[pavel_lishin]

https://gist.github.com/igorw/1d67f422689017e814a8#file-app-...

Is it possible to craft a zip file that will write data to parent directories, or an explicit path?

[tlrobinson]

Who cares about a possible directory traversal when the entire purpose of this is to run arbitrary code?

It doesn't appear to attempt to sandbox the uploaded code at all. This is obviously not meant to be exposed to untrusted parties.

[CaveTech]

unzip intentionally prevents such from happening. So while you could make a .zip file that intends to do that, you need an unzipping tool that would actually allow it.