Zip Slip
Zip Slip is a form of directory traversal that occurs when an application extracts entries from an archive (ZIP, TAR, JAR, WAR, 7z and similar formats) and builds each output path by joining the destination directory with the entry name, without canonicalising or validating the result. An attacker crafts an archive whose entry names contain traversal sequences (e.g., `../../../tmp/evil.sh`) or absolute paths; on extraction those entries are written outside the intended directory. Depending on what the extracting process can write to, this lets the attacker overwrite configuration files, scripts, libraries or startup files, which in turn can lead to arbitrary code execution, or plant files that expose confidential data. Archive entries that are symbolic links add a second route out: a link pointing outside the destination, followed by an entry written through that link, escapes even when every entry name looks relative.
Remediation
- Before extracting files, canonicalise and validate destination paths to ensure they remain within the intended extraction directory. Reject any entry that uses path traversal (`..` components, with either `/` or `\` as separator) or an absolute path, including Windows drive letters and UNC prefixes. Compare against the canonical destination directory plus a trailing path separator, or compare path components, rather than a bare string prefix; otherwise a destination of `/srv/out` also accepts `/srv/outside/x`.
- Use secure, actively maintained archive-handling libraries that implement protections against directory traversal, and verify that the protection is actually in effect rather than assuming it. Java's `java.util.zip`, for example, performs no validation of entry names; Python's `zipfile.ZipFile.extract()` strips absolute prefixes and `..` components, but `tarfile` only does so when extraction is called with a `filter` (Python 3.12 and later).
- Sanitize file names to remove control characters, null bytes, path separators, or patterns that could alter expected behaviour.
- Configure extraction processes to prevent overwriting of existing files, particularly sensitive or system-critical ones: open output files in exclusive-create mode (O_EXCL) so that an existing file raises an error instead of being replaced, and refuse to create symbolic links from archive entries or to write through links that already exist under the destination.
- Apply the principle of least privilege to the extraction context (e.g., drop unnecessary permissions, run as a dedicated unprivileged user rather than root, and extract into a fresh, empty directory).
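The remediation steps above, combined into one extractor, as an added example that is not part of the original page. It is written in Python against the standard library `zipfile` module; the function and class names (`resolve_entry`, `safe_extract`, `UnsafeArchiveEntry`, `run_demo`) are mine, and the four sample archives are constructed in memory for the demonstration. Because `zipfile.extract()` would itself neutralise traversal, the example reads each entry through `ZipFile.open()` and computes the output path by hand, which is the pattern a vulnerable extractor typically uses and therefore the one that needs the checks.

```python
import io
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeArchiveEntry(ValueError):
    """An archive entry that must not be written to disk."""


def resolve_entry(dest: Path, info: zipfile.ZipInfo) -> Path:
    """Return the canonical on-disk path for one entry, or raise.
    dest must already be canonical (Path.resolve()); lexical checks run
    before anything touches the filesystem."""
    name = info.filename
    # Unix mode bits live in the upper 16 bits of external_attr. A symlink
    # entry pointing outside dest would let a later entry escape (CWE-59).
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeArchiveEntry(f"symlink entry refused: {name!r}")
    posix, win = PurePosixPath(name), PureWindowsPath(name)
    # Lexical checks: empty names, absolute paths, drive letters/UNC roots,
    # and '..' components written with either '/' or '\' (CWE-23, CWE-36).
    if (not posix.parts or posix.is_absolute() or win.anchor
            or ".." in posix.parts or ".." in win.parts):
        raise UnsafeArchiveEntry(f"rejected entry name: {name!r}")
    # Canonical check: resolve() follows any symlink already under dest, and
    # the result must be dest itself or sit strictly below it (CWE-22).
    target = (dest / posix).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveEntry(f"entry escapes destination: {name!r}")
    return target


def safe_extract(archive: bytes, dest_dir: str) -> list:
    """Extract an in-memory ZIP into dest_dir and return the files written.
    Every entry is validated before any byte is written, so a malicious
    archive leaves nothing behind; existing files are never overwritten."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, resolve_entry(dest, info)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            # "xb" is exclusive create (O_EXCL): an existing file raises
            # FileExistsError instead of being clobbered.
            with zf.open(info) as src, open(target, "xb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries: dict) -> bytes:
    """Build a constructed test archive from {name or ZipInfo: data}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for key, data in entries.items():
            zf.writestr(key, data)  # writestr does not sanitise entry names
    return buf.getvalue()


def symlink_entry(name: str) -> zipfile.ZipInfo:
    """A ZipInfo flagged as a Unix symlink; its data is the link target."""
    info = zipfile.ZipInfo(name)
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    return info


# Constructed sample archives for the demo, not real-world samples.
BENIGN = build_zip({"docs/readme.txt": b"hello"})
TRAVERSAL = build_zip({"../../evil.txt": b"pwned"})
ABSOLUTE = build_zip({"/tmp/evil.txt": b"pwned"})
SYMLINK = build_zip({symlink_entry("link"): b"/etc", "link/passwd": b"x"})


def run_demo() -> dict:
    """Extract each sample into a fresh temp dir and report the outcome."""
    results = {}
    for label, archive in [("benign", BENIGN), ("traversal", TRAVERSAL),
                           ("absolute", ABSOLUTE), ("symlink", SYMLINK)]:
        with tempfile.TemporaryDirectory() as d:
            try:
                results[label] = safe_extract(archive, d)
            except UnsafeArchiveEntry as exc:
                results[label] = f"rejected: {exc}"
    # Extracting the same archive twice must not overwrite the first copy.
    with tempfile.TemporaryDirectory() as d:
        safe_extract(BENIGN, d)
        try:
            safe_extract(BENIGN, d)
            results["overwrite"] = "overwritten"
        except FileExistsError:
            results["overwrite"] = "rejected: existing file kept"
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:10} {outcome}")
```

Two design choices are worth noting. All entries are validated before the first write, so an archive with one bad entry among many good ones is rejected as a whole instead of leaving a partial extraction to clean up. The lexical test and the `resolve()` test are both kept: the former rejects the obvious `..` and absolute forms cheaply and portably, the latter catches escapes through symlinks that already exist under the destination, which the lexical test cannot see. For TAR input the same checks apply to each `TarInfo`, with `issym()` and `islnk()` replacing the `external_attr` test; on Python 3.12 or later, `tarfile.extractall(..., filter="data")` performs equivalent rejection of absolute names, traversal and links that point outside the destination.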
Metadata
- Severity: medium
- Slug: zip-slip
CWEs
- 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- 23: Relative Path Traversal
- 59: Improper Link Resolution Before File Access ('Link Following')
- 36: Absolute Path Traversal
- 73: External Control of File Name or Path
OWASP
- A01:2021: Broken Access Control
- A05:2021: Security Misconfiguration