Hello Apache Tika developers,
We have recently become aware of a vulnerability called "Zip Slip" where Java
code that uses certain zip extraction methods may be vulnerable to malicious
attacks if a particular zip is extracted in a certain way. The information on
the vulnerability can be found on this GitHub
repo <https://github.com/snyk/zip-slip-vulnerability>. Has it been investigated
whether or not Tika is vulnerable to this kind of attack, and if so, has it been
fixed? We are using Tika 1.18 via the tika-server application, but I imagine
it could affect multiple different use cases if it was a problem. I noticed
that Tika was not on the list of affected projects, but we just wanted to
confirm that that was because it was safe just in case Tika had just been
overlooked as part of the investigations. If Tika is vulnerable, is there a
known fix or workaround in flight that we should be aware of?
Thanks,
Carey MacDonald