Carey,
Thank you for raising this. I did a quick review of our code base when
the most recent zip slip story was in the news. It looks to me like we’re
properly defending against the vulnerability. However, it is entirely
possible that I missed something. I’ll check again tomorrow and respond to
you.
If you ever do identify a vulnerability, please send a note to
[email protected].
Thank you!
Cheers,
Tim
P.S. Would you be willing to share how you’re using Tika at Microsoft? We
know of 2 MS projects using it, but we’d be interested in hearing about
yours!
On Wed, Jul 11, 2018 at 6:57 PM Carey MacDonald <[email protected]>
wrote:
> Hello Apache Tika developers,
>
> We have recently become aware of a vulnerability called “Zip Slip” where
> Java code that uses certain zip extraction methods may be vulnerable to
> malicious attacks if a particular zip is extracted in a certain way. The
> information on the vulnerability can be found on this Github repo
> <https://github.com/snyk/zip-slip-vulnerability>. Has it been
> investigated whether or not Tika is vulnerable to this kind of attack, and
> if so has it been fixed? We are using Tika 1.18 via the tika-server
> application, but I imagine it could affect multiple different use cases if
> it was a problem. I noticed that Tika was not on the list of affected
> projects, but we just wanted to confirm that that was because it was safe
> just in case Tika had just been overlooked as part of the investigations.
> If Tika is vulnerable, is there a known fix or workaround in flight that we
> should be aware of?
>
> Thanks,
>
> Carey MacDonald
>
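The defence Tim describes checking for, and the one the linked Snyk write-up recommends, is a canonical-path check on every archive entry before it is written to disk. The following is an added, self-contained Java example (it is not Tika's own code and does not reflect how tika-server handles archives); it builds a constructed two-entry archive in memory, one benign entry and one whose name climbs out of the destination with `../`, and shows the check rejecting only the traversal entry. The class name `ZipSlipCheck` and the helper names are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipCheck {

    // The Zip Slip guard: resolve the entry name against the destination, normalize
    // away any "." / ".." components, and require the result to still sit under the
    // destination. Path.startsWith compares whole path components, so a sibling
    // directory that merely shares a name prefix (e.g. "out" vs "out-other") is rejected.
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip Slip: entry escapes destination directory: " + entryName);
        }
        return target;
    }

    // Constructed sample input (not a real artifact): one benign entry and one whose
    // name tries to climb out of the extraction directory.
    static byte[] constructedArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../outside.txt"));
            zos.write("should never be written".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // Extracts the archive into destDir, writing only entries that pass the guard.
    // Returns the names of rejected entries so a caller can log or alert on them.
    static List<String> extract(InputStream in, Path destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target;
                try {
                    target = safeResolve(destDir, entry.getName());
                } catch (IOException escape) {
                    rejected.add(entry.getName());
                    continue;
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip-demo");
        List<String> rejected = extract(new ByteArrayInputStream(constructedArchive()), dest);
        // Expected: [../../outside.txt]; docs/readme.txt is written under dest.
        System.out.println("extracted into " + dest + ", rejected entries: " + rejected);
    }
}
```

The important detail is that the check runs on the normalized path of every entry, not just on names that visibly contain `..`: an entry like `docs/../../x` also normalizes to a location outside the destination and is caught the same way. When reviewing a code base as Tim describes, the thing to look for is any place an archive entry name is joined to a directory and opened for writing without this kind of containment check.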