Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-51802

The unzip steps is vulnerabe to zip slip (unpacks outside target directory)

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When trying to unpack the sample zip-slip.zip, this happens:

      [Pipeline] unzip
      Extracting from /tmp/zip-slip.zip
      Extracting: good.txt -> /home/jenkins/work/workspace/test-pipeline/good.txt
      Extracting: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt -> /tmp/evil.txt
      Extracted: 2 files
      

      Unpacking those malicious files should fail.

      See https://snyk.io/research/zip-slip-vulnerability and https://github.com/jenkinsci/jenkins/pull/3402 for a similar fix in core

        Attachments

          Activity

            People

            Assignee:
            rsandell rsandell
            Reporter:
            tgr Tobias Gruetzmacher
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: