Is logstash vulnerable to zip-slip?

Hi,

Similar to a question I asked in the Kibana forum (Is the plugin install exposed to zip-slip?), and prompted by some requests from the local security team, I am looking into whether some of the software we use is exposed to zip-slip.

Digging around in the logstash codebase on github I spotted https://github.com/elastic/logstash/blob/fdda39964d4f5ff40fd4058c1a2faf30f366df2f/lib/bootstrap/util/compress.rb#L21-L30, which looks like it will extract files without checking whether there are any leading '..' components in the path. Similarly https://github.com/elastic/logstash/blob/fdda39964d4f5ff40fd4058c1a2faf30f366df2f/lib/bootstrap/util/compress.rb#L55-L72 does the same for tarfiles.

Checking the ruby stdlib, I don't see anything ignoring files in TarReader if the path contains '..', so presumably it is up to the application to perform such checking.

Looking at where this is used, https://github.com/elastic/logstash/search?p=2&q=LogStash%3A%3AUtil%3A%3AZip&unscoped_q=LogStash%3A%3AUtil%3A%3AZip, it does appear to be used only by the plugin extraction, and so this should only be vulnerable if an admin is persuaded to install a compromised plugin.

It would be nice to confirm whether my understanding is correct, and whether this is the only place that is vulnerable.

Thanks
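For readers wanting to see what the missing check looks like in practice, the following is an added example (not code from the post or from logstash) of the containment check an extractor needs before writing each archive entry, applied to a tar built in memory with rubygems' `Gem::Package::TarWriter`. The entry names in `build_constructed_tar` are constructed fixtures: one benign entry plus two that would land outside the destination. The check resolves each entry name lexically against the destination, rejects absolute and `~`-prefixed names (which `File.expand_path` would otherwise honour), and only then writes the file; entries that fail are recorded rather than extracted.

```ruby
require "rubygems/package"
require "stringio"
require "tmpdir"
require "fileutils"

# Returns the absolute path at which +entry_name+ would be written under +dest+,
# or nil if the entry would escape +dest+ (the zip-slip / tar-slip case).
def safe_extract_path(dest, entry_name)
  dest_abs = File.expand_path(dest)
  # Absolute names and "~" names must be rejected before expansion:
  # File.expand_path would resolve them to locations outside dest.
  return nil if entry_name.start_with?("/", "~")
  target = File.expand_path(entry_name, dest_abs) # collapses "." and ".." lexically
  # Accept only dest itself or a path strictly inside it; the trailing separator
  # stops "/opt/ls-evil" from passing as a child of "/opt/ls".
  return nil unless target == dest_abs || target.start_with?(dest_abs + File::SEPARATOR)
  target
end

# Builds a small tar archive in memory. Entry names are constructed test data:
# the first is a normal plugin file, the other two attempt to escape the target.
def build_constructed_tar
  entries = {
    "plugin/README.md" => "hello\n",
    "../../outside.txt" => "constructed traversal entry\n",
    "/abs/outside.txt" => "constructed absolute entry\n",
  }
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, body|
      tar.add_file_simple(name, 0o644, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# Extracts +tar_bytes+ into +dest+, writing only entries that pass the
# containment check. Returns [extracted_names, skipped_names].
def safe_untar(tar_bytes, dest)
  extracted = []
  skipped = []
  Gem::Package::TarReader.new(StringIO.new(tar_bytes)) do |tar|
    tar.each do |entry|
      name = entry.full_name
      target = safe_extract_path(dest, name)
      if target.nil?
        skipped << name
        next
      end
      if entry.directory?
        FileUtils.mkdir_p(target)
      elsif entry.file?
        FileUtils.mkdir_p(File.dirname(target))
        File.binwrite(target, entry.read)
      else
        # Symlinks and special files are not handled by this example; skip them.
        skipped << name
        next
      end
      extracted << name
    end
  end
  [extracted, skipped]
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    extracted, skipped = safe_untar(build_constructed_tar, dir)
    puts "extracted: #{extracted.inspect}"
    puts "skipped:   #{skipped.inspect}"
  end
end
```

The lexical check is deliberately done on the entry name, not on the filesystem: checking after a file has been written is too late, and symlinked directories inside the destination are a separate problem that a lexical check does not cover, which is why the example refuses to extract symlink entries at all rather than trying to follow them.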
