Github user DidierLoiseau commented on the pull request:
https://github.com/apache/commons-compress/commit/97867f6fa3634c77dfafd76c89ecb1087f5cd1ae#commitcomment-29378554
In src/main/java/org/apache/commons/compress/archivers/Expander.java on
line 359:
This check still allows extracting to a sibling directory of the
`targetDirectory` if the `targetDirectory` name is a prefix of that sibling
directory, doesn't it? `targetDirPath` should include the `File.separator` as
shown in [the example on
Snyk](https://snyk.io/research/zip-slip-vulnerability#java).
---
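The prefix problem raised in the comment above, as an added example that is not code from Expander.java or from the commit under review: the same string comparison with and without the trailing `File.separator`, plus an element-wise `Path.startsWith` variant. The class name, method names and entry names are hypothetical and constructed for illustration; only the first check accepts the sibling-directory entry.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class PrefixCheckDemo {  // hypothetical class, not Expander.java

    // Character-prefix comparison with no trailing separator.
    static boolean prefixOnly(File targetDirectory, String entryName) throws IOException {
        String targetDirPath = targetDirectory.getCanonicalPath();
        String resolved = new File(targetDirectory, entryName).getCanonicalPath();
        return resolved.startsWith(targetDirPath);
    }

    // Same comparison with File.separator appended to targetDirPath.
    // An entry that resolves to targetDirectory itself (".") no longer matches.
    static boolean prefixWithSeparator(File targetDirectory, String entryName) throws IOException {
        String targetDirPath = targetDirectory.getCanonicalPath() + File.separator;
        String resolved = new File(targetDirectory, entryName).getCanonicalPath();
        return resolved.startsWith(targetDirPath);
    }

    // Path.startsWith compares whole name elements, so "out" is not a prefix of "out-sibling".
    static boolean byPathElements(File targetDirectory, String entryName) throws IOException {
        Path base = targetDirectory.getCanonicalFile().toPath();
        Path resolved = new File(targetDirectory, entryName).getCanonicalFile().toPath();
        return resolved.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: target directory "out" and three constructed entry names.
        File target = new File(System.getProperty("java.io.tmpdir"), "out");
        String[] entries = { "docs/readme.txt", "../out-sibling/file.txt", "../elsewhere/file.txt" };
        for (String name : entries) {
            System.out.printf("%-26s prefixOnly=%-5b withSeparator=%-5b pathElements=%b%n",
                    name, prefixOnly(target, name), prefixWithSeparator(target, name),
                    byPathElements(target, name));
        }
    }
}
```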