._'):
+        return True
+    # macOS .DS_Store files
+    if basename == '.DS_Store':
+        return True
+    return False
+
+
+def is_rar_file(file_data: bytes) -> bool:
+    """Check if file is a RAR archive by magic bytes."""
+    # RAR magic: "Rar!" (0x52 0x61 0x72 0x21)
+    return file_data[:4] == b'Rar!'
+
+
+def is_tar_file(file_data: bytes) -> bool:
+    """Check if file is a tar archive (including .tar.gz, .tar.bz2, .tar.xz)."""
+    # Check for gzip magic (1f 8b) - could be .tar.gz
+    if file_data[:2] == b'\x1f\x8b':
+        try:
+            with tarfile.open(fileobj=io.BytesIO(file_data)) as tf:
+                return True
+        except Exception:
+            return False
+
+    # Check for bzip2 magic (42 5a 68) - could be .tar.bz2
+    if file_data[:3] == b'BZh':
+        try:
+            with tarfile.open(fileobj=io.BytesIO(file_data)) as tf:
+                return True
+        except Exception:
+            return False
+
+    # Check for xz magic (fd 37 7a 58 5a 00) - could be .tar.xz
+    if file_data[:6] == b'\xfd7zXZ\x00':
+        try:
+            with tarfile.open(fileobj=io.BytesIO(file_data)) as tf:
+                return True
+        except Exception:
+            return False
+
+    # Check for plain tar (ustar at offset 257)
+    if len(file_data) > 262 and file_data[257:262] == b'ustar':
+        return True
+
+    return False
+
+
+def is_unsupported_archive(file_data: bytes) -> bool:
+    """Check if file is an unsupported archive format (RAR, tar, etc.).
+
+    Only ZIP files are supported for multi-file uploads.
+    """
+    return is_rar_file(file_data) or is_tar_file(file_data)
+
+
+def get_archive_file_count(file_data: bytes) -> int | None:
+    """Get the number of files in a ZIP archive.
+
+    Returns None if the file is not a valid ZIP archive.
+    Excludes metadata files (macOS __MACOSX, .DS_Store, ._ files) from the count.
+
+    Args:
+        file_data: The binary content of the archive file
+
+    Returns:
+        Number of files in the archive, or None if not a valid ZIP archive
+    """
+    try:
+        with zipfile.ZipFile(io.BytesIO(file_data), 'r') as zf:
+            file_count = sum(
+                1 for info in zf.infolist()
+                if not info.is_dir() and not _is_metadata_file(info.filename)
+            )
+            return file_count
+    except zipfile.BadZipFile:
+        return None
+    except Exception:
+        return None
+
+
+def is_single_file_archive(file_data: bytes) -> bool:
+    """Check if an archive contains only a single file.
+
+    This is used to reject archives that unnecessarily wrap a single file,
+    since users should upload single files directly without archiving them.
+
+    Args:
+        file_data: The binary content of the archive file
+
+    Returns:
+        True if the archive contains exactly one file, False otherwise
+    """
+    file_count = get_archive_file_count(file_data)
+    return file_count == 1
+
+
 def is_archive_password_protected(file_data: bytes) -> bool:
     """Check if an archive file is password-protected.
 

templates/crackme/create.html

@@ -17,7 +17,7 @@ <h3>Quick Rules</h3>
         <li>You must be able to <b>solve your own crackme</b></li>
         <li>Must execute without errors, <b>no network connections</b> except localhost</li>
         <li>Provide clear information about input/output and how to solve it</li>
-        <li>Do NOT password-protect your archive (server handles this)</li>
+        <li>Upload single files directly. If you have multiple files, put them in a zip archive without a password (server handles encryption)</li>
     </ol>
 
