Is the plugin install exposed to zip-slip?

Due to some requests by the local security team, I'm looking into whether some of the software we use is exposed to zip-slip.

Digging around in the Kibana codebase on GitHub, I spotted https://github.com/elastic/kibana/blob/da1268d3221e25952e2207c37fde4f3b9d2688ce/packages/kbn-es/src/utils/decompress.js#L40-L85, which looks like it extracts a zip file without checking whether any entry contains a leading '../' as part of its path.

This code looks like it's only used by plugin management, and so it limits exposure to first being persuaded to install a compromised archive as a plugin to Kibana, but it would be nice to confirm whether this is indeed correct, and whether that is the only place that is vulnerable.

Thanks @electrofelix, I will look into this. Currently, this utility (kbn-es) is only used in development to assist with running Elasticsearch. The assets are hosted on our S3 bucket, so the exposure is even more limited, but regardless I will investigate.
