Introduced protections against "zip slip" attacks

distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/cli/InstallPluginAction.java

@@ -8,6 +8,7 @@
 
 package org.elasticsearch.plugins.cli;
 
+import io.github.pixee.security.ZipSecurity;
 import org.apache.lucene.search.spell.LevenshteinDistance;
 import org.apache.lucene.util.CollectionUtil;
 import org.apache.lucene.util.Constants;
@@ -776,7 +777,7 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException
         final Path target = stagingDirectory(pluginsDir);
         pathsToDeleteOnShutdown.add(target);
 
-        try (ZipInputStream zipInput = new ZipInputStream(Files.newInputStream(zip))) {
+        try (ZipInputStream zipInput = ZipSecurity.createHardenedInputStream(Files.newInputStream(zip))) {
             ZipEntry entry;
             byte[] buffer = new byte[8192];
             while ((entry = zipInput.getNextEntry()) != null) {

server/src/test/java/org/elasticsearch/plugins/PluginsUtilsTests.java

@@ -8,6 +8,7 @@
 
 package org.elasticsearch.plugins;
 
+import io.github.pixee.security.ZipSecurity;
 import org.apache.logging.log4j.Level;
 import org.apache.lucene.tests.util.LuceneTestCase;
 import org.elasticsearch.Build;
@@ -173,7 +174,7 @@ void makeJar(Path jarFile, Class<?>... classes) throws Exception {
                 if (codebase.toString().endsWith(".jar")) {
                     // copy from jar, exactly as is
                     out.putNextEntry(new ZipEntry(relativePath));
-                    try (ZipInputStream in = new ZipInputStream(Files.newInputStream(codebase))) {
+                    try (ZipInputStream in = ZipSecurity.createHardenedInputStream(Files.newInputStream(codebase))) {
                         ZipEntry entry = in.getNextEntry();
                         while (entry != null) {
                             if (entry.getName().equals(relativePath)) {