JENKINS-51802

The unzip step is vulnerable to zip slip (unpacks outside target directory)


      When trying to unpack the sample zip-slip.zip, this happens:

      [Pipeline] unzip
      Extracting from /tmp/zip-slip.zip
      Extracting: good.txt -> /home/jenkins/work/workspace/test-pipeline/good.txt
      Extracting: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt -> /tmp/evil.txt
      Extracted: 2 files
      

      Unpacking those malicious files should fail.

      See https://snyk.io/research/zip-slip-vulnerability and https://github.com/jenkinsci/jenkins/pull/3402 for a similar fix in core

            rsandell rsandell
            tgr Tobias Gruetzmacher
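The containment check the report asks for, as an added illustration that is not the plugin's code or the fix from the linked core PR: an in-memory archive is constructed with one benign entry, one nested entry and one entry whose name climbs out of the extraction root (the sample zip-slip.zip itself is not reproduced), and a small extractor resolves each entry against the target directory and refuses to write anything that lands outside it. The extractor reads entries through `ZipFile.open` and writes them itself, because Python's own `extractall` already strips `..` components and would hide the check being demonstrated. The names `build_sample_zip`, `is_contained`, `safe_extract` and `demo` are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the zip-slip.zip from the report).

    ZipFile stores entry names verbatim, so nothing stops a '..' path
    from being written into the central directory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "benign content\n")
        zf.writestr("../../../../../../tmp/evil.txt", "planted outside the workspace\n")
        zf.writestr("sub/nested.txt", "benign, in a subdirectory\n")
    return buf.getvalue()


def is_contained(target_dir: str, entry_name: str) -> bool:
    """True only if entry_name resolves to a path inside target_dir.

    realpath() normalises '..' segments and symlinked roots on both sides
    before the prefix comparison; the trailing separator stops
    '/tmp/work' from being accepted as a prefix of '/tmp/workspace'.
    """
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, entry_name))
    return dest == root or dest.startswith(root + os.sep)


def safe_extract(zip_bytes: bytes, target_dir: str):
    """Extract entries that stay inside target_dir; collect the rest.

    Returns (extracted_names, rejected_names). A rejected entry is never
    written anywhere, which is the behaviour the report asks for.
    """
    extracted, rejected = [], []
    root = os.path.realpath(target_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names and backslash separators are other ways to
            # escape the root, so they are refused up front.
            if name.startswith(("/", "\\")) or "\\" in name or not is_contained(root, name):
                rejected.append(name)
                continue
            dest = os.path.join(root, name)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with zf.open(info) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the extractor against the constructed archive in a throwaway
    workspace and report what was written and what was refused."""
    with tempfile.TemporaryDirectory() as workspace:
        extracted, rejected = safe_extract(build_sample_zip(), workspace)
        with open(os.path.join(workspace, "good.txt")) as fh:
            good = fh.read()
        return {
            "extracted": extracted,
            "rejected": rejected,
            "good_content": good,
            # The traversal entry must not have been materialised under the
            # workspace either (i.e. it was refused, not merely relocated).
            "evil_under_workspace": os.path.exists(os.path.join(workspace, "tmp", "evil.txt")),
        }


if __name__ == "__main__":
    result = demo()
    for name in result["extracted"]:
        print(f"Extracted: {name}")
    for name in result["rejected"]:
        print(f"Rejected (outside target directory): {name}")
```

The comparison is done on canonical paths rather than on the raw entry name, so a name such as `sub/../good.txt` is still accepted while `../ws2/x` or an absolute `/etc/passwd` is refused even when the target directory is itself a symlink.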