Zip slip is a special case of path injection. It occurs when an application uses the name of an archive entry to construct a file path and access
this file without validating its path first.
This rule will consider all archives untrusted, assuming they have been created outside the application file system.
A user with malicious intent would inject specially crafted values, such as ../, into the archive entry name to change the
intended path. The resulting path would resolve somewhere in the filesystem where the user should not normally have access.
What is the potential impact?
A web application is vulnerable to Zip Slip when an attacker is able to exploit it by submitting an archive they control.
The files that can be affected are limited by the permission of the process that runs the application. Worst case scenario: the process runs with
root privileges on Linux, and therefore any file can be affected.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Overwrite arbitrary files
The application opens the archive to copy its entries to the file system. The entry names contain path traversal payloads that point at
existing files on the system, which are overwritten once the entries are copied. The vulnerability is exploited to corrupt files that the
application or the operating system needs in order to work properly.
It could result in data being lost or the application being unavailable.
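The mechanism described above and the overwrite scenario, as an added example that is not part of the original rule text: a vulnerable extractor that joins the entry name straight onto the destination directory, beside a hardened one that resolves the final path and rejects any entry landing outside that directory. The archive is constructed in memory and carries one normal entry and one ../ entry; both extractors run into a throwaway temporary directory.

```python
import io, os, tempfile, zipfile
from pathlib import Path

def build_archive(entry_names):
    """Constructed sample input: an in-memory zip whose entries carry the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"payload")
    buf.seek(0)
    return buf

def unsafe_extract(archive, dest):
    """Vulnerable pattern: the entry name is joined to dest and written without any check."""
    written = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' in the name is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written

def safe_extract(archive, dest):
    """Hardened: resolve the final path and require it to stay inside dest."""
    root = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if root not in target.parents:  # entry escaped the extraction directory
                rejected.append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written, rejected

def demo():
    """Extract one archive both ways into a throwaway directory and report the outcome."""
    archive = build_archive(["docs/readme.txt", "../escaped.txt"])
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        unsafe = unsafe_extract(archive, dest)
        safe_written, safe_rejected = safe_extract(archive, dest)
        # files the vulnerable extractor placed outside the intended directory
        outside = [p for p in unsafe if not p.startswith(os.path.abspath(dest) + os.sep)]
    return {"unsafe_outside": len(outside), "safe_written": len(safe_written), "safe_rejected": safe_rejected}
```

Running demo() shows the vulnerable extractor writing one file a level above the destination, while the hardened one writes only the normal entry and reports the ../ entry as rejected.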