Zip slip vulnerability in the Expander that relies on Unicode codepoints that when normalized enable zip slip (“..” and “/”).
This is vulnerable because the check for zip slip happens before the path normalization.
Not inspired by anything, but it does sit in a ladder of zip slip challenges.
Fixing this should be straightforward. The challenge here is to create the proof-of-vulnerability, which requires fairly esoteric “knowledge” about which unicode codepoints normalize to “..” or “/”.
NOTE This will only work when the locale is “UTF-8”. More generally, though, POSIX causes some test failures in “off the shelf” commons-compress – so a locale of UTF-8 is not a stretch.