rspec/rules/S6096/rationale.adoc

Zip slip is a special case of path injection. It occurs when an application uses the name of an archive entry to construct a file path and access this file without validating its path first.

This rule will consider all archives untrusted, assuming they have been created outside the application file system.

A user with malicious intent would inject specially crafted values, such as ``++../++``, in the archive entry name to change the initial intended path. The resulting path would resolve somewhere in the filesystem where the user should not normally have access.
Modify Rule S6096: Common education content (APPSEC-71) (#1172) 2022-08-25 14:08:01 +02:00			`Zip slip is a special case of path injection. It occurs when an application uses the name of an archive entry to construct a file path and access this file without validating its path first.`

			`This rule will consider all archives untrusted, assuming they have been created outside the application file system.`

			A user with malicious intent would inject specially crafted values, such as ``++../++``, in the archive entry name to change the initial intended path. The resulting path would resolve somewhere in the filesystem where the user should not normally have access.