.github/workflows/benchmark.yml

@@ -16,7 +16,7 @@ jobs:
       with:
         ref: master
     - name: Install Go
-      uses: actions/setup-go@v5.1.0
+      uses: actions/setup-go@v5.2.0
       with:
         go-version-file: 'go.mod'
 

.github/workflows/codeql.yml

@@ -23,10 +23,10 @@ jobs:
         uses: actions/checkout@v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3.27.1
+        uses: github/codeql-action/init@v3.28.0
         with:
           languages: go
           queries: security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3.27.1
+        uses: github/codeql-action/analyze@v3.28.0

.github/workflows/go.yml

@@ -15,7 +15,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v4.2.2
     - name: Install Go
-      uses: actions/setup-go@v5.1.0
+      uses: actions/setup-go@v5.2.0
       with:
         go-version-file: 'go.mod'
     - name: Run linters
@@ -30,7 +30,7 @@ jobs:
       uses: actions/checkout@v4.2.2
     - name: Install Go
       if: success()
-      uses: actions/setup-go@v5.1.0
+      uses: actions/setup-go@v5.2.0
       with:
         go-version-file: 'go.mod'
     - run: go test -race ./...

go.mod

@@ -2,7 +2,7 @@ module github.com/gabriel-vasile/mimetype
 
 go 1.20
 
-require golang.org/x/net v0.31.0
+require golang.org/x/net v0.33.0
 
 // v1.4.4 had a test file detected as malicious by antivirus software. #575
 retract v1.4.4

go.sum

@@ -1,2 +1,2 @@
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=

internal/magic/archive.go

@@ -52,10 +52,15 @@ func InstallShieldCab(raw []byte, _ uint32) bool {
 }
 
 // Zstd matches a Zstandard archive file.
+// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md
 func Zstd(raw []byte, limit uint32) bool {
-	return len(raw) >= 4 &&
-		(0x22 <= raw[0] && raw[0] <= 0x28 || raw[0] == 0x1E) && // Different Zstandard versions.
-		bytes.HasPrefix(raw[1:], []byte{0xB5, 0x2F, 0xFD})
+	if len(raw) < 4 {
+		return false
+	}
+	sig := binary.LittleEndian.Uint32(raw)
+	// Check for Zstandard frames and skippable frames.
+	return (sig >= 0xFD2FB522 && sig <= 0xFD2FB528) ||
+		(sig >= 0x184D2A50 && sig <= 0x184D2A5F)
 }
 
 // CRX matches a Chrome extension file: a zip archive prepended by a package header.

internal/magic/zip.go

@@ -110,3 +110,22 @@ func zipContains(raw, sig []byte, msoCheck bool) bool {
 	}
 	return false
 }
+
+// APK matches an Android Package Archive.
+// The source of signatures is https://github.com/file/file/blob/1778642b8ba3d947a779a36fcd81f8e807220a19/magic/Magdir/archive#L1820-L1887
+func APK(raw []byte, _ uint32) bool {
+	apkSignatures := [][]byte{
+		[]byte("AndroidManifest.xml"),
+		[]byte("META-INF/com/android/build/gradle/app-metadata.properties"),
+		[]byte("classes.dex"),
+		[]byte("resources.arsc"),
+		[]byte("res/drawable"),
+	}
+	for _, sig := range apkSignatures {
+		if zipContains(raw, sig, false) {
+			return true
+		}
+	}
+
+	return false
+}

mimetype_test.go

@@ -262,6 +262,7 @@ var testcases = []testcase{
 	{"xz", "\xfd7zXZ\x00", "application/x-xz", true},
 	{"zip", "PK\x03\x04", "application/zip", true},
 	{"zst", "(\xb5/\xfd", "application/zstd", true},
+	{"zst skippable frame", "\x50\x2A\x4D\x18", "application/zstd", false},
 }
 
 func TestDetect(t *testing.T) {

supported_mimes.md

@@ -1,4 +1,4 @@
-## 177 Supported MIME types
+## 178 Supported MIME types
 This file is automatically generated when running tests. Do not edit manually.
 
 Extension | MIME type | Aliases
@@ -11,6 +11,7 @@ Extension | MIME type | Aliases
 **.docx** | application/vnd.openxmlformats-officedocument.wordprocessingml.document | -
 **.pptx** | application/vnd.openxmlformats-officedocument.presentationml.presentation | -
 **.epub** | application/epub+zip | -
+**.apk** | application/vnd.android.package-archive | -
 **.jar** | application/jar | -
 **.odt** | application/vnd.oasis.opendocument.text | application/x-vnd.oasis.opendocument.text
 **.ott** | application/vnd.oasis.opendocument.text-template | application/x-vnd.oasis.opendocument.text-template

tree.go

@@ -44,7 +44,11 @@ var (
 		"application/gzip-compressed", "application/x-gzip-compressed",
 		"gzip/document")
 	sevenZ = newMIME("application/x-7z-compressed", ".7z", magic.SevenZ)
-	zip    = newMIME("application/zip", ".zip", magic.Zip, xlsx, docx, pptx, epub, jar, odt, ods, odp, odg, odf, odc, sxc).
+	// APK must be checked before JAR because APK is a subset of JAR.
+	// This means APK should be a child of JAR detector, but in practice,
+	// the decisive signature for JAR might be located at the end of the file
+	// and not reachable because of library readLimit.
+	zip = newMIME("application/zip", ".zip", magic.Zip, xlsx, docx, pptx, epub, apk, jar, odt, ods, odp, odg, odf, odc, sxc).
 		alias("application/x-zip", "application/x-zip-compressed")
 	tar = newMIME("application/x-tar", ".tar", magic.Tar)
 	xar = newMIME("application/x-xar", ".xar", magic.Xar)
@@ -57,6 +61,7 @@ var (
 	pptx = newMIME("application/vnd.openxmlformats-officedocument.presentationml.presentation", ".pptx", magic.Pptx)
 	epub = newMIME("application/epub+zip", ".epub", magic.Epub)
 	jar  = newMIME("application/jar", ".jar", magic.Jar)
+	apk  = newMIME("application/vnd.android.package-archive", ".apk", magic.APK)
 	ole  = newMIME("application/x-ole-storage", "", magic.Ole, msi, aaf, msg, xls, pub, ppt, doc)
 	msi  = newMIME("application/x-ms-installer", ".msi", magic.Msi).
 		alias("application/x-windows-installer", "application/x-msi")