From e03c10627dfc57de973a74c17b62f51445c9c28c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 5 Oct 2024 04:52:56 +0000
Subject: [PATCH] Introduced protections against "zip slip" attacks

---
 .../org/elasticsearch/plugins/cli/InstallPluginAction.java | 3 ++-
 .../test/java/org/elasticsearch/plugins/PluginsUtilsTests.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/cli/InstallPluginAction.java b/distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/cli/InstallPluginAction.java
index c7bee4a6c172d..20b0293483dde 100644
--- a/distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/cli/InstallPluginAction.java
+++ b/distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/cli/InstallPluginAction.java
@@ -8,6 +8,7 @@
 
 package org.elasticsearch.plugins.cli;
 
+import io.github.pixee.security.ZipSecurity;
 import org.apache.lucene.search.spell.LevenshteinDistance;
 import org.apache.lucene.util.CollectionUtil;
 import org.apache.lucene.util.Constants;
@@ -776,7 +777,7 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException
 final Path target = stagingDirectory(pluginsDir);
 pathsToDeleteOnShutdown.add(target);
 
- try (ZipInputStream zipInput = new ZipInputStream(Files.newInputStream(zip))) {
+ try (ZipInputStream zipInput = ZipSecurity.createHardenedInputStream(Files.newInputStream(zip))) {
 ZipEntry entry;
 byte[] buffer = new byte[8192];
 while ((entry = zipInput.getNextEntry()) != null) {
diff --git a/server/src/test/java/org/elasticsearch/plugins/PluginsUtilsTests.java b/server/src/test/java/org/elasticsearch/plugins/PluginsUtilsTests.java
index a7cc74582afdc..80cfbbca4a92a 100644
--- a/server/src/test/java/org/elasticsearch/plugins/PluginsUtilsTests.java
+++ b/server/src/test/java/org/elasticsearch/plugins/PluginsUtilsTests.java
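Review bot: The new `import io.github.pixee.security.ZipSecurity;` in both files pulls in a third-party library, yet the diffstat lists only the two Java sources and no Gradle build file, so unless that artifact is already on the plugin-cli main classpath and the server test classpath this patch does not compile; the same applies to the PluginsUtilsTests hunk below. The body of unzip continues outside the hunk, so whether the existing per-entry loop already resolves each name against the staging directory and rejects paths that escape it cannot be seen here; if it does, the hardened stream is a second, library-owned copy of that guard and the commit title ("Introduced protections") overstates what is new. What createHardenedInputStream actually rejects, and which exception type unzip's callers would then see in place of the UserException the method declares, is not visible on this page; a note such as `// NOTE(review): confirm which exception ZipSecurity raises on an escaping entry and whether unzip's callers expect a UserException` on the new try line would flag that for whoever merges this.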
@@ -8,6 +8,7 @@
 
 package org.elasticsearch.plugins;
 
+import io.github.pixee.security.ZipSecurity;
 import org.apache.logging.log4j.Level;
 import org.apache.lucene.tests.util.LuceneTestCase;
 import org.elasticsearch.Build;
@@ -173,7 +174,7 @@ void makeJar(Path jarFile, Class... classes) throws Exception {
 if (codebase.toString().endsWith(".jar")) {
 // copy from jar, exactly as is
 out.putNextEntry(new ZipEntry(relativePath));
- try (ZipInputStream in = new ZipInputStream(Files.newInputStream(codebase))) {
+ try (ZipInputStream in = ZipSecurity.createHardenedInputStream(Files.newInputStream(codebase))) {
 ZipEntry entry = in.getNextEntry();
 while (entry != null) {
 if (entry.getName().equals(relativePath)) {
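Review bot: The makeJar hunk only reads entries from a classpath jar through `in` and copies them into `out`, with no extraction to the filesystem, so the hardened stream is exercised solely on trusted test input and nothing in this patch asserts the behaviour it was added for in InstallPluginAction.unzip. A test that hands unzip an archive whose entry name resolves outside the staging directory and expects the failure unzip reports would pin that protection; as it stands a regression in that path would go unnoticed. If createHardenedInputStream throws on such entries, this helper's behaviour also changes from copying the entry to propagating an exception out of `throws Exception`, which is acceptable for test data but worth a one-line comment such as `// hardened stream rejects entries that would escape an extraction root — confirm exception type`. makeJar's body continues outside the hunk.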