If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email security@doom.fish or use GitHub's private vulnerability reporting
- Include steps to reproduce and any relevant details
We aim to respond within 48 hours and release a fix within 7 days for critical issues.
| Version | Supported |
|---|---|
| 5.x | ✅ Active |
| < 5.0 | ❌ EOL |
The crypto feature enables decryption of encrypted RAR archives:
- RAR5: AES-256-CBC, with the key derived by PBKDF2-HMAC-SHA256 from the password and the salt stored in the archive
- RAR4: AES-128-CBC, with the key derived by RAR's own iterated SHA-1 construction (a legacy scheme, not PBKDF2, and weaker than the RAR5 derivation)
Passwords are held in memory only while headers are parsed and data is decompressed; the library does not persist them.
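That statement covers the library's own copies of the password; the copy the caller passed in is the caller's responsibility. The following is an added example, not part of the library's API: a caller-side holder (the names `Password` and `wipe` are assumptions) that keeps the secret in one fixed-capacity buffer, wipes it with volatile stores on drop so the optimiser cannot delete the final overwrite, and redacts itself in Debug output so a panic message or log line never leaks it.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite `buf` with zeros using volatile stores. A plain `fill(0)`
/// immediately before the buffer is freed is a dead store the optimiser
/// may legally remove; `write_volatile` forces every byte to be written.
pub fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed byte of `buf`.
        unsafe { ptr::write_volatile(b, 0) };
    }
    // Keep later code from being reordered ahead of the stores.
    compiler_fence(Ordering::SeqCst);
}

/// Caller-side holder for an archive password (hypothetical type, not the
/// library's). The bytes live in one buffer that is wiped on drop.
pub struct Password {
    bytes: Vec<u8>,
}

impl Password {
    /// Copy the secret once, with exact capacity: a Vec that is never grown
    /// never reallocates, so no stale copy is left behind in a freed block.
    pub fn new(secret: &str) -> Self {
        let mut bytes = Vec::with_capacity(secret.len());
        bytes.extend_from_slice(secret.as_bytes());
        Password { bytes }
    }

    /// Borrow for the duration of a decrypt call; never hand out an owned copy.
    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes
    }

    /// Wipe in place and return how many bytes were cleared. Drop does the
    /// same; this exists so the wipe can be observed directly.
    pub fn clear(&mut self) -> usize {
        wipe(&mut self.bytes);
        self.bytes.len()
    }
}

impl Drop for Password {
    fn drop(&mut self) {
        wipe(&mut self.bytes);
    }
}

/// Redacted Debug: `{:?}` on anything holding a Password prints no secret.
impl fmt::Debug for Password {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Password(<{} bytes redacted>)", self.bytes.len())
    }
}

fn main() {
    // Constructed sample secret for the demonstration.
    let mut pw = Password::new("correct horse battery staple");
    println!("{:?}", pw); // Password(<28 bytes redacted>)
    println!("bytes available to a decrypt call: {}", pw.as_bytes().len());
    let cleared = pw.clear();
    println!("cleared {} bytes, now {:?}", cleared, pw.as_bytes());
}
```

Two caveats the wrapper cannot remove: the `&str` the caller built the `Password` from still holds its own plaintext copy until that value is dropped (and a `String` is not wiped on drop), and any reallocation of the buffer (growing a Vec, converting to a String) leaves the old block's contents behind. Keeping the secret in one never-grown buffer and borrowing it rather than cloning it is what makes the wipe meaningful.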
This library uses `unsafe` in performance-critical decompression hot paths. All unsafe blocks:
- Have `// SAFETY:` comments explaining the invariants they rely on
- Are validated by Miri in CI on every push
- Are covered by 6 fuzz targets that run in CI
Continuous fuzzing with cargo-fuzz covers header parsing and decompression for both RAR4 and RAR5 formats. See fuzz/ for targets.
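As an added illustration of the two points above (it is example code written for this page, not a hot path from the library), here is the shape such an unsafe block takes and how a fuzz target checks it. The LZ77/LZSS back-reference copy is the step every RAR decoder runs in its inner loop: append `len` bytes, each taken from `dist` bytes behind the write position. Overlapping matches (`dist < len`) must replicate bytes written earlier in the same call, so a memcpy is wrong; the raw-pointer loop below carries a `// SAFETY:` comment naming exactly the invariants the safe wrapper checks, and a bounds-checked reference version serves as the oracle a fuzz target compares it against. The names `copy_match`, `copy_match_safe`, `MatchError` and `differential_check` are assumptions for this example.

```rust
use std::fmt;

/// Error returned when a back-reference points outside the data already
/// decoded. Distances are 1-based: `dist == 1` repeats the last byte.
#[derive(Debug, PartialEq, Eq)]
pub enum MatchError {
    BadDistance { dist: usize, available: usize },
}

impl fmt::Display for MatchError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            MatchError::BadDistance { dist, available } => write!(
                f,
                "back-reference distance {} exceeds {} decoded bytes",
                dist, available
            ),
        }
    }
}

/// Append `len` bytes to `out`, each copied from `dist` bytes behind the
/// write position. The validation here is the whole safety argument.
pub fn copy_match(out: &mut Vec<u8>, dist: usize, len: usize) -> Result<(), MatchError> {
    if dist == 0 || dist > out.len() {
        return Err(MatchError::BadDistance { dist, available: out.len() });
    }
    if len == 0 {
        return Ok(());
    }
    let start = out.len();
    out.reserve(len);
    // SAFETY:
    // - `reserve(len)` guarantees capacity >= start + len, so every write at
    //   `dst + i` (i < len) lies inside the allocation.
    // - Every read at `src + i` is index start - dist + i. For i < dist that
    //   is below `start`, i.e. initialised before this call; for i >= dist it
    //   is the byte this loop wrote at iteration i - dist. Because dist > 0
    //   the read index is always strictly below the write index.
    // - `set_len(start + len)` runs only after all `len` bytes are written.
    // - No `&`/`&mut` into the buffer is live across the loop; all access goes
    //   through pointers derived from the single `as_mut_ptr()` call.
    unsafe {
        let base = out.as_mut_ptr();
        let src = base.add(start - dist);
        let dst = base.add(start);
        for i in 0..len {
            dst.add(i).write(src.add(i).read());
        }
        out.set_len(start + len);
    }
    Ok(())
}

/// Obviously-correct reference version: bounds-checked, one push per byte.
/// Slower, but the oracle the unsafe path is compared against.
pub fn copy_match_safe(out: &mut Vec<u8>, dist: usize, len: usize) -> Result<(), MatchError> {
    if dist == 0 || dist > out.len() {
        return Err(MatchError::BadDistance { dist, available: out.len() });
    }
    for _ in 0..len {
        let b = out[out.len() - dist];
        out.push(b);
    }
    Ok(())
}

/// Differential check: both implementations get the same (history, dist, len)
/// and must agree on the result and on the error. A cargo-fuzz target would
/// take these three values from the fuzzer's byte input instead.
pub fn differential_check(history: &[u8], dist: usize, len: usize) -> bool {
    let mut fast = history.to_vec();
    let mut slow = history.to_vec();
    let agree = copy_match(&mut fast, dist, len) == copy_match_safe(&mut slow, dist, len);
    agree && fast == slow
}

fn main() {
    // Constructed inputs: a three-byte history and a few (dist, len) pairs,
    // including the overlapping run-length case dist = 1 and an invalid dist.
    let mut out = b"abc".to_vec();
    copy_match(&mut out, 3, 7).expect("valid match");
    println!("{}", String::from_utf8_lossy(&out)); // abcabcabca
    for &(d, l) in &[(0usize, 4usize), (1, 5), (3, 7), (4, 1)] {
        println!("dist={} len={} agree={}", d, l, differential_check(b"abc", d, l));
    }
}
```

The check that makes the block sound (`dist == 0 || dist > out.len()`) sits in safe code, so Miri sees every pointer access justified by a condition it can observe. Running `cargo miri test` over `differential_check` with overlapping and out-of-range inputs is what "validated by Miri" buys: a read of uninitialised memory or an out-of-bounds write is reported on the offending line rather than silently producing corrupt output.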
The core library has zero dependencies. Optional features add audited, well-known crates:
| Feature | Dependencies |
|---|---|
| async | tokio |
| crypto | aes, cbc, pbkdf2, sha2, sha1 |
| parallel | rayon, crossbeam-channel |
| napi | napi, napi-derive |
cargo audit runs in CI on every push and checks every dependency against the RustSec advisory database for known vulnerabilities.