The unzip step is vulnerable to zip slip (unpacks outside target directory)


When trying to unpack the sample zip-slip.zip, this happens:

    [Pipeline] unzip
    Extracting from /tmp/zip-slip.zip
    Extracting: good.txt -> /home/jenkins/work/workspace/test-pipeline/good.txt
    Extracting: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt -> /tmp/evil.txt
    Extracted: 2 files

Unpacking those malicious files should fail.

See https://snyk.io/research/zip-slip-vulnerability and https://github.com/jenkinsci/jenkins/pull/3402 for a similar fix in core
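The containment check the report asks for, as an added example that is not the step's own code (the step itself is Java; this is a stand-alone Python illustration of the same rule). All names here (safe_extract, check_entries, build_zip, demo) and the two archives it builds in memory, one benign and one shaped like the report's zip-slip.zip with a long "../" prefix, are constructed for the example. The point it adds beyond the log above: every entry is resolved against the destination and validated before anything is written, so a bad entry anywhere in the archive rejects the whole archive, instead of good.txt already being on disk when evil.txt is reached.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, target: Path) -> bool:
    """Return True when the fully resolved target path lies inside base."""
    try:
        target.relative_to(base)  # component-wise, so /ws2/x is not inside /ws
        return True
    except ValueError:
        return False


def check_entries(zf: zipfile.ZipFile, base: Path) -> None:
    """Validate every entry before anything is written, so one bad entry
    rejects the whole archive rather than half-extracting it."""
    for info in zf.infolist():
        # Join and resolve: '..' components and absolute names collapse here,
        # then the result is compared against the destination directory.
        target = (base / info.filename).resolve()
        if not is_within(base, target):
            raise ValueError(
                f"zip slip: entry {info.filename!r} would be written to {target}"
            )


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract an archive into dest, refusing any entry that escapes it.
    Returns the names of the regular files that were written."""
    base = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        check_entries(zf, base)  # nothing touches disk until this passes
        for info in zf.infolist():
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive; entry names are stored verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor on a constructed benign archive and a constructed
    zip-slip archive (same shape as the report's sample), in temp directories."""
    with tempfile.TemporaryDirectory() as tmp:
        ws_ok = os.path.join(tmp, "workspace-ok")
        ws_bad = os.path.join(tmp, "workspace-bad")
        os.makedirs(ws_ok)
        os.makedirs(ws_bad)
        benign = build_zip({"good.txt": b"hello\n"})
        slip = build_zip({
            "good.txt": b"hello\n",
            "../" * 40 + "tmp/evil.txt": b"must never land on disk\n",
        })
        benign_written = safe_extract(benign, ws_ok)
        try:
            safe_extract(slip, ws_bad)
            rejected = False
        except ValueError:
            rejected = True
        # Validation ran first, so the malicious archive wrote nothing at all.
        bad_ws_untouched = os.listdir(ws_bad) == []
    return {
        "benign_written": benign_written,
        "rejected": rejected,
        "bad_ws_untouched": bad_ws_untouched,
    }


if __name__ == "__main__":
    print(demo())
```

Note that zipfile stores symlink entries as ordinary files, so resolving the entry name is sufficient here; an extractor that materialises symlink entries has to apply the same containment check to the link target as well.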

Assignee: rsandell
Reporter: Tobias Gruetzmacher
Archiver: Jenkins Service Account
