Type: Bug
Resolution: Unresolved
Priority: Minor
When trying to unpack the sample zip-slip.zip, this happens:
[Pipeline] unzip
Extracting from /tmp/zip-slip.zip
Extracting: good.txt -> /home/jenkins/work/workspace/test-pipeline/good.txt
Extracting: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt -> /tmp/evil.txt
Extracted: 2 files
Unpacking an archive containing such entries should fail instead of writing files outside the target directory.
See https://snyk.io/research/zip-slip-vulnerability for background and https://github.com/jenkinsci/jenkins/pull/3402 for a similar fix in core.
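As an added illustration (not the plugin's or Jenkins core's code), a Java extraction loop with the kind of containment check the linked core fix applies: each entry's normalized destination must stay under the target directory, otherwise the step aborts. The archive is constructed inline to mirror the report's zip-slip.zip; the SafeUnzip class and method names are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Containment check: the entry's normalized destination must stay under destDir.
    // normalize() is lexical, so it also rejects absolute entry names; if destDir may
    // already contain symlinks, compare toRealPath() of the parent directory as well.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path target = destDir.resolve(entryName).normalize();
        if (!target.startsWith(destDir)) {
            throw new IOException("Zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    // Extraction loop that fails on the first escaping entry instead of writing it.
    static void unzip(InputStream in, Path destDir) throws IOException {
        Path dir = destDir.toAbsolutePath().normalize();
        try (ZipInputStream zin = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                Path target = resolveEntry(dir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // Constructed fixture mirroring the report: one benign entry, one that climbs out.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("good.txt"));
            zos.write("good".getBytes("UTF-8"));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../../../tmp/evil.txt"));
            zos.write("evil".getBytes("UTF-8"));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path workspace = Files.createTempDirectory("workspace");
        try {
            unzip(new ByteArrayInputStream(sampleZip()), workspace);
        } catch (IOException ex) {
            System.out.println("unzip failed as expected: " + ex.getMessage());
        }
        System.out.println("good.txt in workspace: " + Files.exists(workspace.resolve("good.txt")));
    }
}
```

With this check the benign entry is written and the traversal entry makes the step fail, which is the behaviour the report asks for.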