Introduced protections against "zip slip" attacks
pixeebot[bot] authored Jun 3, 2024
1 parent 550b7c9 commit c5df725
Showing 1 changed file with 2 additions and 1 deletion.
@@ -8,6 +8,7 @@

package org.elasticsearch.plugins.cli;

import io.github.pixee.security.ZipSecurity;
import org.apache.lucene.search.spell.LevenshteinDistance;
import org.apache.lucene.util.CollectionUtil;
import org.apache.lucene.util.Constants;
@@ -776,7 +777,7 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException
final Path target = stagingDirectory(pluginsDir);
pathsToDeleteOnShutdown.add(target);

try (ZipInputStream zipInput = new ZipInputStream(Files.newInputStream(zip))) {
try (ZipInputStream zipInput = ZipSecurity.createHardenedInputStream(Files.newInputStream(zip))) {
ZipEntry entry;
byte[] buffer = new byte[8192];
while ((entry = zipInput.getNextEntry()) != null) {
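Review bot: The hardened stream changes how a hostile archive fails in `unzip`: as far as I know, `ZipSecurity.createHardenedInputStream` rejects an absolute or root-escaping entry name by throwing an unchecked `SecurityException` from `getNextEntry()`, which is outside the declared `throws IOException, UserException`, so the installer would probably end with a stack trace rather than a clear malformed-plugin message. Consider closing the `try` with `catch (SecurityException e) { throw new UserException(<EXIT_CODE>, "plugin zip contains an unsafe entry: " + e.getMessage()); }`, where `<EXIT_CODE>` is whatever code this file already uses for malformed plugins. The wrapper inspects entry names only, so any check in the loop body that the resolved path stays under `target` should be kept rather than treated as redundant (the body continues outside this hunk), and a one-line comment on the `try` saying so would help. The commit also touches a single file, so the `io.github.pixee` dependency must already be declared, pinned and verified in the build for the new import to resolve.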