Is the plugin install exposed to zip-slip?

Due to some requests by the local security team, looking into whether some of the software we use is exposed to zip-slip.

Digging around in the kibana codebase on github I spotted which looks like it extracts a zipfile without checking whether it contains leading '../' as part of the path.

This code looks like it's only used by plugin management, and so it limits exposure to first being persuaded to install a compromised archive as a plugin to kibana, but it would be nice to confirm whether this is indeed correct, and whether that is the only place that is vulnerable?

Thanks @electrofelix, I will look into this. Currently, this utility (kbn-es) is only used in development to assist with running Elasticsearch. The assets are hosted on our S3 bucket, so the exposure is even more limited, but regardless I will investigate.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.