Today, as happens from time to time, I found myself with a RAR file whose provenance I strongly suspected. Archives are always suspicious, since you never know what lay dormant on the system that created them, but this one was particularly suspect. I didn’t want to use WinRAR, in case the extraction process was booby-trapped, so this was my thought process:

  1. I shouldn’t use WinRAR.
  2. Maybe I could use a different program.
  3. But who knows whether a different program will be able to avoid triggering any malicious code?
  4. I should try Windows Sandbox. (This was the point at which I looked up and started installing Windows Sandbox.)
  5. Hold on, I have VirtualBox. I could use a Linux virtual machine to extract it much more safely.
  6. Wait, don’t I use Docker all the time?

So that was how I ended up creating a new Docker Machine, er, machine specifically for extracting archives, mounted my folders to it, and then, within that VM, ran Alpine Linux in Docker with those same folders mounted there, and finally installed and used unrar to extract the files. unrar apparently only exists up to around Alpine Linux 3.14, so I now need something along the lines of docker run -it --rm -v "$(pwd)":/work alpine:3.14.

Speaking of Docker Machine, I’ve been using it since before I upgraded to Windows 10 a few years ago, as the native version wasn’t available for Windows 7. Now that I’m on 10, I am happy to report that I’m still using Machine because Docker for Windows requires Hyper-V, which has too high a performance cost associated with it and prevents you from using regular virtualization software like VirtualBox. I’ve heard that this is no longer the case, so maybe I’ll try it again at some point.

Reporting live from the future, this is what I use now that I’ve got Docker Desktop running on Windows 10 and am able to mount host volumes:

PowerShelldocker run -it --rm -v "$(pwd):/work" -w /work busybox:1.36.1-musl unzip

||-v "$(pwd):/work"mounts the current directory (which should contain the file) and-w /work|| sets that as the working directory to simplify specifying the path.