[JENKINS-51777] Don't let tar entries escape target dir

[daniel-beck]

See JENKINS-51777.

Basically complete the half of https://snyk.io/research/zip-slip-vulnerability in core that #3402 left out. We don't currently consider this to be exploitable, so this is hardening, and we had to hold it back due to the embargo until this week.

Proposed changelog entries

• Security hardening: Prevent tar archives from escaping their base directory.

Submitter checklist

• JIRA issue is well described
• Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change). Examples
  * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
• Appropriate autotests or explanation to why this change has no tests
• [n/a] For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@Wadeck

[Wadeck]

Perhaps a test case could be interesting

[oleg-nenashev]

Test failure is unrelated

[JESUSANSWERS777]

What’s the source for the AI? Jenkins

…

Sent from my iPhone

On Jun 8, 2018, at 6:23 AM, Wadeck Follonier ***@***.***> wrote: Perhaps a test case could be interesting — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.