Fix additional corruption with zips created on linux containing empty directories

This is similar to #36.

Go's zip library has some "interesting" behavior where if you call
zipWriter.CreateHeader with a file header that already contains
extra metadata encoding the last modified time for an empty directory,
it will append the current last modified time to the existing one
stored in the `Extra` field. This leads to corruption similar to #36
where MacOS will refuse to open the zip and `zipinfo -v` will show a
"There are an extra -xxx bytes preceding this file" warning.

I think the Go's library solution to this would be to use CreateRaw,
but we actually do want most of the logic that CreateHeader implements
(see #36 where we switched to CreateHeader). So instead, I just clear
the Extra field in the file header when copying over directories. This
means that directories will have their last modified time reset to the
current date. This is somewhat incorrect, but seems to me like a
reasonable compromise to me.

Author: ddworken

jar/rewrite.go

@@ -123,7 +123,15 @@ func Rewrite(w io.Writer, zr *zip.Reader) error {
 	copyFile:
 		if zipItem.Mode().IsDir() {
 			// Copy() only works on files, so manually create the directory entry
-			if _, err := zw.CreateHeader(&zipItem.FileHeader); err != nil {
+			dirHeader := zipItem.FileHeader
+			// Reset the Extra field which holds the OS-specific metadata that encodes the last
+			// modified time. This is technically incorrect because it means the mitigated
+			// zips that we create will have the last modified timestamp updated. But, if we don't
+			// do this we create invalid zips because `zw.CreateHeader` assumes that `Extra` is empty
+			// and always appends the modified time to the end of `Extra`. We don't use `zw.CreateRaw`
+			// because we want the rest of the logic that `zw.CreateHeader` provides.
+			dirHeader.Extra = make([]byte, 0)
+			if _, err := zw.CreateHeader(&dirHeader); err != nil {
 				return fmt.Errorf("failed to copy zip directory %s: %v", zipItem.Name, err)
 			}
 		} else {

jar/rewrite_test.go

@@ -363,6 +363,8 @@ func TestAutoMitigatedJarsAreCorrectlyFormed(t *testing.T) {
 		"log4j-core-2.1.jar",
 		"safe1.jar",
 		"safe1.signed.jar",
+		"emptydir.zip",
+		"emptydirs.zip",
 	}
 	for _, name := range testCases {
 		t.Run(name, func(t *testing.T) {