Hi,
Similar to a question I asked in the Kibana forum (Is the plugin install exposed to zip-slip?), and due to some requests by the local security team, I'm looking into whether some of the software we use is exposed to zip-slip.
Digging around in the logstash codebase on github I spotted https://github.com/elastic/logstash/blob/fdda39964d4f5ff40fd4058c1a2faf30f366df2f/lib/bootstrap/util/compress.rb#L21-L30, which looks like it will extract files without checking whether there are any leading '..' components in the path. Similarly, https://github.com/elastic/logstash/blob/fdda39964d4f5ff40fd4058c1a2faf30f366df2f/lib/bootstrap/util/compress.rb#L55-L72 does the same for tarfiles.
Checking the ruby stdlib I don't see anything ignoring files in TarReader if the path contains '..', so presumably it is up to application usage to perform such checking.
Looking at where this is used, https://github.com/elastic/logstash/search?p=2&q=LogStash%3A%3AZip&unscoped_q=LogStash%3A%3AUtil%3A%3AZip, it does appear to be used only by plugin extraction, which should mean that this is only vulnerable if an admin is persuaded to install a compromised plugin.
It would be nice to confirm whether my understanding is correct, and whether this is the only place that is vulnerable.
Thanks
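The check the post says the Ruby stdlib does not do for you (rejecting entries whose resolved path leaves the destination directory) can be done by the caller before each write. The following is an added example written for this thread, not code from Logstash or from the original poster: it builds a small tar archive in memory with the stdlib `Gem::Package::TarWriter` (the entry names are constructed for the demonstration), reads it back with `Gem::Package::TarReader`, and extracts only entries whose expanded path stays under the destination. Non-regular entries (symlinks, hard links) are skipped as well, since a link entry pointing outside the destination followed by a file entry written through it is the other common way an archive escapes its extraction directory.

```ruby
require 'rubygems/package'
require 'stringio'
require 'fileutils'
require 'tmpdir'

# Resolve an archive entry name against the destination directory and
# return the absolute target path only if it stays inside that directory.
# Returns nil for "../" escapes and for absolute entry names.
def contained_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, base)
  # The trailing separator stops "/dest-evil" from matching "/dest".
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Extract regular-file entries from a tar stream into dest_dir, skipping
# anything that would land outside it. Returns [extracted, skipped].
def safe_untar(io, dest_dir)
  extracted = []
  skipped = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      # Symlink and hard-link entries are not recreated at all here.
      next unless entry.file?
      target = contained_path(dest_dir, entry.full_name)
      if target.nil?
        skipped << entry.full_name
        next
      end
      FileUtils.mkdir_p(File.dirname(target))
      File.binwrite(target, entry.read)
      extracted << target
    end
  end
  [extracted, skipped]
end

# Build an in-memory tar from a { entry_name => content } hash (constructed
# sample data for the demonstration; a real plugin archive would come from disk).
def build_tar(entries)
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, data|
      tar.add_file_simple(name, 0644, data.bytesize) { |f| f.write(data) }
    end
  end
  io.rewind
  io
end

# Extract a constructed archive with one benign entry and two traversal
# entries into a throwaway directory and report what happened.
def demo
  Dir.mktmpdir do |root|
    dest = File.join(root, 'plugins')
    FileUtils.mkdir_p(dest)
    tar = build_tar(
      'plugin/lib/x.rb'            => "# benign\n",
      '../escaped.txt'             => 'outside',
      'plugin/../../escaped2.txt'  => 'outside'
    )
    extracted, skipped = safe_untar(tar, dest)
    {
      extracted: extracted.map { |p| p.delete_prefix(dest + File::SEPARATOR) },
      skipped: skipped,
      escaped_written: File.exist?(File.join(root, 'escaped.txt')) ||
                       File.exist?(File.join(root, 'escaped2.txt'))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
end
```

`File.expand_path` normalises `..` segments and turns an absolute entry name into that absolute path, so a single prefix comparison against the expanded destination covers both the relative-traversal and absolute-path cases; the same `contained_path` check applies unchanged to zip entry names.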