     <p>Read the full <a href="/upload/crackmerules">crackme submission rules</a> for detailed guidelines.</p>

templates/faq/faq.html

@@ -76,7 +76,7 @@ <h3 id="writeup-rejected">Why was my writeup rejected? <a href="#writeup-rejecte
             <li>Only providing a password, serial, key, or executable without explanation</li>
             <li>Patching the binary when the expected solution is to keygen or find the password</li>
             <li>Insufficient detail about the solving process</li>
-            <li>Password-protected archive (server handles this automatically)</li>
+            <li>Single file wrapped in an archive, or password-protected archive</li>
         </ul>
         <p>Review the <a href="/upload/writeuprules">writeup submission rules</a>, improve your writeup with detailed explanations, and resubmit. Remember: we want others to learn from your solution!</p>
         <div class="divider"></div>
@@ -112,7 +112,7 @@ <h3 id="crackme-rejected">Why was my crackme rejected? <a href="#crackme-rejecte
         <p>Review the complete <a href="/upload/crackmerules">crackme submission rules</a>, fix the issues, and resubmit. If you're unsure why your crackme was rejected, contact us at crackmesone@gmail.com.</p>
         <div class="divider"></div>
         <h3 id="upload-size-limit">What is the maximum file size for uploads? <a href="#upload-size-limit" class="anchor-link">#</a></h3>
-        <p>The maximum file size for both crackme and writeup uploads is <b>10 MB</b> (10,485,760 bytes). If you need to include additional files or resources, compress them into a single archive. Do not password-protect your archive - the server handles compression and password protection automatically.</p>
+        <p>The maximum file size for both crackme and writeup uploads is <b>10 MB</b> (10,485,760 bytes). Upload single files directly. If you have multiple files, put them in a zip archive without a password (server handles encryption).</p>
         <div class="divider"></div>
         <h3 id="getting-started">How do I get started with reverse engineering? <a href="#getting-started" class="anchor-link">#</a></h3>
         <p>If you're new to reverse engineering, here are some steps to get started:</p>

templates/rules/crackmerules.html

@@ -48,7 +48,7 @@ <h3>Requirements</h3>
 
             <li><b>Educational purpose only.</b> No cracks/keygens for commercial software, game trainers, or DRM circumvention tools.</li>
 
-            <li><b>Maximum file size: 5 MB.</b> Compress multiple files into a single archive. Do NOT password-protect it (server handles this).</li>
+            <li><b>Maximum file size: 5 MB.</b> Upload single files directly. If you have multiple files, put them in a zip archive without a password (server handles encryption).</li>
 
             <li><b>English language.</b> Display text and upload description must be in English.</li>
         </ol>

templates/rules/solutionrules.html

@@ -10,7 +10,7 @@ <h2>Writeup Submission Rules</h2>
         <p>It is important to think of these more as walkthroughs than simple solution submissions. Essentially, another user should be able to open your writeup and understand how you got there.</p>
         <ol>
             <li>Writeups should include text, doc or docx, md, pdf, etc. files detailing how you solved the crackme. Writeups can contain an executable file but should not exclusively contain an executable file.</li>
-            <li>Writeups should not be compressed with a password. Our server handles the compression and passwords. Compressing is okay if you want to submit multiple files, but do not make it password-protected.</li>
+            <li>Upload single files directly. If you have multiple files, put them in a zip archive without a password (server handles encryption).</li>
             <li>Writeups should contain more than just a flag, password, serial, binary, etc. They should contain detailed information about how you got to a writeup.</li>
             <li>Check the writeup to ensure it adequately solves the crackme. For example, if a crackme requests a keygen and you submit a detailed writeup and executable that serves as the keygen, please ensure the keygen produces valid keys.</li>
             <li>While external links to blog posts or websites are allowed, we would prefer if most of the writeup information was self-contained. If you'd like to copy and paste some of the stuff from your blog/website into your writeup and leave a link back to your blog/website, you are more than welcome to do so.</li>

templates/solution/create.html

@@ -13,6 +13,7 @@ <h2>Upload a Writeup</h2>
         <li>Please do NOT submit a patched crackme unless that crackme specifies that patching is intended (patchme).</li>
         <li>Please do NOT exclusively submit a password, serial, key, executable, solving script, etc. We want people to be able to learn from your writeup.</li>
         <li>Please submit your writeup in English.</li>
+        <li>Upload single files directly. If you have multiple files, put them in a zip archive without a password (server handles encryption).</li>
     </ol>
 
     <p>Read a full list of rules <a href="/upload/writeuprules">here</a></p>